Online security experts are increasing the threat level on a fast-spreading e-mail virus capable of allowing an attacker to upload and execute malicious code on infected computers.

The mass-mailing W32/BAGLE-A worm, also known as Bagle or Beagle, includes a backdoor component which listens on TCP port 6777 and lets an attacker execute arbitrary programs on infected systems, anti-virus experts warned on Tuesday.

MessageLabs described the Bagle virus as "high risk" while Network Associates has assigned a "medium risk" assessment.

The virus, first quarantined in Germany, has been spotted in 138 countries with the highest distributions in Europe and Asia. Because of the long holiday weekend, distribution in the U.S. has been low.

The Bagle virus arrives as a .EXE attachment with a random name and with the word "hi" in the subject line. If an unsuspecting user executes the attachment, the worm copies itself to the Windows system folder with instructions to run at logon.

Upon execution, the Bagle virus uses its own SMTP engine to send itself to addresses harvested from files on the hard disk and spoofs the "From" field in e-mails it sends.

According to a Network Associates alert, the worm contains a potentially dangerous remote access component which listens on TCP port 6777 for remote connections. "It tries to notify the virus author of its readiness to accept commands by contacting various websites and calling a script located on the remote site," the company warned.

The company warned that home users are at higher risk of infection.

Network Associates and Sophos have posted disinfection instructions, available here and here.

According to Sophos senior security analyst Chris Belthoff, home users were at a higher risk of infection because most enterprises are blocking .EXE attachments at the gateway. But, as with the destructive SoBig virus, workers at home offices who connect remotely to an enterprise network represent a danger.

"This virus can sneak into an enterprise environment through the home workers because it grabs all e-mail addresses to mail itself to. In many cases, it's a work-related address book that puts the attachment inside the network," Belthoff told

He believes the virus is the work of a sophisticated spam network looking to take over computers and use them as spam zombies. "Eventually, mail server capabilities could be downloaded to infected machines. Once that backdoor is active, any type of code can be loaded on an infected machine."