Following a tradition normally associated with weather, March came in like a lion for IT administrators, with 15 Bagle worm variants breezing through networks after a fairly successful spammed seeding last night. And if that wasn't enough, four variants of the Mitglieder Trojan are reported to be gaining traction as well.
"In the early stages of the outbreak iDefense identified five unique codes [of Bagle] being heavily spammed into the wild," said Ken Dunham, director of malicious code for the Reston, Va.-based network security firm. "The attack is ongoing and many of the minor variants are not detected by various security products.
"These codes do require user interaction, but user-interaction worms have proven themselves to be highly effective in the wild over the past 13 months," Dunham added.
Kaspersky Labs, based in Russia, reported 15 variants, but several of them share enough common elements to be identified in groups by antivirus vendors with updated signatures. Kaspersky identifies the variants as Worm.Win32.Bagle-BB.
Most of the e-mail samples seen so far include a .zip attachment, which when opened, includes a program file named "doc_01.exe," "prs_03.exe" or some other innocuous sounding name, said a statement from Lynnfield, Mass.-based Sophos Inc. "If the program inside the .zip file is opened, the Trojan horse tries to connect to one of a number of Web sites in order to download further malicious code. At the time of writing, none of these Web sites appeared to contain anything malicious."
"Troj/BagleDl-L [as named by Sophos] tries to stop various security applications such as antivirus and firewall software, to rename files belonging to security applications so they can no longer load and to block access to a range of security-related Web sites by changing the Windows Hosts file," said Sophos's Senior Technology Consultant Graham Cluley.
The variants attempt to delete more than a dozen registry keys and about 75 files. They also try to kill two dozen processes.
However, not all antivirus vendors see the new variants as a threat. "Trend Micro is not concerned with an increasing spread of this threat because the keyword 'price' in the message body and attachment is not a strong Social Engineering message, it gives the impression that the received mail is probably a piece of spam," according to a company spokesperson. "Many filters are likely to be set up to catch such content. Users may also delete the mail, assuming it to be spam."
PandaLabs, based in Glendale, Calif., reported that four variants of the Mitglieder Trojan appeared to be circulating even more widely than the Bagle variants. Mitglieder also terminates antivirus and security program processes, and overwrites Windows Hosts files to prevent infected users from connecting to certain Web pages.
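The Hosts-file tampering described by Sophos and PandaLabs above is something an administrator can check for directly. The following is an added example, not code from the article or any vendor named in it: it parses hosts-file text and flags entries that pin a security-related hostname to a loopback or null address. The sample file, the keyword list and the address set are assumptions for illustration.

```python
# Added example (not from the article or any vendor): flag Windows hosts-file
# entries that redirect security-vendor sites to a loopback/null address, the
# tampering the article attributes to the Bagle/Mitglieder variants.
import ipaddress

# Constructed sample of a tampered hosts file (vendor names are illustrative).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.antivirus-vendor.example
0.0.0.0         downloads.security-site.example   # Bagle-style block
192.168.1.10    intranet.corp.example
"""

# Substrings typical of security-vendor hostnames; an assumption, extend as needed.
SECURITY_KEYWORDS = ("sophos", "antivirus", "security", "kaspersky", "symantec", "mcafee", "trendmicro")
# Addresses the malware uses to sinkhole a name so the site can never be reached.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not a valid address; not a hosts entry
        for host in fields[1:]:
            yield ip, host.lower()

def find_tampered_entries(text):
    """Return entries that map a security-related hostname to a sinkhole address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one expected loopback mapping
        if ip in SINKHOLE_ADDRESSES and any(k in host for k in SECURITY_KEYWORDS):
            hits.append((ip, host))
    return hits

if __name__ == "__main__":
    for ip, host in find_tampered_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_tampered_entries` instead of the constructed sample.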
The company believes that both pieces of malicious code are being distributed by an organized group. "It would seem that given the similarities that we have detected in the source code, the new Bagle and Mitglieder variants are the work of the same person or of an organized group," Luis Corrons, director of PandaLabs, said in a statement. "The whole process began with the massive, manual sending of thousands of e-mails infected with Mitglieder-BO. Moreover, in order to confuse both antivirus vendors and users alike, a large number of variants have been created and circulated in a very short period of time. For this reason it is possible that new variants of both malicious codes will continue to appear."
Sophos recommends that users keep their antivirus programs up-to-date. "Any Trojan horse which turns off your antivirus or firewall can open you up to further attack, even by very old viruses," said Cluley.
Recommendations by Herndon, Va.-based security provider Cybertrust also include blocking executable attachments at the gateway.