The Trojan BagleDl-L appears to have been deliberately spammed out to email addresses around the world, according to analysts at Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass. Most of the email samples seen so far include a ZIP attachment which, if opened, tries to connect to one of a number of Websites in order to download more malicious code.
At deadline, none of these Websites appeared to contain anything malicious.
The malware also goes after security software on the infected computers.
BagleDl-L tries to stop various security applications, such as anti-virus and firewall software. It renames files belonging to security applications, so they can no longer load. It also blocks access to a range of security-related Websites by changing the Windows HOSTS file.
''Any Trojan horse which turns off your anti-virus or firewall can open you up to further attack, even by very old viruses,'' says Graham Cluley, senior technology consultant for Sophos. ''My advice is to keep your anti-virus automatically updated and always be suspicious of unsolicited email attachments.''
Ken Dunham, director of Malicious Code at iDefense, says they have discovered five unique codes being heavily spammed into the wild. The attack, he says, started Monday evening and is ongoing.
The malware does require user interaction, but Dunham notes that, despite user education, it still is a highly effective method of spreading malicious code.
''Wave attacks are becoming increasingly common,'' says Dunham. ''Multiple minor variants are rapidly seeded into the wild to help the overall success of the attack... Hackers have been testing their code prior to the attack to ensure that certain anti-virus products do not detect the new minor variants. Hackers have become increasingly sophisticated and organized in what they are doing in an attempt to steal sensitive information or gain control over many computers.''