
March 1, 2005 3:53 PM PST

Watchdog-attacking Bagle ramps up

A new variant of Bagle is spreading rapidly, security companies have warned.

Rather than being a mass-mailing worm, BagleDl-L is a Trojan horse that damages security applications and attempts to connect with a number of Web sites. It has been sent via spam lists to millions of addresses in the past 12 hours, said security company McAfee, which has upgraded it to a "medium" risk.

The new variant could also have boosted overall Bagle traffic, which has increased five times in the past 24 hours, e-mail security vendor Postini said Tuesday.

The attempt to disable security protection could expose systems to a variety of threats. "Any Trojan horse which turns off your antivirus or firewall can open you up to further attack, even by very old viruses," Graham Cluley, senior technology consultant for antivirus company Sophos, said in a statement.

Unlike a mass-mailing worm, the Trojan does not self-propagate, but the security companies have highlighted it because a high number of e-mails containing it have been detected.

Although the Trojan horse doesn't spread itself, the code is similar to other variants of the Bagle worm, which is why Sophos marked it a descendant of that program, Cluley said in an interview.

According to Sophos and antivirus company F-Secure, the Web sites that the new Bagle links to currently contain no malicious code. However, Trojan and worm writers have been known to add malicious code to a Web site after the initial attack has calmed down, said Craig Schmugar, a senior virus research manager for McAfee.

For this Trojan to work, a certain amount of naivete is required on the part of victims because the e-mails contain a ZIP-file attachment that must be opened to display the programs "doc_01.exe" or "prs_03.exe," which must be run manually to infect a computer.

"This Trojan horse is aiming to take advantage of people's reflex reaction when they receive an executable file via e-mail," Cluley said in a statement. "Users who want to install software on their computer should be receiving it from their IT department, not from friends at other companies or potentially dangerous spam mailings."

Variants of Bagle, which surfaced more than a year ago, continue to proliferate.

The detection of BagleDl-L comes just days after Send-Safe.com, which offered spamming tools, was kicked off Internet service provider MCI's network. Send-Safe is said to use PCs that have been compromised by Trojan horses to propagate spam.

Dan Ilett of ZDNet UK reported from London. CNET News.com's Dawn Kawamoto and Robert Lemos contributed to this report.
