Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of a new version of the Bagle worm spreading via email systems.
The W32/Bagle-KL worm spreads as a Zip email attachment, encrypted with a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email.
The emails invite the user to open the Zip file using a password.
The worm spreads via email using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes:
Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, Thomas
Attached to the email are Zip files, which are created using the chosen name. Examples include:
Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip.
Encrypted inside the attached Zip file is a copy of the worm.
The body of the email can contain phrases such as "I love you" or "To the beloved", with advice on the five digit password that should be used to open the Zip file:
Password is <image file>
Zip password: <image file>
Archive password is <image file>
Use password <image file> to open archive.
When run, the Bagle-KL worm attempts to disable various different security applications and download further malicious code from one of 99 different websites. Many of the websites it tries to download malicious code from are based in Poland, Russia or the Czech Republic.
"The Bagle-KL worm sends itself via email encrypted inside a Zip file in an attempt to avoid detection at the gateway. Users can only open the Zip file by typing in a password, which the worm has told them by embedding a graphic image inside the email," said Graham Cluley, senior technology consultant for Sophos. "The worm uses a randomly generated password for its email image and for the Zip file, in an attempt to evade email filters. Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept up-to-date."
Sophos recommends that companies protect their email computers with an automatically updated consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.