Bagle worm spreading widely as "February Price" email

February 10, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned users about a new version of the Bagle worm which has spread widely in the last few days. Sophos is advising users to ensure their anti-virus protection is up-to-date to protect against attacks.

Sophos has received many reports of the W32/Bagle-CH worm being spammed out in emails as a ZIP file attachment. When spreading via email, the worm disguises itself by using the message text "February Price" and the subject line "Price".

At the time of writing, the Bagle-CH worm accounts for 10% of all viruses spotted at Sophos's global network of monitoring stations, making it the third most commonly encountered email virus.

Users opening their email may be at risk of infection and hacker attack if not properly protected. Once the worm has infected a computer, it attempts to disable anti-virus and other security software.

The worm also attempts to spread itself via file-sharing networks, posing as a number of different files, including a beta of Windows Longhorn, hardcore pornography, or a copy of Adobe Photoshop 9.

"We are seeing an increasing number of reports of this virus at email gateways around the world, but those with defenses in place should have little to fear," said Graham Cluley, senior technology consultant for Sophos. "Computer users should learn never to open unsolicited email attachments. With over 2300 new viruses, Trojans and spyware programs discovered in the last month alone, it's essential for businesses to automate their virus protection against the latest malware menaces, and ensure they have a policy in place at their email gateway to control what arrives in their users' inboxes."

Another recent version of the Bagle worm, W32/Bagle-CJ, can disguise itself as an email message from the Symantec online store, and attempts to spread via P2P file-sharing systems as nude pictures of actress Kate Beckinsale, or erotic content related to Paris Hilton and Britney Spears.

Sophos has been protecting businesses against the W32/Bagle-CH worm since 15:06 GMT on 7 February. Protection against W32/Bagle-CJ has been in place since 18:40 GMT on 9 February 2006.

Companies are advised to protect their email with a consolidated solution that thwarts virus, spyware and spam threats, and to secure their desktops and servers with automatically updated anti-virus protection.