A new version of the Bagle worm that poses as Internet Explorer in order to bypass firewalls and anti-virus software is spreading quickly.
The new worm goes by a number of different names and is very similar to earlier versions of the worm, but also has new features that allow it to trick anti-virus software and content filtering products, said Sam Curry, vice president of e-Trust Security Management at Computer Associates (CA).
McAfee and CA have both rated the new version a "medium" threat, citing an increasing number of samples submitted by customers.
CA first detected the new Bagle, which it has dubbed Bagle.AG, yesterday afternoon. It may have been "seeded" through a spam campaign, said antivirus company F-Secure. F-Secure, like McAfee, calls the new worm Bagle.AQ.
The new version of Bagle is nearly identical to earlier versions. It contains its own SMTP e-mail engine, gleans e-mail addresses from files stored on the hard drive of computers it infects and sends copies of itself out to those addresses using spoofed sender addresses. However, the new variant also has some new features that make it harder to catch, Curry said.
Among other things, the new worm injects a DLL file into Windows that allows it to disguise itself as the Internet Explorer browser. By making its network activity appear to come from IE, Bagle fools personal firewall software running on infected machines, which would otherwise block unauthorised applications from communicating with other systems on the Internet. As a result, the new Bagle version is able to request and download malicious files with impunity, he said.
For companies that use content blocking products to inspect Web traffic, the new Bagle variant also has a feature that alters the names of the files it requests while they are in transit. For example, it can rename .exe program files as innocuous files such as .jpg images, which content filtering products typically allow. Once the files have been downloaded to the infected system, however, the new Bagle version renames and runs the .exe files, he said.
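As an added illustration of the renaming trick Curry describes, the check below (example code written for this article, not CA's or any vendor's product) shows why a content filter must classify downloads by their bytes rather than by the file extension: a constructed Windows executable header travelling under a .jpg name is blocked, while a genuine JPEG header under the same name is allowed.

```python
import struct

def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, i.e. a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Magic bytes for image types a Web filter usually lets through.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

def inspect_download(filename: str, data: bytes) -> str:
    """Classify a download by its content, not its name.
    Returns 'block', 'flag' or 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe_executable(data):
        return "block"      # executable, whatever name it travels under
    magics = IMAGE_MAGIC.get(ext)
    if magics is not None and not data.startswith(magics):
        return "flag"       # claims to be an image but does not look like one
    return "allow"

def make_fake_pe() -> bytes:
    """Constructed sample (not a real worm): a minimal DOS stub whose
    e_lfanew points at a PE signature at offset 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    # An executable renamed to look like a picture is still caught.
    print(inspect_download("photo.jpg", make_fake_pe()))            # block
    print(inspect_download("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # allow
```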
CA is still analysing Bagle, but Curry believes that the new worm version is spreading, in part, by exploiting a vulnerability in a Windows feature for viewing and opening .zip compressed file archives. That vulnerability allows the worm to be installed if users simply view the .zip-format e-mail attachment containing the worm file using the Windows Explorer or Internet Explorer browser.
Anti-virus companies have released updated virus definitions to pick up the worm.