New Bagle Trojan horses distributed via spam email

Sophos Press Release

BagleDl-AN and Bagle-Dl-AO Trojan horses download further code from the internet

Last updated 16 December 2005 with information regarding Troj/BagleDl-AO and W32/Bagle-AX

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned users about two new variants of the Bagle Trojan horse which have been spammed out to internet users. Sophos is advising users to ensure their anti-virus protection is up-to-date to protect against attacks.

Sophos has received reports of the Troj/BagleDl-AN and Troj/BagleDl-AO Trojan horses being spammed out in emails as a ZIP file attachment containing a malicious file called S3700020.EXE. Some emails have been seen containing the message body "New Year's Day", which correlates with the functionality of the W32/Bagle-AX worm, discovered in the last 24 hours.

Users opening their email may be at risk from infection if not properly protected. Once either of the Trojans have infected a computer, they attempt to download further malicious code from the internet.

"Whoever is behind the Bagle Trojan horses is deliberately distributing them widely via email in an attempt to infect as many computers as possible. It's possible they may issue further variants in the coming hours to try and slip past anti-virus defenses," said Graham Cluley, senior technology consultant for Sophos. "Computer users should learn never to open unsolicited email attachments. With over 1900 new viruses, Trojans and spyware programs discovered in the last month alone its essential for businesses to automate their virus protection against the latest malware menaces, and ensure they have a policy in place at their email gateway to control what arrives in their users' inboxes."

The latest Bagle Trojan horses open a graphics file when first run

The latest Bagle Trojan horses open a graphics file when first run.

"These latest Bagle Trojans opens a graphic file viewer to act as a decoy for the innocent user who will suspect nothing untoward is happening. The Trojan horses' author is exploiting networks of compromised computers - known as zombies, or botnets - to spread malicious code," continued Cluley. "It's vital that all computer users ensure they have appropriate defenses in place to prevent their PC from being taken over and abused by hackers in this way."

Trojans downloading other malware from the internet

It is becoming increasingly common for Trojan horses to include the functionality to download further malicious code from the internet. The Sophos Security Threat Management Report 2005 reveals that over 40% of all new malware is programmed to download code from the web, which can steal information, log keystrokes, disable security software or give remote hackers access to the infected computer. One of the reasons why hackers use this technique is that it is relatively trivial for them to alter the new malware which is downloaded, rather than have to reinfect all of the infected computers.

Download "Sophos Security Threat Management Report 2005"

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at