RealTime IT News

Beware, Bagle is Back

Several anti-virus security sites have issued warnings that a variant of the infamous Bagle worm has shown up on the Internet, spreading via e-mails. SophosLabs is warning that the apparent creator of Bagle is "intent on infecting as many people as possible."

"All computer users should avoid opening unsolicited e-mail attachments and ensure that their anti-virus protection is up to date," said Carole Theriault, senior security consultant at Sophos, in a statement. "Businesses should also consider blocking all executable code from entering their networks via e-mail -- most companies have no need to receive computer programs via this route, and it dramatically reduces the risk of infection."

All of the different versions of the Trojan horse attempt to turn off anti-virus and security software, and block access to security websites, in an attempt to allow hackers to gain access to infected computers. Anti-virus and security firm Microworld Technologies said the new Bagle worm is unable to propagate on its own, and the infected messages have been mass mailed using spamming technologies.

The original Bagle worm first appeared in January 2004. An e-mail attachment, a so-called Trojan horse, attempts to download Bagle from a list of Web sites. In the latest variant, SophosLabs said the subject line is blank, the body message text is "new price," and the malicious file attached can be identified with names such as "09_price.zip," "price_new.zip," and "price2.zip."

The worm has a list of URLs that it checks regularly to see if certain files have been placed on these Web sites. If a file has been uploaded to any one of these Web sites, the worm downloads it to the user's machine. It can then either update itself or install and run other malicious programs on the user's machine, Microworld said.

After the original Bagle attacks via e-mail, the source code for the Bagle worm was released on the Internet in July 2004, sparking a wave of Bagle clones, which makes it one of the most persistent worms to date. The worm's cousin, MyDoom, became one of the most destructive viruses after following a similar path among virus writers who used the source code.

Symantec To Acquire WholeSecurity

In related security news, Symantec today announced that it has signed a definitive agreement to acquire WholeSecurity, a provider of behavior-based security and anti-phishing technology. WholeSecurity's technology analyzes the characteristics and actions of viruses, worms and other malicious code to offer real-time protection against these threats without the need for traditional security signatures, the company claims. The transaction is expected to close in October.

"WholeSecurity provides industry-leading protection from phishing attacks, one of the fastest growing threats to online transactions, such as banking, e-commerce and auctions," said Enrique Salem, a senior vice president at Symantec Security Products and Solutions, in a statement. "In addition, WholeSecurity's family of solutions provides critical behavior-based security technology that we expect to be a core component of Symantec's baseline consumer security and enterprise desktop solutions."