Sophos


20 June 2006

Bagle-KL email worm spreading via encrypted Zip file

118 different disguises for worm which tries to disable security software

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of a new version of the Bagle worm spreading via email systems.

The W32/Bagle-KL worm spreads as a Zip email attachment, encrypted with a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email.

The emails invite the user to open the Zip file using a password.

The worm spreads via email using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes:

Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, Thomas

Attached to the email is a Zip file named after the chosen name. Examples include:

Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip.

Encrypted inside the attached Zip file is a copy of the worm.

The body of the email can contain phrases such as "I love you" or "To the beloved", followed by a line telling the recipient the five-digit password needed to open the Zip file. The password itself appears only as an image, not as text:

Password is <image file>
or
Zip password: <image file>
or
Archive password is <image file>
or
Use password <image file> to open archive.

When run, the Bagle-KL worm attempts to disable various security applications and to download further malicious code from one of 99 different websites. Many of the websites it tries to download from are based in Poland, Russia or the Czech Republic.

"The Bagle-KL worm sends itself via email encrypted inside a Zip file in an attempt to avoid detection at the gateway. Users can only open the Zip file by typing in a password, which the worm has told them by embedding a graphic image inside the email," said Graham Cluley, senior technology consultant for Sophos. "The worm uses a randomly generated password for its email image and for the Zip file, in an attempt to evade email filters. Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept up-to-date."

Sophos recommends that companies protect their email systems with an automatically updated, consolidated solution that defends against viruses, spyware and spam, and apply an email policy that filters unsolicited executable code at the gateway.
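The gateway filtering recommended above does not actually need the password. Traditional Zip password protection (ZipCrypto, the scheme a 2006-era archive uses) encrypts only each entry's data; the filenames, sizes and the "encrypted" flag in the local headers and central directory remain in clear text, so a gateway can see that an encrypted archive carries an executable and refuse it without ever reading the password off the image. The following is an added example to illustrate that check; it is not Sophos code and not the worm's code. It builds its own sample archive in memory (the inner filename Judith.exe, the inert MZ-header payload, the password 27519 and the extension list are all constructed assumptions, since the page does not give them), triages it from metadata alone, and then shows that the encryption is real by opening the entry with the password the way a recipient would.

```python
"""Gateway triage of a password-protected Zip attachment (added example).

ZipCrypto protects only each entry's bytes; names, sizes and the encrypted
flag stay in clear text, so a gateway that cannot decrypt the archive can
still see that it carries an executable. build_zip() and _zipcrypto() only
exist to construct a realistic sample in memory.
"""
import io
import os
import struct
import zipfile
import zlib

# Assumed gateway policy list of executable extensions (not from the page).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _zipcrypto(data, password, check_byte):
    """Traditional PKWARE ZipCrypto encryption: 12-byte header + ciphertext."""
    k = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        # Raw (un-inverted) CRC32 step, as the ZIP appnote defines it.
        k[0] = zlib.crc32(bytes([c]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    for c in password:
        update(c)
    out = bytearray()
    # Header: 11 random bytes plus the CRC's top byte, which a decryptor
    # uses to reject a wrong password before touching the body.
    for c in os.urandom(11) + bytes([check_byte]) + data:
        t = (k[2] | 2) & 0xFFFF
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)  # keys advance on the plaintext byte
    return bytes(out)


def build_zip(entries, password=None):
    """Build a stored (uncompressed) Zip from {filename: bytes}. With a
    password each entry is ZipCrypto-encrypted and flag bit 0 is set, but
    the filenames and flags are written in clear text either way."""
    body, central = bytearray(), bytearray()
    for name, data in entries.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags, payload = 0, data
        if password is not None:
            flags, payload = 1, _zipcrypto(data, password, crc >> 24)
        offset = len(body)
        # version needed, flags, method, time, date (1980-01-01), crc, sizes
        hdr = struct.pack("<HHHHHIII", 20, flags, 0, 0, 0x21, crc, len(payload), len(data))
        nm = name.encode()
        body += b"PK\x03\x04" + hdr + struct.pack("<HH", len(nm), 0) + nm + payload
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + hdr
                    + struct.pack("<HHHHHII", len(nm), 0, 0, 0, 0, 0, offset) + nm)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def triage_zip(blob):
    """Read only the central directory; nothing is extracted or decrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [{"name": zi.filename,
                 "encrypted": bool(zi.flag_bits & 0x1),
                 "executable": os.path.splitext(zi.filename)[1].lower() in EXECUTABLE_EXTS}
                for zi in zf.infolist()]


def gateway_verdict(blob):
    """Policy decision from cleartext metadata alone: (action, reason)."""
    entries = triage_zip(blob)
    if any(e["encrypted"] and e["executable"] for e in entries):
        return ("block", "encrypted archive carries an executable")
    if any(e["executable"] for e in entries):
        return ("block", "archive carries an executable")
    if any(e["encrypted"] for e in entries):
        return ("quarantine", "encrypted archive cannot be content-scanned")
    return ("allow", "nothing of concern in archive metadata")


def open_with_password(blob, name, pwd):
    """What the recipient does after reading the password off the image.
    Returns the entry's bytes, or None when the password is wrong."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(name, pwd=pwd)
    except (RuntimeError, zipfile.BadZipFile):
        return None


# Constructed sample: an inert stand-in for the worm (MZ header plus padding)
# under an assumed inner filename, with a five-digit numeric password like
# the one the email shows as an image. None of this is taken from the worm.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62
SAMPLE_PASSWORD = b"27519"
SAMPLE_ZIP = build_zip({"Judith.exe": SAMPLE_PAYLOAD}, password=SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(triage_zip(SAMPLE_ZIP))
    print(gateway_verdict(SAMPLE_ZIP))
    print(open_with_password(SAMPLE_ZIP, "Judith.exe", SAMPLE_PASSWORD) == SAMPLE_PAYLOAD)
    print(open_with_password(SAMPLE_ZIP, "Judith.exe", b"00000"))
```

The verdict is driven entirely by `triage_zip`, which never calls `read()`; that is the point of the check. An archive whose central directory has been deliberately damaged, or one that uses a non-Zip container, falls outside this check and belongs with the "cannot be content-scanned" quarantine path rather than being allowed through.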

About Sophos

Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com
