Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of a new version of the Bagle worm spreading via email systems.
The W32/Bagle-KL worm spreads as a password-protected Zip email attachment. The randomly generated numeric password is shown to the recipient in an image embedded in the email, and the message invites the user to open the Zip file with that password.
The worm spreads via email using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes:
Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, Thomas
The Zip file attached to the email is named after the chosen name. Examples include:
Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip.
Encrypted inside the attached Zip file is a copy of the worm.
The body of the email can contain phrases such as "I love you" or "To the beloved", with advice on the five-digit password that should be used to open the Zip file:
Password is <image file>
or
Zip password: <image file>
or
Archive password is <image file>
or
Use password <image file> to open archive.
When run, the Bagle-KL worm attempts to disable various security applications and to download further malicious code from one of 99 different websites. Many of the websites it tries to download malicious code from are based in Poland, Russia or the Czech Republic.
"The Bagle-KL worm sends itself via email encrypted inside a Zip
file in an attempt to avoid detection at the gateway. Users can
only open the Zip file by typing in a password, which the worm has
told them by embedding a graphic image inside the email," said
Graham Cluley,
senior technology consultant for Sophos. "The worm uses a randomly
generated password for its email image and for the Zip file, in an
attempt to evade email filters. Users would be wise to resist the
temptation of opening unsolicited attachments, and ensure their
anti-virus protection is kept up-to-date."
Sophos recommends that companies protect their email systems with an automatically updated, consolidated solution that defends against viruses, spyware and spam, and that they apply an email policy that filters unsolicited executable code at the gateway.
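The gateway filtering recommended above can act on the structure the release describes even though the archive itself cannot be scanned: a Zip attachment whose entries carry the encryption flag, combined with a "Password is"-style hint in the body and an inline image in the same message. The following is an added example written for this page, not Sophos's code or anything taken from the worm; the mail samples, the phrase patterns and the `quarantine`/`pass` verdict are constructed for illustration, and the "encrypted" archive is a bare ZIP header wrapped around inert text.

```python
"""Gateway-side heuristic for Bagle-KL-style mail: an encrypted ZIP attachment
whose password is handed to the reader in the body or an inline image.
Added example with constructed samples; not Sophos's code or the worm's."""
import email
import io
import re
import struct
import zipfile
from email.message import EmailMessage
from email.policy import default

# Body phrases quoted in the advisory, as case-insensitive patterns.
PASSWORD_HINTS = [
    r"\bpassword is\b",
    r"\bzip password:",
    r"\barchive password is\b",
    r"\buse password\b.*\bto open\b",
]


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Scan ZIP local file headers (PK\\x03\\x04) and report whether any entry
    has general-purpose bit 0 (traditional ZIP encryption) set.  This needs no
    password, which is exactly what a gateway lacks."""
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]  # offset 6: bit flag
        if flags & 0x0001:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def analyse(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=default)
    body, inline_image, encrypted_zip = "", False, None
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_content()
        elif (part.get_content_maintype() == "image"
              and part.get_content_disposition() != "attachment"):
            inline_image = True
        elif (part.get_filename() or "").lower().endswith(".zip"):
            if zip_has_encrypted_entry(part.get_payload(decode=True) or b""):
                encrypted_zip = part.get_filename()
    hint = any(re.search(p, body, re.I) for p in PASSWORD_HINTS)
    # An archive the gateway cannot inspect, plus the password delivered in
    # the same mail, is the combination the worm relies on.
    verdict = "quarantine" if encrypted_zip and (hint or inline_image) else "pass"
    return {"encrypted_zip": encrypted_zip, "password_hint": hint,
            "inline_image": inline_image, "verdict": verdict}


# ---- constructed samples (labelled as such; payloads are inert text) ----

def constructed_encrypted_zip(name: str) -> bytes:
    """Minimal ZIP local header with the encryption flag set; the 'payload' is a
    harmless placeholder string, not a program."""
    payload = b"placeholder, not a real program"
    hdr = b"PK\x03\x04" + struct.pack(
        "<HHHHHIIIHH",
        20, 0x0001, 0, 0, 0,            # version, flags (bit 0 = encrypted), method, time, date
        0, len(payload), len(payload),  # crc32 (not checked here), compressed/uncompressed size
        len(name), 0)                   # file name length, extra field length
    return hdr + name.encode() + payload


def constructed_plain_zip() -> bytes:
    """Ordinary, unencrypted archive for the benign control message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
    return buf.getvalue()


def constructed_worm_style_mail(name: str = "Nicholas") -> bytes:
    """Shape described in the advisory: a bare first name as subject, 'Password
    is' followed by an inline picture, and <name>.zip attached."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", name
    msg.set_content("To the beloved\nPassword is")
    msg.add_related(b"\x89PNG\r\n\x1a\nconstructed-bytes", maintype="image",
                    subtype="png", cid="<pw@example.com>")
    msg.add_attachment(constructed_encrypted_zip("inert.txt"),
                       maintype="application", subtype="zip",
                       filename=f"{name}.zip")
    return msg.as_bytes()


def constructed_benign_mail() -> bytes:
    """Control case: a normal message with an unencrypted Zip attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Q3 report"
    msg.set_content("Hi, the figures are attached.")
    msg.add_attachment(constructed_plain_zip(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(constructed_worm_style_mail()))  # verdict: quarantine
    print(analyse(constructed_benign_mail()))      # verdict: pass
```

The encryption flag is read straight from the ZIP local headers rather than through a ZIP library, so the check works on archives the gateway could not otherwise open; a policy that simply drops or holds every encrypted archive from an external sender is the blunter alternative the release's recommendation also covers.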
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.