Bagle turns to anti-spam trick

The latest Bagle variants are hiding their passwords in graphic files in a new ploy to avoid detection by antivirus software. Three new Bagle variants (N, O and P) discovered over the weekend differ from previous incarnations because they use an anti-spam trick to try and avoid detection by antivirus software, but experts believe that the attempt won't succeed. The Bagle worm installs a back door on infected systems and could allow the machine to be used as an email gateway for sending spam. Since the beginning of March, Bagle has arrived under the guise of an encrypted Zip file with a password included in the email text. Within days, antivirus companies updated their products to look for the password and decrypt the Zip file, but the Bagle author has now released these three new versions of the worm that produce the password in the form of a graphic or picture file, so a simple text scan of the infected email would not find the password. This trick is commonly used by Web sites when displaying email addresses to hide from Web-bots that trawl the Internet looking for potential spam targets.

Graham Cluley, senior technology consultant at Sophos, told ZDNet UK it is ironic that the Bagle author is using an anti-spam trick against the "good guys", but said it won't present a big problem for antivirus companies. "He put the password into a graphic instead of plain text because he assumed that antivirus companies would be extracting the password in order to scan inside. People have disguised their email addresses on Web sites to try and avoid being picked up by spammers and he has used that trick against the good guys," he said.

Read Full Story