And each new variant throws just enough new tricks into the mix to confuse users into continuously downloading the malicious code.
''Once again, it's a cat and mouse game between the virus writer and the anti-virus vendors,'' says Steve Sundermeier, a vice president with Central Command, an anti-virus company based in Medina, Ohio. ''And it's getting really hard to get infected. It's kind of amazing that it's still happening -- that people are still falling for it.''
Over the past several days, three more variants in the Bagle family have hit the wild. Varaints N, O and P basically have been messing with anti-virus vendors, forcing the vendors to continuously change their detection methods and update their software.
First, the Bagle author was sneaking the malicious code into corporate networks by disguising it inside ZIP files. Most gateway detection software was just configured to stop incoming executable files -- not ZIP files. In answer to that, anti-virus vendors got their corporate customers to start monitoring for ZIP files at the gateway, and added in password protection.
To get around that, the Bagle author sent the malicious code in a password-protected ZIP file, placing the password itself in the body message of the same email. That way, the worm bypassed the gateway filters again.
At this point, the anti-virus vendors began parsing the emails, meaning that the detection software searched the message body for the password. Once they had the password, they opened the ZIP file and virus scanned the attachment.
But not to be foiled again, Bagle-P now sends the password in a separate graphic file. Graphic files can't be parsed because there is no text.
''Now we have to block all encrypted files,'' says Sundermeier. ''If you get an encrypted ZIP file, that's unusual, so we're just blocking all of them.
But all of this trickery also means that users have to take multiple steps to actually get infected. A user needs to open the graphic file, find the password and then use it to open the ZIP file to be infected. And surprisingly enough, it's still happening.
''A user really has to try to infect themselves at this point,'' says Sundermeier, adding that it's happening all over the globe.
Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company, says the new variants are showing a maturation. ''We have started to see that he's maturing his code, adding encryption and sharing passwords via images,'' he says. ''But it shows no sense of brilliance. He just keeps hammering away.''