Fresh Batch of Bagles Seeding Botnets

A new offshoot of the Bagle/Mitglieder worm makes a weekend spam run, but distribution remains low.

Virus researchers are raising the alarm over a new offshoot of the Bagle worm that is attempting to hijack computers for use in botnets.

The latest attack was launched in a weekend spam run that attempted to trick Windows users into downloading an executable identified as Bagle.BQ or Mitglieder.CN.

According to an advisory from F-Secure Corp., the latest deluge closely resembles the recent three-pronged attack that used three different Trojans to take control of vulnerable computers and create botnets-for-hire.

Mitglieder.CN includes a main dropper and a DLL file that injects itself into Explorer.exe processes. Once executed, the dropper/injector creates two start-up keys and one status key for its file in Windows Registry.

To disguise itself during the first run, F-Secure said, Mitglieder will open an empty MSPaint program.

Like previous mutants, the Trojan has the ability to disable anti-virus and security software and open a back door for communication with a remote attacker.

Sam Curry, vice president of eTrust security management at Computer Associates International Inc., confirmed the new Bagles/Mitglieder sighting but said distribution remained low.

"Compared to the last attack, which was very sophisticated and coordinated, this one seemed to be a false start. It never really took off," Curry said in an interview with Ziff Davis Internet News.

He said the difference in attack methods indicated it was not the work of the group responsible for the triple-barreled attack earlier this month.

/zimages/3/28571.gifRead more here about the recent triple-Trojan attack.

"The MO here was a little different. This was not a massive spam run. The virus writers share code a lot, so this could be a copycat or someone doing a practice run. But, from what weve seen, this is a different group," Curry said.

/zimages/3/28571.gifBotnet hunters search for "command and control" servers. Click here to read more.

F-Secure, Computer Associates, Symantec Corp. and others have updated virus definitions to detect the latest variants.

Protection and Disinfection

With the rapid proliferation of new types of virus, Trojan and worm attacks, PC users are urged to be strict about following security guidelines.

This includes never opening and executing file attachments from unknown sources. Even if the source of the attachment is known, a good rule of thumb is to double-check with the sender to make sure it is a legitimate file.

Microsoft Corp. offers detailed information on how to protect against viruses. Advice includes applying security patches in a timely manner and using an Internet firewall. For computers running Windows XP SP2 (Service Pack 2), Microsoft suggests turning on automatic updates and using the Windows Firewall that is enabled by default.

It is also important to subscribe to industry standard anti-virus software and to keep updates current.

Microsoft offers free clean-up tools, including a malicious software removal tool and an anti-spyware application.

Symantec Corp. also provides a free removal tool for the Bagle virus and its variants.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.