Anti-virus experts at Sophos have advised customers that the
latest variants of the Bagle worm (W32/Bagle-N and W32/Bagle-O) are using a
sneaky trick in an attempt to waltz past anti-virus protection at
the email gateway.

The worms can arrive in an email in the form of an attached
password-protected archive file (Zip or RAR). Earlier versions of
the Bagle worm sent themselves as password-protected Zips, but
contained the password in the text of the email so the user could
open the attached file. Because some anti-virus products were
'plucking' the password from the text of the email and using it to
decrypt the attached file, the worms' author now supplies the
password as a graphic embedded inside the message instead.

A typical email created by the Bagle worm

"The worm's author is sneakily trying to make it more difficult
for anti-virus products to scan inside the password-protected Zip
or RAR," said Graham Cluley, senior technology consultant for
Sophos. "However, Sophos's email gateway products can still
intercept and protect against these worms before they reach users'
desktops."

Curiously, the author of the worms has hidden an ASCII text
representation of a butterfly inside the viral code, alongside the
words:

The White Rabbit Presents
The first and the single
Anti-NetSky AntiVirus

Hidden inside the Bagle-N and Bagle-O worm is a picture of a butterfly