Bagle turns to anti-spam trick

The latest Bagle variants are hiding their passwords in graphic files in a new ploy to avoid detection by antivirus software

Three new Bagle variants (N, O and P) discovered over the weekend differ from previous incarnations because they use an anti-spam trick to try and avoid detection by antivirus software, but experts believe that the attempt won't succeed.

The Bagle worm installs a back door on infected systems and could allow the machine to be used as an email gateway for sending spam. Since the beginning of March, Bagle has arrived under the guise of an encrypted Zip file with a password included in the email text. Within days, antivirus companies updated their products to look for the password and decrypt the Zip file, but the Bagle author has now released these three new versions of the worm that produce the password in the form of a graphic or picture file, so a simple text scan of the infected email would not find the password. This trick is commonly used by Web sites when displaying email addresses to hide from Web-bots that trawl the Internet looking for potential spam targets.

Graham Cluley, senior technology consultant at Sophos, told ZDNet UK it is ironic that the Bagle author is using an anti-spam trick against the "good guys", but said it won't present a big problem for antivirus companies. "He put the password into a graphic instead of plain text because he assumed that antivirus companies would be extracting the password in order to scan inside. People have disguised their email addresses on Web sites to try and avoid being picked up by spammers and he has used that trick against the good guys," he said.

Cluley said Sophos had updated its systems over the weekend to include detection for the new variant: "We can pick up the password even if it has been put inside a graphic," he said.

Kevin Hogan, senior manager at Symantec Security Response, told ZDNet UK that Norton Antivirus will also be able to detect the new variants: "This is not going to impact our detection -- we don't rely on [text passwords] to detect the worm in its encrypted Zip form. You could call it heuristics if you want, but at the end of the day we don't need to completely unzip a file to get the information we need," he said.

Researchers also pointed out that the most recent variants not only use Zip files, but also RAR files, which are similar to Zip files in that they are compressed archives, with a different extension.