New Bagle variants on the prowl

By Bill Brenner, Senior News Writer 21 Jun 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The prolific Bagle worm is rising once again this week, arriving in email inboxes as an encrypted .zip attachment. According to several antivirus firms, the new versions spread using randomly chosen names programmed into its code.

Finnish security firm F-Secure Corp. announced the latest variants in its blog Tuesday, saying, "One Bagle per day -- it isn't a diet, it's a way of life." The company said it usually receives new Bagle variants once or twice a week, but that in the past week it has received a new variant each day.

Russian antivirus firm Kaspersky Lab rated one of the latest variants, Bagle-FY, as a moderate risk and said it has been spreading rapidly in the past 24 hours or so. "Kaspersky Lab is receiving increasing numbers of reports … from users around the world," the firm said on its Web site.

UK-based Sophos said one variant, Bagle-KL, spreads as an encrypted .zip email attachment that even carries a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email, the firm said. It also spreads using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, and Thomas.

The .zip file titles include Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip. Encrypted inside the attached Zip file is a copy of the worm.

Sophos said the body of the email can contain phrases such as "I love you" or "To the beloved," with advice on the five-digit password that should be used to open the .zip file.

When run, Sophos said, Bagle-KL attempts to disable various security applications and download malware from one of 99 different Web sites. Many of those Web sites are based in Poland, Russia and the Czech Republic.

"Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their antivirus protection is kept up to date," Sophos Senior Technology Consultant Graham Cluley said in a statement.

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary