Experts at SophosLabs™, Sophos's global network of virus and
spam analysis centres, have detected many samples of a new Trojan
horse being sent via email.
The Troj/BagleDl-L Trojan
horse appears to have been deliberately spammed out to email
addresses around the world. Most of the email samples seen so far
include a ZIP attachment which, when opened, contains a program
file named "doc_01.exe" or "prs_03.exe", or some other innocuous-sounding name.
If the program inside the ZIP file is opened, the Trojan horse
tries to connect to one of a number of websites in order to
download further malicious code. At the time of writing, none of
these websites appeared to contain anything malicious.
Additionally, Troj/BagleDl-L tries to stop various security
applications such as anti-virus and firewall software, to rename
files belonging to security applications (so they can no longer
load), and to block access to a range of security-related websites
by changing the Windows HOSTS file.
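As an added illustration (not code from the Sophos advisory), the following Python check parses a Windows HOSTS file and flags entries for security-vendor domains, the tampering technique described above. The vendor domain list and the sample HOSTS content are constructed assumptions, not values from the advisory.

```python
# Added example (not part of the Sophos advisory): a defender-side check that
# parses a Windows HOSTS file and flags any mapping for security-vendor domains,
# the blocking technique the advisory attributes to Troj/BagleDl-L.
# The watch-list and sample file content below are constructed for illustration;
# the real file lives at %SystemRoot%\System32\drivers\etc\hosts.
import ipaddress

# Hypothetical watch-list of domains that security software and updates rely on.
SECURITY_DOMAINS = {"sophos.com", "symantec.com", "mcafee.com",
                    "windowsupdate.com", "trendmicro.com"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file.
    Comments (#) and blank lines are skipped; one IP may map to several names."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: ignore rather than crash the scan
        for name in fields[1:]:
            yield str(ip), name.lower(), line_no

def _matches_watchlist(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)

def find_blocked_security_sites(text):
    """Return every HOSTS entry for a watched domain, in file order.
    A clean HOSTS file should not contain such entries at all, so any hit
    (whether it points to 127.0.0.1, 0.0.0.0 or elsewhere) is suspicious."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if _matches_watchlist(name):
            findings.append({"line": line_no, "ip": ip, "host": name})
    return findings

# Constructed sample resembling a tampered file; the localhost line is legitimate.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com   # added by malware
0.0.0.0         liveupdate.symantec.com
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for f in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```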
Despite the wide distribution of this malicious program, Sophos
has received very few reports of active infections. Also, because
this program is a Trojan, and not a virus, it cannot spread further
of its own accord.
Nevertheless, Sophos is advising customers to check that their
anti-virus is up-to-date.
"Any Trojan horse which turns off your anti-virus or firewall
can open you up to further attack, even by very old viruses," said
Graham Cluley,
senior technology consultant for Sophos. "My advice is keep your
anti-virus automatically updated and always be suspicious of
unsolicited email attachments."
Sophos also advises companies to adopt an
email gateway policy which can protect against new email
threats, even before anti-virus updates are available.
"This Trojan horse is aiming to take advantage of many people's
reflex reaction when they receive an executable file via email:
rather than not touching it with a bargepole, they often can't
resist double-clicking on it, even though they have no idea if it's
safe or not," continued Cluley. "It's time more companies woke up
to the benefits of stopping executable code from entering their
organisation via email. Users who want to install software on their
computer should be receiving it from their IT department, not from
friends at other companies or potentially dangerous spam
mailings."
Sophos recommends that businesses ensure their computers are
kept automatically up-to-date with the very latest anti-virus software. Sophos anti-virus
products have been capable of detecting the Troj/BagleDl-L Trojan
horse since 05:40 GMT on 1 March 2005.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.