Antivirus and security companies have warned that a sneakier version of the Bagle e-mail worm is spreading quickly on the internet.
Sam Curry, vice-president of e-Trust Security Management at Computer Associates, said the newest version of Bagle could trick antivirus software and content filtering products. He rated the worm a "medium" threat.
The new version of Bagle is nearly identical to earlier versions: it contains its own SMTP e-mail engine, gleans e-mail addresses from files stored on hard drives, and sends copies of itself to those addresses using spoofed sender addresses.
However, Curry said the new variant of Bagle was harder to catch. Among other things, it injects a DLL file into Windows that disguises the worm as Microsoft's Internet Explorer web browser. Bagle can then fool firewalls by masquerading as IE and request and download malicious files with impunity.
The new variant also alters the names of files it requests in transit to get past content blocking products that inspect web traffic. For example, it can relabel program files as innocuous JPG images, which content filtering products typically allow. Once downloaded, Bagle changes the file extensions back to EXE and runs the programs.
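The relabelling described above only works against filters that trust the file name. As an added example (not part of the original article), the sketch below shows the corresponding defensive check: it classifies a download by its leading bytes and flags a Windows executable that claims to be a JPG. The function names, verdict strings and sample inputs are assumptions constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first segment byte


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which simply fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Compare the extension a file claims with what its content says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe(data):
        # Content is a Windows program regardless of what the name claims.
        return "executable" if ext in {"exe", "dll"} else "disguised-executable"
    if ext in {"jpg", "jpeg"}:
        return "image" if data.startswith(JPEG_SOI) else "mismatch"
    return "unknown"


def build_constructed_pe() -> bytes:
    """Constructed minimal PE-style header (not a real program) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset of PE signature
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


SAMPLES = [  # constructed sample inputs
    ("holiday.jpg", JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("photo.jpg", build_constructed_pe()),
    ("setup.exe", build_constructed_pe()),
    ("broken.jpg", b"not an image at all"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:12} -> {classify_download(name, body)}")
```

A filter applying this check would act on the "disguised-executable" verdict no matter what extension the request used.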
Curry said that simply viewing the ZIP-format e-mail attachment containing the worm using Windows Explorer or Internet Explorer would install Bagle.
CA and other antivirus software companies have released updated virus definitions to spot the new variant.
Paul Roberts writes for IDG News Service