New Bagle variant combines spam, Trojans

Antivirus software companies are warning their customers about the appearance of at least one new version of the Bagle worm that doesn't try to spread, but installs malicious remote monitoring software on systems it infects.

The new Bagle variant, Bagle.BB, is spreading in massive spam e-mail campaigns, but breaks with computer worm orthodoxy. Unlike earlier forms of Bagle, the new variant sends out e-mails with so-called "Trojan horse" programs attached to them, as opposed to copies of the virus file. The new attack could be the first of more to come, as malicious hackers turn to spam and stealthy Trojan programs to evade detection, according to one antivirus expert.

The new Bagle variant appeared early Tuesday in a massive spam e-mail campaign that dropped copies of the new Trojan horse programs in mailboxes worldwide, according to Andrew Lee, chief technology officer of antivirus company Eset LLC.

At one point, Eset, which is based in San Diego, received up to 3,500 Bagle e-mails an hour containing the new Trojan horse programs. The spam is being sent from huge networks of virus-infected "zombie" computers, and the volume of mail has waxed and waned throughout the day as different spam campaigns begin and end, Lee said.

The Trojan targets computers running Microsoft's Windows operating system and hides in file within a ZIP file archive. The Trojan horse program is an executable program file that uses innocuous names such as "doc_01.exe," or "prs_03.exe," according to an alert from antivirus company Sophos, which labeled the new threat Troj/BagleDl-L.

The e-mail messages try to trick users into opening the file attachment and install the Trojan program, and have subject lines such as "New Price List," Lee said.

When opened, the Trojan program is installed on the local computer and tries to connect to one of a long list of Web sites to download another malicious program, which is believed to be a spam mass mailing program, Lee said.

The Trojan programs also modify a Windows configuration file to try to block access to Web sites operated by antivirus and computer security companies, antivirus companies said.

Eset detected 15 unique Trojan horse programs associated with the new Bagle versions on Tuesday. F-Secure of Helsinki detected four new Trojans and two different variants of the Bagle worm Tuesday, according to a post on the company's Web site.

Sophos said that it knew of "very few" infections from the attack, but said that customers would be aware of the attack and should keep their antivirus software updated to detect the new variants.

However, the sheer number of new Trojan horse programs being distributed, with new variants appearing minutes apart from each other, will challenge antivirus vendors to come up with new antivirus signatures in time to stop infections, Lee said.

The switch from self-reproducing viruses to spam campaigns that drop Trojan horse programs may be a sign that online criminal groups are changing tactics to avoid detection by antivirus software and other technology, Lee said.

"I wouldn't be surprised if we see more of this," he said.