New variants of the Bagle Internet worm are spreading fast, targeting anti-virus (AV) software and other files on victim PCs. Bagle variants M, N and O have been reported in the past three days.
Brett Myroff, CEO of local Sophos distributor Netxactics, says the new variants are getting cleverer. "We are terming this strain of Bagle viruses 'parasitic viruses' in that they don't drop a file into a PC like the worms we've seen to date, but rather infect existing files on the system, which makes them more damaging. In my opinion, the viruses are becoming more prevalent and dangerous.
"One interesting point is that the new variants are trying to avoid detection by avoiding e-mails to anti-virus vendor addresses. They are obviously trying to limit the speed with which anti-virus vendors get their hands on samples," says Myroff.
Ryan Price, CEO of local F-Secure distributor Y3K Group, says the new variants are spreading "surprisingly fast".
"Bagle.N sends itself as PIF or EXE attachment, which might be packed inside a ZIP or RAR archive. It also may be encrypted with a password, which is not listed in the e-mail, but shown as a BMP or GIF image instead. This makes it more difficult for anti-virus gateway scanners to detect the worm," says Price.
The Bagle.N executable is packed with an unmodified version of UPX. Once unpacking is complete, a small de-scrambling routine runs over the worm's code section; only after this step does the main code start running. This variant terminates processes from a large list of file names, which includes all kinds of security software.
Justin Stanford, MD of local information security company 4DDS, warns that Bagle.M has also started spreading through mass mailing, infecting .exe files and leaving a back door open for hackers.
"Previous Bagles used a similar trick with the password, which unlocks the attached .zip or .rar file, included in plain text in the e-mail body. With Bagle.M, however, the password is displayed in the e-mail in the form of an image file varying from .jpg to .gif and .bmp format, thus complicating detection for anti-virus programs not using advanced heuristics."
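As an added example (not from the article or from any of the vendors quoted), a gateway-side check in Python for the pattern Price and Stanford describe: an encrypted archive attachment accompanied by an image attachment in the same message. It assumes only the ZIP local-file-header encryption flag is inspected; RAR attachments are recorded but not parsed, and the sample message is constructed inline.

```python
import email
import io
import struct
import zipfile
from email.message import EmailMessage

ARCHIVE_EXT = (".zip", ".rar")
IMAGE_EXT = (".gif", ".bmp", ".jpg", ".jpeg")


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP local file header has the 'encrypted' general-purpose bit (bit 0) set."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(data):  # no more complete 30-byte local headers
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)  # flag field sits at header offset 6
        if flags & 0x0001:
            return True
        pos += 4


def assess_message(raw: bytes) -> dict:
    """Walk MIME parts; flag an encrypted archive travelling with an image (the 'password picture')."""
    msg = email.message_from_bytes(raw)
    findings = {"encrypted_archive": False, "image_attachment": False, "archive_names": []}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if name.endswith(ARCHIVE_EXT):
            findings["archive_names"].append(name)
            if name.endswith(".zip") and zip_has_encrypted_entry(payload):
                findings["encrypted_archive"] = True
        elif name.endswith(IMAGE_EXT):
            findings["image_attachment"] = True
    findings["suspicious"] = findings["encrypted_archive"] and findings["image_attachment"]
    return findings


def build_sample_message(encrypted: bool = True, with_image: bool = True) -> bytes:
    """Constructed sample e-mail: a ZIP holding a placeholder .exe name, optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"constructed placeholder, not a real binary")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 0x01  # first local header starts at offset 0; set its encryption bit
    msg = EmailMessage()
    msg["Subject"] = "Re: Incoming Message"  # one of the subject lines the article lists
    msg.set_content("See attached. The password is in the picture.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="document.zip")
    if with_image:
        msg.add_attachment(b"GIF89a-constructed", maintype="image", subtype="gif", filename="password.gif")
    return bytes(msg)
```

On a real gateway this heuristic is one signal among several; an encrypted archive without an accompanying image, or the reverse, is still worth logging rather than ignoring.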
Stanford says the virus aims to disable an enormous list of major anti-virus programs, personal firewalls and other security programs, virus cleaners and system utilities used to clean or remove viruses.
"An interesting development is that Bagle.M will actually infect .exe files, something traditionally unusual for a worm, and more in the vein of traditional viruses. The virus will harvest e-mail addresses from a variety of sources, which is then used for further propagation."
Bagle.O, Myroff says, is not as widespread yet. As with the others, it arrives in e-mail with a variety of subject lines, ranging from 'Re: Hello', 'yahoo', 'Thank you' and 'thanks' to official-sounding subjects such as 'Re: Incoming Message', 'Re: Incoming Fax' and 'Hidden message'.