Latest Bagle Worm Attacks with Trojan Horse

By Ryan Naraine  |  Posted 2005-03-01

The latest batch of Bagle mutants uses mass-mailing techniques to distribute a dangerous Trojan horse, anti-virus experts warn.

Anti-virus vendors are raising the alarm over another batch of Bagle worm mutants crawling through e-mail networks.

The latest variants have been equipped with Trojan horse downloaders and new propagation techniques that have led to wide distribution, according to a warning from Lynnfield, Mass.-based Sophos Inc.

Anti-virus research company F-Secure Inc. has so far counted two different Bagle variants attempting to distribute four downloaders via e-mail.

Mikko Hyponnen, director of anti-virus research at F-Secure, noticed the new variants also using a client/server architecture to spread further.
Normally, Bagle variants search local hard drives of infected machines to harvest e-mail addresses, but Hyponnen said the new variants connect to a Web back-end server capable of generating unique e-mail addresses.

"The virus will then send a copy of itself to these addresses and loop over," Hyponnen said. According to F-Secure's virus definition, the worm has a backdoor that listens on port 80 and can be used to connect to the computer and execute arbitrary programs.

According to an alert from Sophos, the new variants also attempt to stop various security applications such as anti-virus and firewall software. "[They try] to rename files belonging to security applications (so they can no longer load), and to block access to a range of security-related websites by changing the Windows HOSTS file," the company warned.
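A defender-side check for the HOSTS-file tampering Sophos describes above, added here as an example (it is not code from the article or from any of the vendors named): it parses a HOSTS file and reports every entry that pins a security vendor's hostname to an address, because there is no legitimate reason for such a pin and DNS should resolve those names. The vendor domain list and the sample HOSTS content are assumptions constructed for this example.

```python
"""Flag HOSTS entries that hijack security vendor hostnames (added example)."""
import re

# Hostname suffixes to watch. The vendors are those named in the article;
# the exact domain strings are assumptions made for this example.
WATCHED_SUFFIXES = (
    "sophos.com", "f-secure.com", "symantec.com",
    "mcafee.com", "trendmicro.com", "windowsupdate.com",
)

# One HOSTS line: an address, whitespace, then one or more hostnames.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():           # several names may share one address
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked(text):
    """Return [(ip, hostname)] for watched names pinned anywhere in HOSTS.

    Any address counts, not just 127.0.0.1: pointing a vendor name at a
    bogus or attacker-chosen address blocks updates just as effectively.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


# Constructed sample resembling a Windows HOSTS file after a worm edited it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com   # injected
127.0.0.1       www.f-secure.com
0.0.0.0         liveupdate.symantec.com
192.168.1.10    intranet.example.corp
"""

if __name__ == "__main__":
    for ip, host in find_hijacked(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {host} -> {ip}")
```

On a live Windows system the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; a clean machine should produce no hits for these suffixes.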

"Any Trojan horse which turns off your anti-virus or firewall can open you up to further attack, even by very old viruses," said Graham Cluley, senior technology consultant for Sophos. "My advice is keep your anti-virus automatically updated and always be suspicious of unsolicited email attachments."

Trend Micro Inc. rates the new Bagle threat as "medium risk" and warned of a vicious worm-Trojan propagation cycle that uses mass-mailing techniques to distribute copies of the Trojan.

  • Sophos offers clean-up help for removing Trojans.
  • Symantec virus removal tools.
  • McAfee's Stinger is a stand-alone utility used to detect and remove specific viruses. It is not meant to be a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system.
  • Microsoft offers a Microsoft Windows Malicious Software Removal Tool that checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software.
