
New virus says magic word

Bagle/Beagle uses passwords and infects networks

A tricky new type of virus is surfacing, using unfamiliar tactics to gain entry to systems and proliferate across networks. It arrives in attachment types that are not typically used for viruses, uses a password to avoid detection, and fools victims into entering the password and becoming infected.

Depending on the antivirus vendor, the name of this latest scourge is either Beagle or Bagle (but not Bagel). Symantec calls this series of viruses W32.Beagle.x@mm, where x designates the variation. The rest of the security vendors seem to prefer the Bagle name, although they disagree on variation letters.

All the major antivirus vendors are updating their definitions to identify the latest versions of the virus. But because this particular pest infects programs and passes through file-sharing networks, it's tough to shake from an infected system. Its cleverly deceptive approach may foretell sneakier viruses to come.

The first Bagle virus was discovered in January, and since then new variants have popped up almost daily. One discovered on March 13, named W32/Bagle.n@MM by McAfee and W32/Beagle.m@MM by Symantec, includes a small bitmap image to escape detection by antivirus programs and trick you into entering the deadly password.

Aside from this password trick, Bagle viruses spread much like other e-mail worms. When one infects a PC, it resends itself to any e-mail addresses it can find on the hard drive. It also spoofs these addresses in its e-mail, forging the return addresses and hiding the identity of the infected computer. And as with every other e-mail worm, the virus comes in the form of an e-mail attachment.

Bagle's other difference is that the attachment is often a password-protected .zip or .rar archive, neither of which have been previously known to carry viruses. The idea, apparently, is that antivirus programs can't scan a password-protected archive and are therefore less likely to identify the virus. The text of the e-mail message tries to convince you to open the file, and provides the password.

A further new wrinkle appears in the MM variant. This version, along with some others, displays the password not as text, but as a bitmapped image embedded in the message. Presumably this is to stop antivirus programs from finding the password in the message text and using it to scan the archive. As another form of protection, the virus generates passwords randomly.
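A mail-gateway check that follows from the two paragraphs above, added here as an example and not code from the article or from any vendor it names: instead of trying to recover the password from the message body (which the image trick and random passwords defeat), it flags any attached ZIP whose local file headers carry the encryption bit, and holds RAR attachments it cannot inspect. The message, the archive and the password are constructed samples; the verdict names are an assumption.

```python
import io
import re
import struct
import zipfile
from email.message import EmailMessage

ARCHIVE_EXT = re.compile(r"\.(zip|rar)$", re.IGNORECASE)

def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP local file header has the encryption bit set.

    Local file header layout (signature 'PK\\x03\\x04'): bytes 0-3 signature,
    4-5 version needed, 6-7 general purpose bit flag; bit 0 of the flag marks
    a password-protected entry, which a scanner cannot unpack without the key."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos == -1:
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        pos += 4

def classify_attachment(filename: str, payload: bytes) -> str:
    """Assumed verdicts: 'block', 'quarantine' or 'scan' (hand to the AV engine)."""
    if not ARCHIVE_EXT.search(filename or ""):
        return "scan"
    if filename.lower().endswith(".zip"):
        return "block" if zip_has_encrypted_entry(payload) else "scan"
    return "quarantine"  # RAR: not parsed here, hold for manual review

def classify_message(msg: EmailMessage):
    """One (filename, verdict) pair per attachment of the message."""
    return [(p.get_filename() or "",
             classify_attachment(p.get_filename() or "", p.get_payload(decode=True)))
            for p in msg.iter_attachments()]

def make_zip(encrypted: bool) -> bytes:
    """Constructed archive; if encrypted, only the flag bits are set (no real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.exe", b"MZ constructed sample, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01                      # local header flag, offset 6
        data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flag, offset 8
    return bytes(data)

def build_sample_message(encrypted: bool) -> EmailMessage:
    """Constructed lure shaped like the ones described: archive attached, password in body."""
    msg = EmailMessage()
    msg["Subject"] = "Fax Message Received"
    msg.set_content("The archive password is 12345")
    msg.add_attachment(make_zip(encrypted), maintype="application",
                       subtype="zip", filename="Fax.zip")
    return msg
```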

Also to escape detection, the virus e-mails itself with a wide variety of subjects, messages, and archive file names. Some of the subjects include "Account notify," "Fax Message Received," and "Re: Yahoo!"

But Bagle viruses aren't just e-mail worms. They also place themselves, under false names, in folders that are likely to be shared across networks. This allows them to spread through file-sharing systems like Kazaa and iMesh.

The Bagle viruses appear to have been designed with reproduction and survival in mind, not destruction. But a virus determined to spread and survive can still do a lot of harm.

Some of the variants intentionally stop over 270 programs from running on your system. The targets predictably include antivirus programs and firewalls that might catch the intruder, so their deactivation leaves a PC more vulnerable to other invaders.

Bagle also stops system configuration programs like msconfig and regedit that could be used to remove the virus. Other viruses also block certain programs, but none so far block anywhere near this many, antivirus experts say.

When a Bagle virus gets onto a PC, it infects every .exe file it can find. That way you can think you've removed the virus, then reinfect your system simply by loading a program. And these infections are polymorphic: they change as the virus reproduces itself, making it harder for antivirus programs to clean your system.

Finally, these viruses appear to open a back door that could allow someone to access your PC without your knowledge, even if you have a firewall. The virus writers may be planning to recruit your PC's resources for a future denial of service attack against another server; security researchers have not determined Bagle's plans.

The best cure for Bagle viruses, of course, is not to get infected.

The usual security advice applies: Don't open e-mail attachments unless you have a very good reason to believe that they're real. Keep your antivirus definitions and applications up to date.

Despite the password-protection and other tricks, virtually all antivirus programs can now recognise and catch Bagle viruses. If you do catch a Bagle, go to the McAfee or Symantec sites for free, downloadable fixes to remove the virus and repair your system.
