Last updated 16 December 2005 with information
regarding Troj/BagleDl-AO and W32/Bagle-AX
Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned
users about two new variants of the Bagle Trojan horse which have
been spammed out to internet users. Sophos is advising users to
ensure their anti-virus protection is up-to-date to protect against
attacks.
Sophos has received reports of the Troj/BagleDl-AN and
Troj/BagleDl-AO Trojan
horses being spammed out in emails as a ZIP file attachment
containing a malicious file called S3700020.EXE. Some
emails have been seen containing the message body "New Year's
Day", which correlates with the functionality of the W32/Bagle-AX worm,
discovered in the last 24 hours.
Users opening their email may be at risk of infection if not
properly protected. Once either of the Trojans has infected a
computer, it attempts to download further malicious code from the
internet.
"Whoever is behind the Bagle Trojan horses is deliberately
distributing them widely via email in an attempt to infect as many
computers as possible. It's possible they may issue further
variants in the coming hours to try and slip past anti-virus
defenses," said Graham
Cluley, senior technology consultant for Sophos. "Computer
users should learn never to open unsolicited email attachments.
With over 1900 new viruses, Trojans and spyware programs discovered
in the last month alone, it's essential for businesses to automate
their virus protection against the latest malware menaces, and
ensure they have a policy in place at their email gateway to
control what arrives in their users' inboxes."
The latest Bagle Trojan horses open a graphics
file when first run.
"These latest Bagle Trojans open a graphic file viewer to act
as a decoy for the innocent user who will suspect nothing untoward
is happening. The Trojan horses' author is exploiting networks of
compromised computers - known as zombies, or botnets - to spread
malicious code," continued Cluley. "It's vital that all computer
users ensure they have appropriate defenses in place to prevent
their PC from being taken over and abused by hackers in this
way."
Trojans downloading other malware from the internet
It is becoming increasingly common for Trojan horses to include
the functionality to download further malicious code from the
internet. The Sophos
Security Threat Management Report 2005 reveals that over 40% of
all new malware is programmed to download code from the web, which
can steal information, log keystrokes, disable security software or
give remote hackers access to the infected computer. One of the
reasons why hackers use this technique is that it is relatively
trivial for them to alter the new malware which is downloaded,
rather than have to reinfect all of the infected computers.
Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam
threats and secure their desktops and servers with automatically
updated anti-virus protection.
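One way to implement the email-gateway policy recommended above, as an added example that is not Sophos's code: it parses an incoming message, inspects any ZIP attachment in memory, and flags archive members that are executables or carry the S3700020.EXE name from this advisory. The sender addresses, the attachment filename and the placeholder archive contents are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Member name quoted in the advisory; the set is a constructed stand-in for a real threat feed.
KNOWN_BAD_NAMES = {"s3700020.exe"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def inspect_zip(data: bytes) -> list:
    """List reasons to quarantine a ZIP attachment, inspecting it in memory only."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.rsplit("/", 1)[-1].lower()
                if name in KNOWN_BAD_NAMES:
                    reasons.append(f"known malicious member: {info.filename}")
                elif name.endswith(EXEC_SUFFIXES):
                    reasons.append(f"executable inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims to be ZIP but is not parseable")
    return reasons

def inspect_message(raw: bytes) -> list:
    """Gateway policy check: flag ZIP attachments that carry executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check by declared name and by magic bytes, so a renamed archive is not missed.
        if fname.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload))
    return findings

def build_sample(member_name: str = "S3700020.EXE") -> bytes:
    """Constructed test message in the shape of the spam run described above (dummy bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "user@example.invalid"
    msg.set_content("New Year's Day")       # body text seen in the spammed emails
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="attachment.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample())` to see the archive flagged by its known member name; a message whose ZIP holds only a text file produces no findings.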
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.