Anti-virus software companies have warned about a new version of the Bagle worm that doesn't try to spread, but installs malicious remote monitoring software on systems it infects.
The new Bagle variant, Bagle.BB, is spreading in massive spam e-mail campaigns, but breaks with computer worm orthodoxy. Unlike earlier forms of Bagle, the new variant sends out e-mails with so-called "Trojan horse" programs attached to them, as opposed to copies of the virus file. The new attack could be the first of more to come, as malicious hackers turn to spam and stealthy Trojan programs to evade detection, according to one anti-virus expert.
The new Bagle variant appeared early Tuesday in a massive spam e-mail campaign that dropped copies of the new Trojan horse programs in mailboxes worldwide, according to Andrew Lee, chief technology officer of anti-virus company Eset.
At one point, Eset received up to 3,500 Bagle e-mails an hour containing the new Trojan horse programs. The spam is being sent from huge networks of virus-infected "zombie" computers, and the volume of mail has waxed and waned throughout the day as different spam campaigns begin and end, Lee said.
The Trojan targets computers running Windows and hides in file within a ZIP file archive. The Trojan horse program is an executable program file that uses innocuous names such as "doc_01.exe," or "prs_03.exe," according to an alert from anti-virus company Sophoss, which labelled the new threat Troj/BagleDl-L.
The e-mail messages try to trick users into opening the file attachment and install the Trojan program, and have subject lines such as "New Price List," Lee said.
When opened, the Trojan program is installed on the local computer and tries to connect to one of a long list of websites to download another malicious program, which is believed to be a spam mass mailing program, Lee said.
The Trojan programs also modify a Windows configuration file to try to block access to Web sites operated by anti-virus and computer security companies.
Eset detected 15 unique Trojan horse programs associated with the new Bagle versions on Tuesday, while, on the same day, F Secure detected four new Trojans and two different variants of the Bagle worm.
Sophos said that it knew of "very few" infections from the attack, but said that customers would be aware of the attack and should keep their antivirus software updated to detect the new variants.
However, the sheer number of new Trojan horse programs being distributed, with new variants appearing minutes apart from each other, will challenge antivirus vendors to come up with new antivirus signatures in time to stop infections, Lee said.
The switch from self-reproducing viruses to spam campaigns that drop Trojan horse programs may be a sign that online criminal groups are changing tactics to avoid detection by antivirus software and other technology, Lee said.
"I wouldn't be surprised if we see more of this," he said.