New Bagle variants combine spam, Trojans

IDG News Service - Antivirus software companies are warning their customers about the appearance of at least one new version of the Bagle worm that doesn't try to spread but instead installs malicious remote monitoring software on systems it infects.
The new Bagle variant, Bagle.BB, is spreading in massive spam e-mail campaigns, but it breaks with computer worm orthodoxy. Unlike earlier forms of Bagle, the new variant sends out e-mails with Trojan horse programs attached to them, as opposed to copies of the virus file. The new attack could be the first of more to come, as malicious hackers turn to spam and stealthy Trojan programs to evade detection, according to one antivirus expert.
The new Bagle variant appeared early today in a massive spam e-mail campaign that dropped copies of the new Trojan horse programs in mailboxes worldwide, according to Andrew Lee, chief technology officer at Eset LLC, a San Diego-based antivirus company.
At one point, Eset received up to 3,500 Bagle e-mails an hour containing the new Trojan horse programs. The spam is being sent from huge networks of virus-infected zombie computers, and the volume of mail has waxed and waned throughout the day as different spam campaigns begin and end, Lee said.
The Trojan targets computers running Microsoft Corp.'s Windows operating system and hides in file within a Zip file archive. The Trojan horse program is an executable program file that uses innocuous names such as "doc_01.exe," or "prs_03.exe," according to an alert from antivirus company Sophos PLC, which labeled the new threat Troj/BagleDl-L.
The e-mail messages, which try to trick users into opening the file attachment and install the Trojan program, have subject lines such as "New Price List," Lee said.
When opened, the Trojan program is installed on the local computer and tries to connect to one of a long list of Web sites to download another malicious program, which is believed to be a spam mass-mailing program, Lee said.
The Trojan programs also modify a Windows configuration file to try to block access to Web sites operated by antivirus and computer security companies, antivirus companies said.
Eset detected 15 unique Trojan horse programs associated with the new Bagle versions today.
F-Secure Corp. detected four new Trojans and two different variants of the Bagle worm today, according to a posting on the Helsinki, Finland-based security vendor's Web site.
Sophos said that it knew of "very few" infections so far but said customers should be aware of the attack and keep their antivirus software updated.
However, the sheer number ofnew Trojan horse programs being distributed, with new variants appearing minutes apart from one another, will challenge antivirus vendors to come up with new antivirus signatures in time to stop infections, Lee said.
The switch from self-reproducing viruses to spam campaigns that drop Trojan horse programs may be a sign that online criminal groups are changing tactics to avoid detection by antivirus software and other technology, Lee said. "I wouldn't be surprised if we see more of this," he said.