A new variant of the Bagle worm is gaining traction in the wild this afternoon, with more than 11,000 interceptions identified within the first few hours of its spread, according to Reston, Va.-based iDefense. Antivirus vendors are working to update signatures, but blocking .zip files eliminates the threat.
"To stop this worm block all .zip files and be wary of e-mails with the subject, message or attachment related to 'foto' or 'foto.zip,'" said Ken Dunham, director of malicious code at iDefense. "If the user opens the seemingly harmless HTML file the worm attempts to install itself on the local computer."
According to iDefense, Bagle-AQ uses a .zip attachment containing an HTML file that attempts to exploit Internet Explorer systems vulnerable to the object-data flaw. It attempts to install a copy of itself in the Windows System directory, mass-mails copies of itself, and modifies the Windows registry so that it starts on reboot. It also attempts to download code from 131 different URLs, none of which hosted code at the time of this writing.
E-mails look like this:
Message body: foto
Attachment: fotos.zip, which contains foto.html and foto.exe.
TruSecure, an MSSP in Reston, Va., recommends other steps to mitigate future outbreaks of Bagle and other malicious code. "Disable HTML in mail either by filtering at mail perimeter or at the mail client." The vendor is a proponent of blocking .zip files and said that enterprises that do so greatly reduce their risk. Other methods to reduce such risk include: scanning inside of .zip files; restricting access to AOL and Web mail; using desktop antivirus scanners for all files on disk access; using security awareness training; renaming the file name extension for .zip files before transmission; and restricting sharing of whole drives and minimizing folder sharing to valid business purposes. Also, restricting outbound SMTP to designated mail servers eliminates the risk of infected internal hosts using SMTP outbound to further spread the infection.
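The following is an added illustration, not code from iDefense, TruSecure or the article, of how a mail gateway could apply two of the measures above: the "foto"/fotos.zip indicators given for Bagle-AQ, and TruSecure's advice to look inside .zip attachments (or block them outright). It parses a message in memory, opens any .zip attachment with Python's standard library, and flags archives that bundle an HTML file with an executable. The sample messages, the inert placeholder files inside the constructed zip, and the list of executable extensions beyond .exe are all assumptions of this example and go slightly beyond the one case the article describes.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the article: "foto" in subject/body, attachment fotos.zip
# holding foto.html and foto.exe. The extra executable extensions are an assumption.
LURE_KEYWORDS = ("foto",)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
HTML_EXTS = (".htm", ".html")


def inspect_zip(data: bytes) -> dict:
    """List the members of a zip attachment without extracting anything to disk."""
    result = {"valid_zip": False, "names": [], "has_html": False, "has_executable": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["valid_zip"] = True
            for name in zf.namelist():
                result["names"].append(name)
                lower = name.lower()
                if lower.endswith(HTML_EXTS):
                    result["has_html"] = True
                if lower.endswith(EXECUTABLE_EXTS):
                    result["has_executable"] = True
    except zipfile.BadZipFile:
        pass  # not a zip at all; report it as invalid and let other checks decide
    return result


def classify_message(raw: bytes, block_all_zips: bool = False) -> dict:
    """Return a verdict ('deliver' or 'quarantine') with the reasons for it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    lure = any(k in subject or k in body for k in LURE_KEYWORDS)

    verdict = {"action": "deliver", "reasons": [], "zip_findings": []}
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(".zip"):
            continue
        if block_all_zips:  # the blanket policy iDefense and TruSecure describe
            verdict["reasons"].append(f"zip attachment {filename} blocked by policy")
            continue
        findings = inspect_zip(part.get_payload(decode=True))
        verdict["zip_findings"].append(findings)
        if findings["has_html"] and findings["has_executable"]:
            verdict["reasons"].append(f"{filename} bundles HTML with an executable")
        elif findings["has_executable"]:
            verdict["reasons"].append(f"{filename} contains an executable")
        if lure and any(k in filename for k in LURE_KEYWORDS):
            verdict["reasons"].append("lure keyword in subject/body and in attachment name")

    if verdict["reasons"]:
        verdict["action"] = "quarantine"
    return verdict


def build_sample_zip() -> bytes:
    """Constructed stand-in for fotos.zip: member names match the article, contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html><!-- constructed placeholder, no active content --></html>")
        zf.writestr("foto.exe", b"constructed placeholder bytes, not a program")
    return buf.getvalue()


def build_message(subject: str, body: str, zip_name: str, zip_bytes: bytes) -> bytes:
    """Assemble a constructed test e-mail with one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the Bagle-AQ mail, one benign archive.
SAMPLE_BAGLE_RAW = build_message("foto", "foto", "fotos.zip", build_sample_zip())
_benign_buf = io.BytesIO()
with zipfile.ZipFile(_benign_buf, "w") as _zf:
    _zf.writestr("report.txt", "quarterly figures (constructed)")
SAMPLE_BENIGN_RAW = build_message("Quarterly report", "Attached.", "report.zip", _benign_buf.getvalue())

if __name__ == "__main__":
    print(classify_message(SAMPLE_BAGLE_RAW))
    print(classify_message(SAMPLE_BENIGN_RAW))
    print(classify_message(SAMPLE_BENIGN_RAW, block_all_zips=True))
```

The archive is opened from memory only and nothing is extracted, so the check is safe to run at a gateway; the `block_all_zips` switch shows the difference between the blanket .zip block the article recommends and the narrower look-inside-the-archive approach, which lets ordinary archives through while still stopping an HTML-plus-executable bundle.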