Three more Bagle variants on the loose

Latest mutations disable antivirus and security tools

Steve Ranger, vnunet.com 01 Mar 2005

Three newly discovered variants of the Bagle virus are running wild on the internet, security experts warned today.

IT security company F-Secure said that Bagle BB, BD and BE are spreading fast. The firm's senior security consultant Patrik Runald added that there is a "strong possibility" that the same person is behind all three.

Bagle BB was spammed out in email overnight to as many as 100,000 people. F-Secure has issued a 'level two' alert about Bagle BB, which is a Trojan downloader.

This variant does not send emails from infected machines, but drops files like 'winshost.exe' and 'wiwshost.exe' and attempts to disable a range of antivirus and security tools.

"Any Trojan which turns off your antivirus or firewall can open you up to further attack, even by very old viruses," said Graham Cluley, senior technology consultant at Sophos.

"My advice is keep your antivirus automatically updated and always be suspicious of unsolicited email attachments."

Bagle BB also overwrites the host file with entries to prevent access to a number of antivirus websites, and tries to download an executable named 'zo2.jpg' from dozens of different download sites.

"As usual, most of these download sites do not contain such a file now, but at a later date they will contain different spam proxies or backdoors," warned F-Secure.

The Bagle BD variant works in a similar way, while the BE variant spreads in a more traditional way by email, said Runald.

But rather than harvesting email addresses from the infected machine to spread further, this variant accesses a web server on the internet. Bagle BD also tries to install a backdoor into infected machines.

See also: