Bagle variants served up with spam
Trojan version goes into 'stealth mode'
Spamming tactics are being used to distribute multiple versions of a new Trojan. The malware is similar to the Bagle email worm except for the absence of email spreading functionality.
Most of the samples seen so far include a ZIP attachment which, when opened, includes a program file named "doc_01.exe" or "prs_03.exe", or some other innocuous sounding name. If the malware inside this ZIP file is opened, the Trojan may attempt to download more malicious code from a pre-programmed list of websites. Typically, Bagle Trojan variants also attempt to disable anti-virus and personal firewall software. Anti-virus firm Sophos reports the detection of four distinct variants of the Bagle Trojan.
The spamming tactics are a repeat of a ploy used in spreading a batch of Bagle variants in September 2004. This time around the bulk mailing is more aggressive.
More than 75,000 emails containing variants of the Bagle were blocked by email security company BlackSpider Technologies on Tuesday (1 March). Anti-virus firms are working on releasing updated signature files to detect the malware. Meanwhile, analysis work continues. Sophos advises firms to block executable files in email at corporate gateways. ®