New Bagle worm uses old tricks to spread, says Sophos

July 16, 2004 Sophos Press Release

W32/Bagle-AF can send itself in the form of an encrypted Zip file.

Email-aware worm spreads as an EXE, CPL, SCR or ZIP file

Virus researchers at Sophos are warning users to beware of the latest Bagle worm, Bagle-AF, which is spreading steadily by email.

Although the worm uses a multitude of randomly generated subject lines, message texts and attachments to confuse recipients, it relies on the age-old trick of duping users into double-clicking on the attachment in order to spread. If run, the worm attempts to disable anti-virus and other security products and opens up a backdoor in the PC, enabling hackers to send out spam emails from the compromised machine.

"Bagle-AF is hard to spot with the naked eye, but is very easy to stop - either with up-to-date anti-virus software or by simply not clicking on unsolicited email attachments," said Graham Cluley, senior technology consultant, Sophos. "It's crucial to keep virus protection regularly updated in order to keep systems virus-free and to ensure your PC doesn't become a spam factory without your knowledge."

Much like previous Bagle worms, this latest version also causes the infected computer to automatically send messages to a number of German websites, suggesting the worm originated in Germany. Since May 2004, when German authorities arrested Sven Jaschan, the self-confessed author of the Sasser and Netsky worms, there has been very little virus activity in this country.

"Earlier this year, we were seeing a Bagle worm every few days, as its author fought a war of the worms with rival virus writer, Sven Jaschan - the teenager responsible for Netsky. However, since Jaschan's arrest, the German virus-writing community has pretty much gone to ground, with only a few low-impact viruses emerging," continued Cluley. "Bagle-AF's bold appearance may signal that German virus writers have not been put off - with luck their newfound confidence will be their downfall."