New Bagle variant disables antivirus programs

March 15, 2004 —

A new variant of the notorious Bagle viruses, Bagle.M, which aims to disable antivirus programs and even infect files, has been released and is spreading fast, using an ingenious design.

According to Justin Stanford from South Africa IS company, 4DDS (Pty) Ltd., this latest virus, which propagates through mass mailing, infecting .exe files and leaving a backdoor open for hackers, was detected by the advanced heuristics of the company's antivirus software, NOD32. Stanford says what gives this virus a strong advantage is the fact that the virus is compressed, and sent along with an encrypted password.

"Previous Bagles used a similar trick with the password, which unlocks the attached .zip or .rar file, included in plain text in the e-mail body. With Bagle.M. However, the password is displayed in the e-mail in the form of an image file varying from .jpg to .gif and .bmp format, thus complicating detection for antivirus programs not using advanced heuristics."

"Bagle.M compresses the .zip file, making it impossible for AV software to actually look inside. It also uses anti-OCR (optical character recognition) techniques to prevent computers from reading the password which is printed in the image," Stanford continues.

The virus aims to disable an enormous list of major antivirus programs, personal firewalls and other security programs, virus cleaners and system utilities used to clean or remove viruses. NOD32 is claimed to be one of the few antivirus programs not affected by this.

The virus will try to spread via mass e-mailing, and Peer-2-peer filesharing networks, posing as software cracks for popular software such as MS Office and Windows XP.

"An interesting development is that Bagle.M will actually infect .exe files, something traditionally unusual for a worm, and more in the vein of traditional viruses. The virus will harvest e-mail addresses from a variety of sources, which is then used for further propagation. A backdoor is also left open on the infected computer, rendering the machine accessible to hackers."

The new strain, called Bagle.M, appears most commonly as a very convincing e-mail coming from your Internet or e-mail service provider, warning of virus activity on your computer.

The message states that it has detected an error with your e-mail system, or that a virus was detected coming from your e-mail, and requests you to run the attached virus cleaning program or view the attached file.

"The virus uses various e-mail subject lines, but all feature a general warning that the user's computer has been infected by a virus. The virus will appear to have been sent from the user's own domain, adding support or staff at the front of the sender's e-mail address. This means if the message is sent to John@nod32.co.za, it would appear to come from staff@nod32.co.za or support@nod32.co.za," says Stanford.

A sample of the virus e-mail body will look like this:

Dear User of 4dds.co.za e-mail system,

Our antivirus software has detected a large amount of viruses outgoing from your e-mail account, you may use our free antivirus tool to clean up your computer software.

Further details can be obtained from attached file.

Kind regards,

The 4dds.co.za Team

For security reasons attached file is password protected.

According to Stanford the virus has been spreading with alarming speed internationally, and has already caused significant damage. The advanced heuristics featured by NOD32 act like artificial intelligence and detect the activities of this virus. Consequently NOD32, which also picked up 90 percent of the recent Bagle and Netsky viruses before patches were developed, protects users against this latest strain even without any update.

Computing South Africa