New Bagle Trojan horse widely distributed, warns Sophos

March 01, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have detected many samples of a new Trojan horse being sent via email.

The Troj/BagleDl-L Trojan horse appears to have been deliberately spammed out to email addresses around the world. Most of the email samples seen so far include a ZIP attachment which, when opened, contains a program file named "doc_01.exe" or "prs_03.exe", or some other innocuous-sounding name.

If the program inside the ZIP file is opened, the Trojan horse tries to connect to one of a number of websites in order to download further malicious code. At the time of writing, none of these websites appeared to contain anything malicious.

Additionally, Troj/BagleDl-L tries to stop various security applications such as anti-virus and firewall software, to rename files belonging to security applications (so they can no longer load), and to block access to a range of security-related websites by changing the Windows HOSTS file.
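The HOSTS-file tampering described above is easy to check for. The following Python script is an added example (not code from Sophos or this press release): it parses a Windows HOSTS file and flags any mapping for a security-related hostname, since such names should normally be resolved by DNS rather than a local override. The domain watchlist and the sample HOSTS content are constructed for illustration.

```python
"""Flag HOSTS-file entries that override security-related hostnames.

Added example; the watchlist and sample file content are constructed.
"""
import os
from typing import List, Tuple

# Constructed watchlist of substrings; extend with your own vendors/update hosts.
WATCHLIST = ("sophos", "symantec", "mcafee", "kaspersky", "windowsupdate")

# Default Windows location of the HOSTS file.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in HOSTS text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()                     # "ip name [name ...]"
        for name in parts[1:]:
            entries.append((parts[0], name.lower(), line_no))
    return entries


def find_suspicious(text: str) -> List[Tuple[str, str, int]]:
    """Any local override of a watchlisted hostname is suspicious, whatever the IP."""
    return [e for e in parse_hosts(text) if any(w in e[1] for w in WATCHLIST)]


# Constructed sample: a stock header plus two black-holing entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com sophos.com   # added by malware (constructed)
127.0.0.1 liveupdate.symantec.com
10.0.0.5 intranet.example.local
"""

if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for ip, name, line_no in find_suspicious(text):
        print(f"line {line_no}: {name} -> {ip}")
```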

Despite the wide distribution of this malicious program, Sophos has received very few reports of active infections. Also, because this program is a Trojan, and not a virus, it cannot spread further of its own accord.

Nevertheless, Sophos is advising customers to check that their anti-virus is up-to-date.

"Any Trojan horse which turns off your anti-virus or firewall can open you up to further attack, even by very old viruses," said Graham Cluley, senior technology consultant for Sophos. "My advice is keep your anti-virus automatically updated and always be suspicious of unsolicited email attachments."

Sophos also advises companies to adopt an email gateway policy which can protect against new email threats, even before anti-virus updates are available.

"This Trojan horse is aiming to take advantage of many people's reflex reaction when they receive an executable file via email: rather than not touching it with a bargepole, they often can't resist double-clicking on it, even though they have no idea if it's safe or not," continued Cluley. "It's time more companies woke up to the benefits of stopping executable code from entering their organisation via email. Users who want to install software on their computer should be receiving it from their IT department, not from friends at other companies or potentially dangerous spam mailings."

Sophos recommends that businesses ensure their computers are kept automatically up-to-date with the very latest anti-virus software. Sophos anti-virus products have been capable of detecting the Troj/BagleDl-L Trojan horse since 05:40 GMT on 1 March 2005.