Antivirus and security companies have warned that a sneakier version of the Bagle e-mail worm is spreading quickly on the internet.
Sam Curry, vice-president of e-Trust Security Management at Computer Associates, said the newest version of Bagle could trick antivirus software and content filtering products. He rated the worm a "medium" threat.
The new version of Bagle is nearly identical to earlier versions: it contains its own SMTP e-mail engine, gleans e-mail addresses from files stored on hard drives, and sends copies of itself to those addresses using spoofed sender addresses.
However, Curry said the new variant of Bagle was harder to catch. Among other things, it injects a DLL file into Windows that disguises it as Microsoft's Internet Explorer web browser. Bagle can then fool firewalls by masquerading as IE and request and download malicious files with impunity.
The new variant also alters the names of files it requests in transit to get past content blocking products that inspect web traffic. For example, it can relabel program files as innocuous JPG images, which content filtering products typically allow. Once downloaded, Bagle changes the file extensions back to EXE and runs the programs.
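The relabelling trick described above only works against filters that trust the file name. The following is an added example, not code from the article or from CA's products, showing the defensive counterpart: a check that classifies a downloaded object by its leading bytes and flags a Windows executable delivered under a .jpg name. Function names and the sample inputs are constructed for illustration.

```python
"""Content inspection that does not trust the file extension.

Added example (not from the article). It identifies a Windows PE executable
by its 'MZ' header and 'PE\\0\\0' signature, so a program relabelled as a
JPG is still recognised as executable.
"""
import struct

JPEG_MAGIC = b"\xff\xd8\xff"


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Classify by content only: 'pe', 'jpeg' or 'unknown'."""
    if is_pe_executable(data):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def should_block(filename: str, data: bytes) -> tuple:
    """Decide by content first, then compare with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    if kind == "pe":
        return True, f"executable content (PE) delivered as .{ext or '<none>'}"
    if ext in ("jpg", "jpeg") and kind != "jpeg":
        return True, f"claimed JPEG but content is {kind}"
    return False, f"{kind} content consistent with .{ext}"


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped header (not a runnable program)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes so far
    header += struct.pack("<I", 0x40)             # e_lfanew = 0x40
    header += b"PE\x00\x00" + b"\x00" * 20        # PE signature plus padding
    return bytes(header)


# Constructed samples: a genuine-looking JPEG header and an executable relabelled as .jpg
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "photo2.jpg": _fake_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, should_block(name, blob))
```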
Curry said that simply viewing the ZIP-format e-mail attachment containing the worm using Windows Explorer or Internet Explorer would install Bagle.
CA and other antivirus software companies have released updated virus definitions to spot the new variant.
Paul Roberts writes for IDG News Service