3 March 2004
Have "The Management" sent you the Bagle-K worm? Sophos reports on latest viral disguise
Sophos researchers have revealed that a newly discovered version of the Bagle worm (W32/Bagle-K), which is spreading in the wild, masquerades as a seemingly legitimate email from your business's IT department.
Emails sent by the worm use a variety of different phrases in their subject line and message body to suggest to users that a problem has been found with their email account. Users are advised to open the attached file (whose name and extension can vary) for further information. In a crafty twist that gives the message more credibility, the email refers to the company's own domain name to suggest it has come from the business's internal IT department.
As an example, here is how the worm could appear if your company's domain name was XYZCORP.COM:
An example of the kind of email which can be sent by the Bagle-K worm
"By using a variety of disguises the Bagle-K worm attempts to lure unwary staff into double-clicking on the attachment," said Graham Cluley, senior technology consultant for Sophos. "This is a real headache for IT departments who often struggle to get their users to follow instructions. In this case, following the advice of the email would be a very bad idea."
Sophos recommends that companies automatically update their corporate virus protection and filter attachments which may contain malicious code at the email gateway. Sophos PureMessage is capable of quarantining password-encrypted ZIP files at the email gateway, as well as providing comprehensive protection against viruses and spam.
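As an added illustration of the gateway-side check described above (example code written for this page, not PureMessage or any other Sophos code), the following flags a message whose ZIP attachment contains password-protected entries, using the encryption bit in the ZIP headers rather than the attachment's file extension. The sample message and archive it builds are constructed here for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any member is password-protected (general-purpose flag bit 0).
    An archive the gateway cannot parse is treated as suspicious too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True


def quarantine_reasons(raw_message: bytes) -> list:
    """Return one reason per attachment the gateway should hold back."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Sniff the ZIP signature rather than trusting the file extension.
        if payload.startswith(b"PK\x03\x04") and zip_has_encrypted_entry(payload):
            name = part.get_filename() or "<unnamed>"
            reasons.append(f"password-protected ZIP: {name}")
    return reasons


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-file ZIP. zipfile cannot write encrypted archives, so
    the encryption bit is set by hand in the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info.txt", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1                              # local file header flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central directory flags
    return bytes(data)


def make_sample_message(zip_bytes: bytes) -> bytes:
    """Constructed message carrying a ZIP attachment, for exercising the check."""
    msg = EmailMessage()
    msg["Subject"] = "Notification about your e-mail account"  # constructed
    msg.set_content("See the attached file for details.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_bytes()
```

A real gateway would combine this with the other checks mentioned above; an encrypted ZIP on its own is a policy signal, not proof of malware.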