Magallanez said Bagle might be laying the groundwork for an updated version of the worm when the first version self-destructs as it is designed to do after Jan 28.
This is what happened with "Sobig," a worm that infected millions of PCs last year. The first version of Sobig appeared in January 2003, with new variants following soon after each previous version shut itself down. Sobig used backdoors installed from prior versions of itself to seed hundreds of thousands of computers with software that turned them into remotely controlled spamming machines. Security experts said that Bagle is not spreading as fast as the Sobig virus, though it has generated a high volume of e-mail.
Like the earlier worms, Bagle does not affect Macs or computers running the Linux and Unix operating systems.
Security researchers initially were baffled at the speed of the worm, said Ken Dunham, malicious code manager for iDefense, an Internet security firm based in Reston, Va.
They attributed the worm's high infection rate to curious home and small office computer users who could not resist clicking on the attachment. When users open the attachment it launches the calculator function included on the Windows operating system, a diversion to keep people from realizing that something else is happening to their computer.
"Bagle expands the common understanding of social engineering to include the component of curiosity," said Dunham. "... It just shows that the old tricks still work just fine and you don't have to be that brilliant of an attacker to spread a mass-mailing worm."
Larger corporations are not expected to suffer as much damage because they use current anti-virus software and firewalls to block e-mail messages bearing executable files.
The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections.