Last updated 16 December 2005 with information
regarding Troj/BagleDl-AO and W32/Bagle-AX
Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned
users about two new variants of the Bagle Trojan horse which have
been spammed out to internet users. Sophos is advising users to
ensure their anti-virus protection is up-to-date to protect against
attacks.
Sophos has received reports of the Troj/BagleDl-AN and
Troj/BagleDl-AO Trojan
horses being spammed out in emails as a ZIP file attachment
containing a malicious file called S3700020.EXE. Some
emails have been seen containing the message body "New Year's
Day", which correlates with the functionality of the W32/Bagle-AX worm,
discovered in the last 24 hours.
Users opening their email may be at risk of infection if not
properly protected. Once either Trojan has infected a computer, it
attempts to download further malicious code from the internet.
"Whoever is behind the Bagle Trojan horses is deliberately
distributing them widely via email in an attempt to infect as many
computers as possible. It's possible they may issue further
variants in the coming hours to try and slip past anti-virus
defenses," said Graham
Cluley, senior technology consultant for Sophos. "Computer
users should learn never to open unsolicited email attachments.
With over 1900 new viruses, Trojans and spyware programs discovered
in the last month alone, it's essential for businesses to automate
their virus protection against the latest malware menaces, and
ensure they have a policy in place at their email gateway to
control what arrives in their users' inboxes."
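The gateway control described above comes down to a concrete check: refuse attachments that carry Windows executables, including those hidden inside a ZIP, as in the S3700020.EXE case. The following is an added illustration written for this page, not Sophos code and not part of any Sophos product; the sample message, the attachment name card.zip and the extension list are the editor's own constructions, and the placeholder bytes stand in for the real file.

```python
"""Gateway-side check for executable content inside email attachments.

Added illustration, not Sophos code. The sample message below is
constructed inline; the member name S3700020.EXE comes from the advisory,
but its contents here are a harmless placeholder.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly on double-click.
# This list is the editor's choice for the example, not a Sophos list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta"}

MAX_DEPTH = 3  # how many layers of nested ZIPs to look inside


def is_executable_name(name: str) -> bool:
    """True if the final extension is one Windows treats as executable.

    Checking only the final extension also catches double extensions
    such as 'photo.jpg.exe'.
    """
    lower = name.lower().rstrip()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)


def executables_in_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return paths of executable members, recursing into nested ZIPs."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a ZIP (or corrupt); nothing to report here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if is_executable_name(info.filename):
                found.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                found.extend(executables_in_zip(zf.read(info), depth + 1, path + "/"))
    return found


def scan_message(raw: bytes) -> list:
    """Return (attachment_name, member_path) pairs the gateway should block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            hits.append((name, name))
        # Look inside anything named .zip or carrying the ZIP magic 'PK',
        # so a renamed archive does not slip past the name check.
        elif name.lower().endswith(".zip") or payload[:2] == b"PK":
            for member in executables_in_zip(payload):
                hits.append((name, member))
    return hits


def build_sample_message() -> bytes:
    """Constructed message in the shape the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("S3700020.EXE", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Happy New Year"
    msg.set_content("New Year's Day")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member in scan_message(build_sample_message()):
        print(f"BLOCK: attachment {att!r} contains executable {member!r}")
```

The check is deliberately content-based as well as name-based: a ZIP that has been renamed still starts with the `PK` signature, and an executable renamed to `photo.jpg.exe` still ends in `.exe`. It does not attempt to detect password-protected archives or executables renamed to a non-executable extension; those need a separate policy decision at the gateway.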
The latest Bagle Trojan horses open a graphics
file when first run.
"These latest Bagle Trojans open a graphic file viewer to act
as a decoy for the innocent user who will suspect nothing untoward
is happening. The Trojan horses' author is exploiting networks of
compromised computers - known as zombies, or botnets - to spread
malicious code," continued Cluley. "It's vital that all computer
users ensure they have appropriate defenses in place to prevent
their PC from being taken over and abused by hackers in this
way."
Trojans downloading other malware from the internet
It is becoming increasingly common for Trojan horses to include
the functionality to download further malicious code from the
internet. The Sophos
Security Threat Management Report 2005 reveals that over 40% of
all new malware is programmed to download code from the web, which
can steal information, log keystrokes, disable security software or
give remote hackers access to the infected computer. One reason
hackers use this technique is that it is relatively trivial for them
to change the malware served at the download location, rather than
having to reinfect all of the compromised computers.
Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam
threats and secure their desktops and servers with automatically
updated anti-virus protection.