20 Jun 2006

Bagle-KL email worm spreading via encrypted Zip file

118 different disguises for worm which tries to disable security software

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of a new version of the Bagle worm spreading via email systems.

The W32/Bagle-KL worm spreads as a Zip email attachment, encrypted with a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email.

The emails invite the user to open the Zip file using a password

The worm spreads via email using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes:

Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, Thomas

Attached to the email are Zip files, which are created using the chosen name. Examples include:

Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip.

Encrypted inside the attached Zip file is a copy of the worm.

The body of the email can contain phrases such as "I love you" or "To the beloved", with advice on the five digit password that should be used to open the Zip file:

Password is <image file>
or
Zip password: <image file>
or
Archive password is <image file>
or
Use password <image file> to open archive.

When run, the Bagle-KL worm attempts to disable various security applications and to download further malicious code from one of 99 different websites. Many of the websites it tries to download malicious code from are based in Poland, Russia or the Czech Republic.

"The Bagle-KL worm sends itself via email encrypted inside a Zip file in an attempt to avoid detection at the gateway. Users can only open the Zip file by typing in a password, which the worm has told them by embedding a graphic image inside the email," said Graham Cluley, senior technology consultant for Sophos. "The worm uses a randomly generated password for its email image and for the Zip file, in an attempt to evade email filters. Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept up-to-date."

Sophos recommends that companies protect their email systems with an automatically updated consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway.
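The evasion described in this release rests on two things a gateway can still see even when it cannot scan inside the archive: the Zip member headers carry an "encrypted" flag (general-purpose bit 0), and the body carries one of the password-hint phrases quoted above next to an inline image. The following is an added example of such a gateway-side check, written for this page; it is not Sophos code and not part of the original release. The sample message, the archive contents and the `build_sample_*` helpers are constructed here for the demonstration, the hint phrases are the ones listed in the release, and the function names and the quarantine rule are this example's own choices.

```python
"""Gateway-side check for the Bagle-KL lure pattern: an encrypted Zip
attachment plus a body that promises the password (the worm delivered the
digits as an image so that text-based filters could not read them)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Phrases quoted in the release; the digits / image that follow them are
# irrelevant, the hint phrase itself is the signal.
PASSWORD_HINT = re.compile(
    r"\b(?:zip\s+|archive\s+)?password\s*(?:is\b|:)|\buse\s+password\b", re.I)


def zip_has_encrypted_member(data: bytes) -> bool:
    """True if any member sets general-purpose bit 0 (traditional ZIP encryption).
    The central directory is readable without the password, so this works
    even though the content itself cannot be scanned."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        # An archive the scanner cannot parse is treated as suspicious too.
        return True


def assess_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and decide deliver / quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    encrypted_zips = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            payload = part.get_payload(decode=True) or b""
            if zip_has_encrypted_member(payload):
                encrypted_zips.append(name)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    password_hint = bool(PASSWORD_HINT.search(text))
    # An image that is not an attachment is inline, i.e. rendered in the body.
    inline_image = any(p.get_content_maintype() == "image" and not p.is_attachment()
                       for p in msg.walk())

    verdict = "quarantine" if encrypted_zips and (password_hint or inline_image) else "deliver"
    return {"verdict": verdict, "encrypted_zips": encrypted_zips,
            "password_hint": password_hint, "inline_image": inline_image}


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed test archive. Python cannot write encrypted Zips, so the
    encrypted variant is a plain archive with bit 0 set in the local header
    (flags at offset 6) and in the central directory entry (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Edmund.exe", b"MZ constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
        cd_offset = int.from_bytes(data[-6:-2], "little")  # from the 22-byte EOCD record
        data[cd_offset + 8] |= 0x01
    return bytes(data)


def build_sample_email(lure: bool) -> bytes:
    """Constructed message: the lure mimics the release's description, the
    benign variant is an ordinary unencrypted archive with no hint phrase."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    if lure:
        msg["Subject"] = "Edmund"
        msg.set_content("To the beloved\n\nPassword is shown in the picture below.\n")
        msg.add_attachment(b"\x89PNG\r\n\x1a\n constructed placeholder image",
                           maintype="image", subtype="png",
                           disposition="inline", cid="<password-image@example.test>")
    else:
        msg["Subject"] = "Minutes from Tuesday"
        msg.set_content("Hi, the minutes are attached as agreed.\n")
    msg.add_attachment(build_sample_zip(encrypted=lure),
                       maintype="application", subtype="zip", filename="Edmund.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        print(assess_message(build_sample_email(lure)))
```

Checking only the header flag is deliberate: it needs no password and no decompression, so it is cheap enough to run on every message, and the policy decision (quarantine, strip, or hold for the recipient to confirm) can be made before any content scanning is attempted.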

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.