Sophos

1 March 2004

The world wakes up to a barrage of Bagles, Sophos reports on new worm variants

Virus researchers at Sophos have warned users to be on the lookout for five new variants of the Bagle worm which were seen spreading in the wild over the weekend. Sophos is advising users to ensure their anti-virus protection is up-to-date to protect against attacks via email.

Sophos has received many reports of the W32/Bagle-C, W32/Bagle-D, W32/Bagle-E, W32/Bagle-F and W32/Bagle-G worms, and users opening their email on Monday morning may be at risk from infection if not properly protected. The Bagle-C variant is considered particularly prevalent.

"The Bagle worms use a number of disguises to camouflage their intentions when they arrive in your email inbox," said Graham Cluley, senior technology consultant for Sophos. "But the advice remains the same for each: never open an unsolicited email attachment. With up to 800 new viruses being discovered every month, it's important for businesses to automate their virus protection against the latest malware menaces."

Sophos researchers have noted that W32/Bagle-F and W32/Bagle-G contain a cunning trick to try to avoid detection by email gateway anti-virus software and ISP virus scanning services. The worms can arrive as a password-protected ZIP file, meaning the virus scanning service cannot detect the virus contained inside. However, the password is contained in the body of the infected email, meaning the user can manually decrypt the ZIP file if he or she wishes.

"Some ISPs, web email accounts and anti-virus gateway products may be as useless as a chocolate teapot at detecting the worm inside the encrypted ZIP file," said Cluley. "However, Sophos PureMessage can quarantine encrypted ZIP files at the gateway. Sophos further advises companies to adopt a multi-layered approach to virus protection, and ensure anti-virus software on your desktops is updated to prevent users from running the viral code."

Sophos has issued an update allowing its email gateway products to protect against the Bagle worm inside password-encrypted ZIP files.
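A gateway does not need the password to tell that a ZIP attachment is encrypted, because each entry's header carries a general-purpose flag whose bit 0 marks encryption. The sketch below is an added example, not Sophos code or part of the original release; the function names, the quarantine policy for unparseable archives and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag, bit 0: entry is encrypted


def encrypted_entries(zip_bytes):
    """Names of entries whose central-directory flags mark them encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def gateway_verdict(raw_message):
    """Return ('quarantine', reasons) or ('deliver', [])."""
    reasons = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Sniff by content: file name and MIME type are chosen by the sender.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            names = encrypted_entries(payload)
        except zipfile.BadZipFile:
            # Assumed policy: an archive the scanner cannot read is held too.
            reasons.append("unparseable ZIP: %s" % part.get_filename())
            continue
        if names:
            reasons.append("encrypted ZIP %s: %s" % (part.get_filename(), names))
    return ("quarantine", reasons) if reasons else ("deliver", [])


def build_sample(encrypted):
    """Constructed message: harmless text entry, only the flag bit is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                             # local header flags
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("password: 12345")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="octet-stream", filename="doc.zip")
    return msg.as_bytes()
```

The check reads only archive metadata, so it flags the attachment for quarantine without attempting to recover the password from the message body.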

Sophos research has revealed that in the month of February an earlier variant of the Bagle worm was the fourth most commonly sighted virus.

"It wouldn't be a surprise to see the author of Bagle achieving another high position in the virus charts in March," continued Cluley.
