Beware, Bagle is Back

Several anti-virus security sites have issued warnings that a variant of
the infamous Bagle worm has shown up on the Internet, spreading via e-mails.
SophosLabs is warning that the apparent creator of Bagle is “intent on
infecting as many people as possible.”

“All computer users should avoid opening unsolicited e-mail attachments
and ensure that their anti-virus protection is up to date,” said Carole
Theriault, senior security consultant at Sophos, in a statement. “Businesses
should also consider blocking all executable code from entering their
networks via e-mail — most companies have no need to receive computer
programs via this route, and it dramatically reduces the risk of infection.”

All of the different versions of the Trojan horse try to turn off
anti-virus and security software and to block access to security websites,
in an attempt to allow hackers to gain access to infected computers.
Anti-virus and security firm Microworld Technologies said the new Bagle worm
is unable to propagate on its own, and the infected messages have been mass
mailed using spamming technologies.

The original Bagle worm first appeared in January 2004. An e-mail attachment, a so-called Trojan horse, attempts
to download Bagle from a list of Web sites. In the latest
variant, SophosLabs said the subject line is blank, the body message text is
“new price,” and the malicious file attached can be identified with names
such as “09_price.zip,” “price_new.zip,” and “price2.zip.”
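
As an added example (not code from Sophos, Microworld or this article), a mail-gateway check that combines the indicators reported above with Theriault's advice to keep executable code out of inbound e-mail. The function names, the extension list and the sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators reported on this page for the latest variant.
BAGLE_NAMES = {"09_price.zip", "price_new.zip", "price2.zip"}
BAGLE_BODY = "new price"
# Assumed list of executable extensions to block; extend per local policy.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd")

def zip_has_executable(data):
    """True if the archive lists an executable member, or cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # fail closed: an unreadable archive is not delivered

def inspect(raw):
    """Return the list of reasons to quarantine a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body else ""
    blank_subject = not (msg["Subject"] or "").strip()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in BAGLE_NAMES and blank_subject and text == BAGLE_BODY:
            reasons.append("bagle-lure:" + name)
        if name.endswith(EXEC_EXTS):
            reasons.append("executable:" + name)
        elif name.endswith(".zip") and zip_has_executable(data):
            reasons.append("executable-in-zip:" + name)
    return reasons

def build_sample(subject, body, filename, member):
    """Constructed test message: a zip holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not malware")
    msg = EmailMessage()
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()
```

The file-name match alone is brittle, since the names change between variants; the executable-content rule is the part that keeps working when they do.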

The worm has a list of URLs that it checks regularly to see if certain
files have been placed on these Web sites. If the file has been uploaded to
any one of these Web sites, it will upload itself to the user’s machine. Then, it can either update itself or install and run other malicious
programs on the user’s machine, Microworld said.

After the original Bagle attacks via e-mail, the source code for the Bagle
worm was released on the Internet in July 2004, sparking a wave of Bagle
clones, which makes it one of the most persistent worms to date. The worm’s
cousin, MyDoom, became one of the most destructive viruses, after following
a similar path among virus-writers that used the source code.

Symantec To Acquire WholeSecurity

In related security news, Symantec today announced
that it has signed a definitive agreement to acquire WholeSecurity, a provider of behavior-based security and anti-phishing technology.
WholeSecurity’s technology analyzes the characteristics and actions of
viruses, worms and other malicious code to offer real-time protection
against these threats without the need for traditional security signatures, the company claims. The transaction is expected to close in
October.

“WholeSecurity provides industry-leading protection from phishing
attacks, one of the fastest growing threats to online transactions, such as
banking, e-commerce and auctions,” said Enrique Salem, a senior vice
president at Symantec Security Products and Solutions, in a statement.
“In addition, WholeSecurity’s family of solutions provides critical
behavior-based security technology that we expect to be a core component of
Symantec’s baseline consumer security and enterprise desktop solutions.”
