
Updates Protect Against New Bagle Worms' Encrypted Tactics

Several anti-virus firms debuted updates that sniff out worms embedded in password-protected Zip files, a technique used by a number of this week's Bagle worms to sneak through corporate gateways.

Four of the Bagle variants released this week -- Bagle.h, Bagle.i, Bagle.j, and Bagle.k -- can deliver their payloads within encrypted Zip archives. The password to the archive is included in the message text of the malicious e-mail, tempting users to use it to open the file.

The encrypted files are almost impossible to stop with earlier anti-virus software at the gateway, since the programs can't open the archive to detect possible worms or viruses. (Most anti-virus software, however, detects viruses as soon as a Zip file is opened, but it's preferable to stop such threats at the enterprise edge.)

Now, however, updates by several anti-virus firms, including Sophos and Kaspersky Labs, as well as network security provider Network Box, can seek out and stop encrypted archive attachments.

All three use the same technique: first detect the encrypted Zip file, then scan the accompanying e-mail text for a password and use it to unpack the archive. Finally, the unpacked contents are checked for known viruses and worms.
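The three-step technique described above, as an added Python example that is not code from the article or from Sophos, Kaspersky Labs or Network Box: it spots an encrypted Zip attachment by its general-purpose flag bit, harvests password candidates from the message body (explicit "password is X" phrases first, then every other word), unpacks with each candidate and checks the result against a signature list. The lure message, the password, the payload and its signature are all constructed here; the ZipCrypto writer is included only because the standard library can read, but not write, password-protected entries, so the sample archive can be built offline.

```python
"""Added example: a gateway-style scan of a password-protected Zip attachment (all inputs constructed)."""
import binascii, email, email.policy, io, re, struct, zipfile
from email.message import EmailMessage
from hashlib import sha256

def _crc_step(crc: int, ch: int) -> int:
    """One raw CRC-32 table step, i.e. the standard CRC with its pre/post inversion undone."""
    return binascii.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(pwd: bytes, data: bytes) -> bytes:
    """Traditional PKWARE ('ZipCrypto') encryption: zipfile can read it but not write it."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(ch: int) -> None:
        keys[0] = _crc_step(keys[0], ch)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    for ch in pwd:
        update(ch)
    out = bytearray()
    for p in data:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)  # the keystream is driven by the plaintext byte
    return bytes(out)

def build_encrypted_zip(name: bytes, payload: bytes, pwd: bytes) -> bytes:
    """One stored, ZipCrypto-protected entry; readable with zipfile.ZipFile(...).open(pwd=...)."""
    crc = binascii.crc32(payload)
    # 12-byte encryption header: 11 filler bytes (fixed here for reproducibility) plus the
    # high CRC byte, which the reader compares to spot a wrong password before unpacking.
    body = zipcrypto_encrypt(pwd, bytes(11) + bytes([crc >> 24]) + payload)
    flags, method, dos_time, dos_date = 1, 0, 0, 0x21  # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(payload), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

PASSWORD_HINT = re.compile(r"(?i)pass(?:word|code)?\s*(?:is|:|=)?\s*[\"']?([^\s\"'.,;!]+)")
MAX_UNPACK = 10 * 1024 * 1024  # never inflate more than this per entry (zip-bomb guard)

def password_candidates(text: str) -> list:
    """Words the message names as the password first, then every other token in the body."""
    out = []
    for tok in PASSWORD_HINT.findall(text) + re.findall(r"\S+", text):
        if tok not in out:
            out.append(tok)
    return out

def scan_message(raw: bytes, signatures: dict) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    candidates = password_candidates(body.get_content() if body else "")
    report = {"encrypted": [], "unlocked": {}, "detections": [], "unopened": []}
    for part in msg.iter_attachments():
        blob = part.get_content()
        if not isinstance(blob, bytes) or not blob.startswith(b"PK\x03\x04"):
            continue
        zf = zipfile.ZipFile(io.BytesIO(blob))
        for info in zf.infolist():
            if not info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                continue
            key = f"{part.get_filename()}:{info.filename}"
            report["encrypted"].append(key)
            for pwd in candidates:
                try:
                    with zf.open(info, pwd=pwd.encode()) as f:
                        data = f.read(MAX_UNPACK + 1)  # full read so the CRC check also runs
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong password: check-byte or CRC mismatch
                if len(data) > MAX_UNPACK:
                    break  # unlocked but too large to inspect; reported as unopened
                report["unlocked"][key] = pwd
                digest = sha256(data).hexdigest()
                if digest in signatures:
                    report["detections"].append((info.filename, signatures[digest]))
                elif data.startswith(b"MZ"):
                    report["detections"].append((info.filename, "heuristic: executable in encrypted archive"))
                break
            if key not in report["unlocked"]:
                report["unopened"].append(key)
    return report

PASSWORD = "12345"  # constructed, as is everything below
PAYLOAD = b"MZ constructed test payload, not real malware"  # the MZ stub stands in for a PE file
SIGNATURES = {sha256(PAYLOAD).hexdigest(): "Test.Constructed.Bagle-like"}

def build_lure(body: str = f"See attached. The archive password is {PASSWORD}\nThanks") -> bytes:
    """A constructed lure: password in the message text, payload in an encrypted Zip."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "someone@example.com", "user@example.com", "Re: document"
    msg.set_content(body)
    msg.add_attachment(build_encrypted_zip(b"document.exe", PAYLOAD, PASSWORD.encode()),
                       maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_lure(), SIGNATURES))
```

Running the script on the constructed lure reports the entry as encrypted, unlocked with `12345`, and detected by signature; a message whose body carries no usable word leaves the entry in `unopened`, which is the case a gateway still has to decide on (quarantine or pass through) since the archive cannot be inspected. The read cap matters because a password-protected archive that the gateway is now willing to unpack is also an archive an attacker can make very large; every entry is inspected only up to `MAX_UNPACK` bytes.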
