Sophos


15 March 2004

Bagle worm uses graphic passwords in attempt to avoid detection, Sophos reports

Anti-virus experts at Sophos have advised customers that the latest variants of the Bagle worm (W32/Bagle-N and W32/Bagle-O) are using a sneaky trick in an attempt to waltz past anti-virus protection at the email gateway.

The worms can arrive in an email as an attached password-protected archive file (Zip or RAR). Earlier versions of the Bagle worm also sent themselves as password-protected Zips, but put the password in the text of the email so the user could open the attached file. Because some anti-virus products were 'plucking' the password from the text of the email and using it to decrypt the attached file, the worms' author now supplies the password as a graphic inside the message instead, where simple text matching cannot reach it.
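The gateway-side consequence is that a scanner should not depend on recovering the password at all: an archive it cannot open has to be handled as suspect in its own right. The following Python is an added illustration, not Sophos's code or anything from the worm; it builds a constructed message in the shape described (an image standing in for the password graphic plus an encrypted Zip), reads the ZIP encryption flag straight from the central directory, and applies an assumed policy of blocking every archive it cannot inspect.

```python
import io
import zipfile
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1          # bit 0 of the ZIP general-purpose flag word
RAR_MAGIC = b"Rar!\x1a\x07"

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so the
    encryption bit is set afterwards in the local header (6) and central dir (8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"harmless placeholder, not a worm")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED_FLAG
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(data)

def classify_attachment(data: bytes) -> str:
    """Identify archives by magic bytes, not filename, and read the encryption flag
    from the central directory without attempting any decryption."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            encrypted = any(i.flag_bits & ENCRYPTED_FLAG for i in zf.infolist())
    except zipfile.BadZipFile:
        return "malformed-zip"
    return "encrypted-zip" if encrypted else "zip"

def gateway_verdicts(msg: EmailMessage) -> dict:
    """Assumed policy (not Sophos's): block any archive the gateway cannot open, and
    never try to recover a password from the body, since it may sit in an image."""
    blocked = {"rar", "encrypted-zip", "malformed-zip"}
    return {part.get_filename() or "<unnamed>":
            "block" if classify_attachment(part.get_payload(decode=True)) in blocked else "scan"
            for part in msg.iter_attachments()}

def build_sample_message() -> EmailMessage:
    """Constructed message: image stand-in for the password graphic, encrypted and plain zip."""
    msg = EmailMessage()
    msg.set_content("The password is in the picture.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="pwd.png")
    msg.add_attachment(make_zip(True), maintype="application", subtype="zip", filename="doc.zip")
    msg.add_attachment(make_zip(False), maintype="application", subtype="zip", filename="ok.zip")
    return msg
```

Parts classified as "scan" are the ones a regular content scanner would then examine; the image is passed through here only because it is not an archive.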

[Image: A typical email created by the Bagle worm]

"The worm's author is sneakily trying to make it more difficult for anti-virus products to scan inside the password-protected Zip or RAR," said Graham Cluley, senior technology consultant for Sophos. "However, Sophos's email gateway products can still intercept and protect against these worms before they reach users' desktops."

Curiously, the author of the worms has hidden an ASCII text representation of a butterfly inside the viral code, alongside the words:

The White Rabbit Presents
The first and the single
Anti-NetSky AntiVirus

[Image: Hidden inside the Bagle-N and Bagle-O worm is a picture of a butterfly]
