Experts at SophosLabs™, Sophos's global network of virus and
spam analysis centres, have detected many samples of a new Trojan
horse being sent via email.
The Troj/BagleDl-L Trojan
horse appears to have been deliberately spammed out to email
addresses around the world. Most of the email samples seen so far
carry a ZIP attachment containing a program file named "doc_01.exe"
or "prs_03.exe", or some other innocuous
If the program inside the ZIP file is run, the Trojan horse
tries to connect to one of a number of websites in order to
download further malicious code. At the time of writing, none of
these websites appeared to contain anything malicious. Because the
payload is fetched at run time, however, what those sites serve can
change at any moment, so an empty download site at analysis time is
no guarantee that an infected machine stays clean.
Additionally, Troj/BagleDl-L tries to terminate various security
applications such as anti-virus and firewall software, to rename
files belonging to security applications (so they can no longer
load), and to block access to a range of security-related websites
by adding entries to the Windows HOSTS file so that those sites'
hostnames no longer resolve to their real addresses.
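The HOSTS-file tampering described above is easy to check for on a suspect machine. The following Python script is an added example, not code from Sophos or from this writeup: it parses a Windows HOSTS file and flags any entry for a security-vendor or update hostname, since those names have no business in HOSTS whether they are pointed at loopback, 0.0.0.0 or an attacker-chosen address. The watch list and the sample HOSTS content are constructed for the example and are not the domains Troj/BagleDl-L actually targets.

```python
import ipaddress

# Constructed watch list of security-vendor and update hostnames. This is an
# assumption for the example, not the list Troj/BagleDl-L actually targets.
WATCHED_DOMAINS = {
    "sophos.com",
    "update.symantec.com",
    "windowsupdate.microsoft.com",
    "kaspersky.com",
    "mcafee.com",
}

# Entries that belong in a clean HOSTS file and must not be flagged.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a HOSTS file.

    Comments (#...) and blank lines are skipped; a line whose first token is
    not an IP address is ignored rather than aborting the scan.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        for name in tokens[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_tampering(text, watched=WATCHED_DOMAINS):
    """Return the suspicious HOSTS entries: every mapping of a watched domain.

    The target address does not matter; loopback, 0.0.0.0 or a bogus host all
    have the same effect of making the real site unreachable.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in BENIGN:
            continue
        if is_watched(name, watched):
            findings.append({"line": lineno, "ip": ip, "host": name})
    return findings


# Constructed sample HOSTS file: the stock Windows header and localhost entry
# plus the kind of redirections a HOSTS-tampering Trojan adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com
0.0.0.0         update.symantec.com
127.0.0.1       windowsupdate.microsoft.com   # trailing comment is stripped
192.168.1.50    intranet.example   # unrelated local entry, not flagged
"""

if __name__ == "__main__":
    for f in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

On a live system read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the sample; the default Windows file contains only comments and the localhost mapping, so any hit from a watch list of this kind is worth a look.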
Despite the wide distribution of this malicious program, Sophos
has received very few reports of active infections. Also, because
this program is a Trojan, and not a virus, it cannot spread further
of its own accord.
Nevertheless, Sophos is advising customers to check that their
anti-virus is up-to-date.
"Any Trojan horse which turns off your anti-virus or firewall
can open you up to further attack, even by very old viruses," said
Cluley, senior technology consultant for Sophos. "My advice is keep your
anti-virus automatically updated and always be suspicious of
unsolicited email attachments."
Sophos also advises companies to adopt an
email gateway policy, such as blocking executable attachments at the
gateway, which can protect against new email threats even before
anti-virus updates are available.
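As an added example of what such a gateway policy looks like in code (this is not Sophos's product or any code from the original article), the Python below inspects a ZIP attachment and returns reasons to block it. It judges each archive member both by extension, which catches "doc_01.exe", and by its leading bytes, which catches a Windows executable renamed to look like a document; it descends into nested ZIPs and reports encrypted members it cannot inspect. The extension list and the sample archives are constructed for the example; the "executable" inside them is only an MZ header plus filler, not a real program.

```python
import io
import zipfile

# Extensions Windows will run directly. A constructed list for the example,
# not a policy taken from Sophos.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta",
}


def looks_like_pe(first_bytes):
    """Windows executables (EXE/DLL/SCR) start with the 'MZ' DOS header."""
    return first_bytes[:2] == b"MZ"


def inspect_zip_attachment(data, depth=0, max_depth=2):
    """Return the reasons to block a ZIP attachment, or [] if none were found.

    Each member is checked by extension and by content, so a renamed
    executable is still caught. Nested ZIPs are opened up to max_depth.
    Encrypted members cannot be read, so they are reported rather than
    silently passed.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if info.flag_bits & 0x1:
                reasons.append(f"{name}: encrypted member cannot be inspected")
                continue
            if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                reasons.append(f"{name}: executable file extension")
            with zf.open(info) as member:
                head = member.read(4)
            if looks_like_pe(head):
                reasons.append(f"{name}: Windows executable header (MZ)")
            if lower.endswith(".zip") and depth < max_depth:
                with zf.open(info) as member:
                    inner = member.read()
                nested = inspect_zip_attachment(inner, depth + 1, max_depth)
                reasons.extend(f"{name}/{r}" for r in nested)
    return reasons


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_PE is an MZ header plus filler, not a real program.
FAKE_PE = b"MZ" + b"\x90" * 62
MALICIOUS_ZIP = build_zip({"doc_01.exe": FAKE_PE})
DISGUISED_ZIP = build_zip({"prs_03.doc": FAKE_PE})
NESTED_ZIP = build_zip({"inner.zip": MALICIOUS_ZIP})
CLEAN_ZIP = build_zip({"notes.txt": b"meeting at 10"})

if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_ZIP), ("disguised", DISGUISED_ZIP),
                        ("nested", NESTED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, inspect_zip_attachment(blob) or "allowed")
```

A gateway built on this would quarantine any message for which the list is non-empty. Encrypted archives are the standard way to get past exactly this kind of check, which is why the code reports them rather than treating an unreadable member as harmless.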
"This Trojan horse is aiming to take advantage of many people's
reflex reaction when they receive an executable file via email:
rather than not touching it with a bargepole, they often can't
resist double-clicking on it, even though they have no idea if it's
safe or not," continued Cluley. "It's time more companies woke up
to the benefits of stopping executable code from entering their
organisation via email. Users who want to install software on their
computer should be receiving it from their IT department, not from
friends at other companies or potentially dangerous spam
Sophos recommends that businesses ensure their computers are
kept automatically up-to-date with the very latest anti-virus software. Sophos anti-virus
products have been capable of detecting the Troj/BagleDl-L Trojan
horse since 05:40 GMT on 1 March 2005.