New Bagle version spreading

Antivirus and computer security companies warned Internet users about a new version of the Bagle e-mail worm that was spreading quickly on the Internet Monday.

The new worm goes by a number of different names and is very similar to earlier versions of the worm, but also has new features that allow it to trick antivirus software and content filtering products, said Sam Curry, vice president of e-Trust Security Management at Computer Associates International Inc. (CA).

Antivirus company McAfee Inc. and CA both rated the new version of Bagle a "medium" threat, citing increasing number of samples submitted by customers.

CA first detected the new Bagle, which it dubbed Bagle.AG, around 9:00 a.m. Monday, Eastern Time in the United States. The new worm may have been "seeded" through e-mail distribution akin to unsolicited commercial ("spam") e-mail campaigns, said antivirus company F-Secure Corp. of Helsinki on Monday. F-Secure, like McAfee, labeled the new worm Bagle.AQ. (See: http://vil.nai.com/vil/content/v_127423.htm.)

Submissions from CA customers accelerated on Monday afternoon, with more than 35 enterprises and 300 consumers submitting samples of the worm to CA of Islandia, New York.

The new version of Bagle is nearly identical to earlier versions of Bagle. Like earlier Bagle versions, it contains its own Simple Mail Transfer Protocol (SMTP) e-mail engine, gleans e-mail addresses from files stored on the hard drive of computers it infects and sends copies of itself out to those addresses using forged (or "spoofed") sender addresses.

However, the new variant also has some new features that make it harder to catch, Curry said.

Among other things, the new worm injects a file known as a dynamic link library, or DLL, into Windows that allows the worm to disguise itself as the Microsoft Corp. Internet Explorer Web browser. That allows Bagle to masquerade its actions as those of IE, fooling firewall software that may be running on machines it infects and that would block communications to other systems on the Internet from unauthorized applications. As a result, the new Bagle version is able to request and download malicious files with impunity, he said.

For companies that may use content blocking products that inspect Web traffic, the new Bagle variant also has a feature that alters the names of files it requests in transit. For example, it can rename EXE program files as innocuous files such as JPG images, which content filtering products typically allow. Once downloaded to the infected system, however, the new Bagle version renames and runs the EXE files, he said.

CA is still analyzing Bagle, but Curry believes that the new worm version is spreading, in part, by exploiting a vulnerability in a Windows feature for viewing and opening ZIP compressed file archives. That vulnerability allows the worm to be installed if users simply view the ZIP-format e-mail attachment containing the worm file using the Windows Explorer or Internet Explorer browser.

CA and others have released updated virus definitions, or "signatures," that spot the new variant, Curry said. In addition, antivirus products that use heuristic technology to spot viruses may be able to spot the new variant without an updated virus signature, he said.