A New Bagle For Your Cyberbreakfast

A new version of the notorious Bagle e-mail worm surfaced and began spreading fast on the morning of August 9. According to several antivirus and security companies, the variant is apparently able to mimic Internet Explorer almost completely. And this one has a twist: new features said to be able to trick antivirus programs and filtering products.

That’s the assessment from eTrust Security Management, whose vice president, Sam Curry, told reporters the new Bagle goes by several names and is quite similar to the earlier Bagle variants, several of which have popped up at various times earlier this year.

Some reports indicate the ongoing worm epidemic is the product of a kind of war between rival virus-writing gangs. Meanwhile, security and antivirus companies are scrambling to release updated virus definitions or signatures to spot the new Bagle variant, called Bagle.AQ by both Swedish security firm F-Secure and McAfee in the U.S.

Computer Associates International, the parent of eTrust, said it detected the new Bagle – calling it Bagle.AG – at about 9 a.m. EDT August 9, while F-Secure believes the worm was seeded through e-mail distribution similar to spam campaigns.

The new Bagle variant is said to inject a file known as a dynamic link library, or DLL, into Windows, letting the worm disguise itself as Internet Explorer so that its activity looks like the IE browser’s own. According to Computer Associates spokesman Sam Curry, that lets the new Bagle fool firewall programs on machines it infects, letting the worm download malicious files “with impunity.”

The new Bagle can also alter the names of files it requests while traveling, Curry said: it renames .exe files as .jpg image files, for example, which filtering programs do allow through. Once those files are downloaded to an infected system, the new Bagle renames them back to .exe and runs them.
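The renaming trick described above works only against a filter that trusts the file extension. The defensive counterpart is to compare the extension an attachment claims with the format its leading bytes actually declare, and to treat a Windows executable header under an image extension as a block. The following is an added example written for this article, not code from the article, from Computer Associates or from F-Secure; the sample attachments, their names and their byte contents are constructed for illustration.

```python
"""Flag e-mail attachments whose extension claims one type but whose bytes say another."""
from typing import Optional

# Well-known leading byte sequences ("magic bytes") for a few formats.
# The table is constructed for this example; the byte values are the
# standard signatures of the formats named.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),  # DOS/PE header that Windows executables start with
}

# Extensions a naive filter tends to wave through as "just an image",
# normalised so that .jpeg and .jpg compare equal.
IMAGE_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
# Extensions that should be blocked regardless of content.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def claimed_type(filename: str) -> str:
    """Return the type the file name claims (last extension, lower-cased, normalised)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return IMAGE_EXTENSIONS.get(ext, ext)


def check_attachment(filename: str, data: bytes) -> dict:
    """Decide what to do with one attachment based on name and content together."""
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    if actual == "exe":
        # Content is a Windows executable no matter what the name says.
        if claimed in IMAGE_EXTENSIONS.values():
            verdict = "block: executable disguised as image"
        else:
            verdict = "block: executable"
    elif claimed in EXECUTABLE_EXTENSIONS:
        verdict = "block: executable extension"
    elif actual is None:
        verdict = "quarantine: unrecognised content"
    elif actual != claimed:
        verdict = f"quarantine: extension {claimed!r} does not match content {actual!r}"
    elif actual == "zip":
        # Archives pass the name/content check but still need their members scanned.
        verdict = "inspect: archive, scan contents"
    else:
        verdict = "allow"
    return {"name": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed sample attachments: a few header bytes plus filler, not real files.
SAMPLE_ATTACHMENTS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,          # executable renamed to .jpg
    "update.exe": b"MZ\x90\x00" + b"\x00" * 16,         # plain executable
    "invoice.zip": b"PK\x03\x04" + b"\x00" * 16,        # archive
    "notes.jpg": b"\x00\x01\x02",                       # bytes of no known format
}


def scan_all(attachments: dict = SAMPLE_ATTACHMENTS) -> dict:
    """Map each attachment name to its verdict."""
    return {name: check_attachment(name, data)["verdict"] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:14} {verdict}")
```

The check is deliberately two-sided: a dangerous extension is blocked even when the bytes are unrecognised, and a dangerous header is blocked even when the extension is harmless, so a rename in either direction is caught. Real filters go further (looking inside archives, checking for double extensions such as name.jpg.exe, sniffing more than the first few bytes), but the core rule is the same one the renamed .jpg files above were counting on being absent.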

Curry told reporters the new Bagle spreads in part by exploiting (surprise) a Windows vulnerability in the feature for opening and viewing .zip compressed file archives, letting the worm install if users merely view a .zip e-mail attachment containing the worm in Windows Explorer or IE.