Another variant of Bagle virus attempting to spread
September 2, 2004
Another version of the Bagle mass-mailed computer worm began spreading this month.
The virus, known as W32.Bagle.AQ (although many antivirus companies gave the virus their own aliases such as worm_bagle.AI, Bagle.AV, Download.Ject.D, W32/Bagle.dll.dr, Troj/BagleDl-A), attempts to turn off security software on a victim's PC and then tries to download the majority of its malicious programming from 125 Web sites across the globe. However, the virus has encountered problems when attempting to spread because many of the Web sites cannot be accessed.
"For the most part, it's a list of Web sites that don't work," said Allysa Myers, virus research engineer working for security software developer McAfee. Symantec also confirmed that at least half of the Web sites listed in the virus' code were not available.
The latest appearance of the Bagle virus is largely a copy of previous versions of the program. The first worm with the name "Bagle" started compromising computers in January of this year.
Increasingly, viruses are used to spread software that covertly uses computers to serve an attacker's evil purposes. Such "bot" software can be used by spammers and attackers to disrupt access to Web sites or to collect personal financial information, turning the infected computers into "zombies" controlled by the attacker's malicious code.
Bagle.AI was first discovered on August 31st 2004, and the attack slipped in undetected by many corporate antivirus products, as well as many desktop security systems. The virus arrives in an e-mail with the subject "foto" and a spoofed "from" address. The attachment is an unencrypted Zip file named "foto.zip". Opening the Zip archive and running either the HTML file or the program file (the executable foto1.exe) will infect any Windows-based computer with the virus, unless the PC is protected by up-to-date antivirus software. If the Bagle virus cannot download any further instructions from the listed Web sites, it will only attempt to turn off security on the PC and copy itself to several folders, including any shared directories.
However, if it does download the additional instructions, Bagle will send itself out to any e-mail addresses found on the victim's PC, skipping only those that belong to major software companies, Linux distributors and security providers - a common move aimed at maximizing the time until the code is detected and eradicated by updated antivirus software.
The enhanced virus also opens a back door into the victim's computer to create an e-mail relay, which spammers can use to route bulk e-mail through the PC. Many firewalls may fail to notice the worm's presence because its outbound traffic appears to come from Explorer.exe reaching out to the web; since that is a normal occurrence, detection by a firewall (as was possible with Bagle.AQ) may not be possible.
Online users are advised to get the latest antivirus definitions from the antivirus update websites, install a firewall capable of outgoing data blocking, and enable automatic updating of their operating systems.
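As an added illustration (not code from the original article or from any vendor), the following mail-gateway check screens for the delivery pattern described above: a message with the subject "foto" carrying a Zip attachment whose members are executables or HTML files. The indicator names come from the article; the list of risky suffixes, the message builder and the sample addresses are assumptions used to construct test input, and the archive members are harmless placeholder bytes.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators reported in the article for this Bagle variant.
BAGLE_SUBJECT = "foto"
BAGLE_ATTACHMENT = "foto.zip"
# Assumption: a generic set of member suffixes a gateway would treat as risky inside a zip.
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".htm", ".html")


def inspect_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report zip attachments with risky members."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable zip")  # still worth a human look
            continue
        risky = [m for m in members if m.lower().endswith(RISKY_SUFFIXES)]
        if risky:
            findings.append(f"{name}: risky members {risky}")
    # Full match on the article's pattern: subject "foto" plus a risky "foto.zip".
    matches = subject == BAGLE_SUBJECT and any(f.startswith(BAGLE_ATTACHMENT) for f in findings)
    return {"subject": subject, "findings": findings,
            "matches_bagle_aq": matches, "quarantine": bool(findings)}


def build_sample(subject: str, zip_name: str, members: dict) -> bytes:
    """Constructed test message: a zip attachment holding the given placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"   # assumption: spoofed sender, as in the article
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```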