
March 15, 2004 9:12 AM PST

Bagle latches on to antispam ploy

Three new Bagle variants discovered over the weekend differ from previous incarnations by using an antispam trick to try to avoid detection by antivirus software--but experts believe the attempt won't succeed.

The Bagle worm installs a back door on infected systems and could allow a machine to be used as an e-mail gateway for sending spam. Since the beginning of March, Bagle has arrived under the guise of an encrypted Zip file with a password included in the e-mail text. Within days, antivirus companies updated their products to look for the password and decrypt the Zip file.




But now the Bagle author has released three new versions (N, O and P) of the worm that produce the password in the form of a graphic or picture file, so a simple text scan of the infected e-mail will not find the password. This trick is commonly used by Web sites to hide e-mail addresses from Web bots that trawl the Internet looking for potential spam targets.

Graham Cluley, senior technology consultant at antivirus company Sophos, said it is ironic that the Bagle author is using an antispam trick against the "good guys," but that it won't present a big problem for antivirus companies.

"He put the password into a graphic instead of plain text because he assumed that antivirus companies would be extracting the password in order to scan inside," Cluley said. "People have disguised their e-mail addresses on Web sites to try and avoid being picked up by spammers, and he has used that trick against the good guys."

Cluley said Sophos updated its systems over the weekend to include detection for the new variant. "We can pick up the password, even if it has been put inside a graphic," he said.

Kevin Hogan, senior manager at Symantec Security Response, said that his company's Norton Antivirus software also will be able to detect the new variants. "This is not going to impact our detection. We don't rely on (text passwords) to detect the worm in its encrypted Zip form. You could call it heuristics if you want, but at the end of the day, we don't need to completely unzip a file to get the information we need."
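
An added example, not from the article or any vendor's product, of inspecting a password-protected archive without its password: with traditional Zip password protection, the central directory still lists each entry's name, size, CRC-32 and an "encrypted" flag in the clear. The extension list and the hand-built sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Assumed for illustration: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".cpl")


def triage_zip(data: bytes) -> list[dict]:
    """Read entry metadata from the central directory; no password is needed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag, bit 0
            is_executable = info.filename.lower().endswith(EXECUTABLE_EXTS)
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "size": info.file_size,
                "crc32": info.CRC,
                # An encrypted entry with an executable name is worth quarantining
                # even though its contents cannot be read.
                "suspicious": encrypted and is_executable,
            })
    return findings


def constructed_sample() -> bytes:
    """Constructed sample: a harmless one-entry archive whose 'encrypted' bit is
    set by hand, since the standard zipfile module cannot write encrypted files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.scr", b"harmless placeholder bytes")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x01  # flags field, local file header
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01  # flags field, central directory
    return bytes(raw)


if __name__ == "__main__":
    for entry in triage_zip(constructed_sample()):
        print(entry)
```

The name, size and CRC-32 recovered this way can be matched against known samples or used in a mail-gateway policy that holds encrypted archives containing executables.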

Researchers also pointed out that the most recent variants not only use Zip files, but also RAR files, which are similar to Zip files in that they are compressed archives, with a different extension.

Munir Kotadia of ZDNet UK reported from London.
