The gang of virus writers behind the virulent Bagle family of worms actually has issued a patch to its malicious code.

This past Sunday, computers infected with several different variants of the Bagle worm began downloading an updated version -- a new spam tool used by hackers to send out unwanted bulk email.

''Instead of starting from scratch with a new virus and hoping it will replicate, they simply upgrade all the machines that are currently infected with a new version of the virus,'' says Mikko Hypponen chief research officer for F-Secure Corp., a security company based in Helsinki, Finland. ''They've programmed the virus to contact the central website to see if there's an update available and if there is, they will download and run this new malicious code. This technique -- we call it second-state activation -- is a way the virus writers can add additional programs and run them on the infected machines.''

Hypponen explained in an interview with Datamation that if a computer is infected with a variant of the Bagle worm, the virus writers can push out other malicious pieces of code, which are generally used to send out spam, to those machines. The infected computers become a network of remotely controllable machines -- or botnets.

The gang of virus writers makes its money by selling access to those botnets to spammers who then use them to send out millions of pieces of unwanted bulk email.

''They are cooperating with spammers and, increasingly over the last 12 months, are operating with phishers,'' says Hypponen. ''Most of the phishing emails you're seeing are coming through botnets built with programs like the ones with the Bagles.''

The gang of Bagle authors are sophisticated enough that they're actually pushing updates to their malicious code out to the infected machines. ''Yes, they're like patches,'' says Hypponen. ''It adds new spamming functionality to the infected machines.''

Another sign of the gang's sophistication is that they've designed the system so that each download of the revised code is different from the last. That is making it harder for anti-virus companies to combat it.

''If you actually go and visit this malicious website and download the program, and then later download it again, it would be a different file,'' he notes. ''Every user would get a different copy of the program. .. I downloaded several hundred copies of the file and each one was different.''

Hypponen says the patches were coming off a website on a server in Slovakia on Sunday. That link was shut down but another website -- this one a French site hosted in the U.S. -- was up and running with the malicious malware. It too has been shut down.