
New wave of Trojans unleashed

By Tracy Burrows, ITWeb contributor.
Johannesburg, 02 Mar 2005

Anti-virus companies warn that a new wave of Bagle and Glieder Trojans has been unleashed.

Ken Dunham, director of Malicious Code at iDefense, said this morning: "A large wave of Bagle and Glieder Trojan horse attacks commenced about 12 hours ago. As many as 15 variants of Bagle have been reported by at least one source already.

"In the early stages of the outbreak iDefense identified five unique codes being heavily spammed into the wild. The attack is ongoing and many of the minor variants are not detected by various security products. These codes do require user interaction, but user-interaction worms have proven themselves to be highly effective in the wild over the past 13 months."

Anti-virus vendors say the wave of attacks started in the US and spread to the Asia-Pacific region. The Trojans are mainly Bagle variants delivered by e-mail, with the message text, attachment sizes and file names randomised to evade signature-based detection.

Dunham noted that so-called "wave attacks" are becoming increasingly common. In these, multiple minor variants are seeded into the wild in quick succession so that at least some of them slip past existing detection and improve the overall success of the attack.

Global security software firm NOD32 has detected several thousand messages carrying Trojan variants derived from the Bagle worm family, and has identified the initial variants as Bagle.BA and Bagle.BB.

"The Bagle viruses, which created havoc on e-mail systems for much of last year, are clearly still causing damage," says the company. "Today's spam runs containing various Trojan components were most likely sent out via the so-called 'zombie' networks that Bagle created earlier."

Local Sophos distributor Netxactics says experts have detected many samples of a new Trojan horse being sent via e-mail.

"The Troj/BagleDl-L Trojan horse appears to have been deliberately spammed out to e-mail addresses around the world. Most of the e-mail samples seen so far include a ZIP attachment which, when opened, includes a program file named 'doc_01.exe' or 'prs_03.exe', or some other innocuous-sounding name," says Sophos.

If the program inside the ZIP file is run, the Trojan horse tries to connect to one of a number of Web sites in order to download further malicious code. So far, however, none of those Web sites appears to host anything malicious.

Sophos adds that Troj/BagleDl-L tries to terminate security applications such as anti-virus and firewall software, to rename files belonging to those applications so they can no longer load, and to block access to a range of security-related Web sites by rewriting the Windows HOSTS file so that their names no longer resolve to the real servers.
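The HOSTS-file tampering Sophos describes is straightforward to check for. The following Python script is an added example, not part of the article or of Sophos' analysis: it parses HOSTS-file text and flags any entry that maps a security-vendor domain to a sinkhole address (127.0.0.1, 0.0.0.0, ::1) or redirects it to some other host. The vendor watchlist and the sample HOSTS content are constructed for illustration; a real infection may target a different set of domains.

```python
"""
Flag HOSTS-file entries that sinkhole or redirect security-vendor domains.

Added example (not the article's or Sophos' code). SECURITY_DOMAINS and
SAMPLE_HOSTS are constructed for illustration.
"""

# Constructed watchlist (assumption): any HOSTS entry for these names is
# suspicious, because a clean system resolves them through DNS.
SECURITY_DOMAINS = {
    "sophos.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "trendmicro.com",
}

# Addresses that make a name unreachable rather than pointing it elsewhere.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a tampered HOSTS file. The localhost line is legitimate,
# intranet.example.com is an unrelated local override, everything else is bad.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com      # inline comment
0.0.0.0         liveupdate.symantec.com
127.0.0.1       update.kaspersky.com securityresponse.symantec.com
198.51.100.7    downloads.mcafee.com
192.0.2.10      intranet.example.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, one per name, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name.lower()


def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched vendor domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked(text):
    """Return sorted (hostname, address, kind) for watched names found in HOSTS text.

    kind is 'sinkholed' when the address is a loopback/null address (the name is
    simply blocked) and 'redirected' when it points at some other host.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name):
            continue
        kind = "sinkholed" if addr in SINKHOLE_ADDRS else "redirected"
        hits.append((name, addr, kind))
    return sorted(hits)


if __name__ == "__main__":
    # On a real Windows host, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for name, addr, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"{kind:10s} {name:35s} -> {addr}")
```

Run against the live file, the script reports only names on the watchlist, so a legitimately tampered file that blocks a different vendor's domains needs the list extended; the classification matters because a "redirected" entry pointing at a routable address is the more serious finding, since update traffic may be going to an attacker-controlled host rather than simply failing.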

Despite the wide distribution of this malicious program, Sophos has received few reports of active infections.
