Another round of Bagles hit the net today. There were two main executables mass-spammed through previously infected systems. Both were classified as W32/Bagle.fb (one was simply a repackaging of the other). This variant used a trick that was common in Bagle variants two years ago but has been seen less often since. The virus sends itself in a password-protected ZIP archive, and the password needed to unlock the ZIP is sent along with the email message as a .GIF image attachment.

McAfee VirusScan users were protected from the executables within these password-protected ZIPs, which were detected as either W32/Bagle.dldr or New Malware.b (packed versus never-packed). Email messages sent by the virus may also be detected as W32/Bagle!eml.gen by email scanning products.
This variant started to pick up steam just after 8:00am PDT, peaked within a couple of hours, and is on the decline.
Named detection has been released in the latest DAT update.
