Updates Protect Against New Bagle Worms' Encrypted Tactics

Several anti-virus firms debuted updates that sniff out worms embedded in password-protected Zip files, a technique used by a number of this week's Bagle worms to sneak through corporate gateways.

Four of the Bagle variants released this week -- including Bagle.h, Bagle.i, Bagle.j, and Bagle.k -- can deliver their payloads within encrypted Zip archives. Passwords to the files are included in the message text of the malicious e-mail, tempting users to use the password to open the file.

The encrypted files are almost impossible to stop with earlier anti-virus software at the gateway, since the programs can't open the archive to detect possible worms or viruses. (Most anti-virus software, however, detects viruses as soon as a Zip file is opened, but it's preferable to stop such threats at the enterprise edge.)

Now, however, updates by several anti-virus firms, including Sophos and Kaspersky Labs, as well as network security provider Network Box, can seek out and stop encrypted archive attachments.

All work using the same technique of first detecting encrypted Zip files, then scanning the accompanying e-mail text for a password, which is used to unpack the file. Finally, its contents are checked for known viruses and worms."This technology protects users from new generation worms, specifically worms that hide in password protected ZIP files," said Eugene Kaspersky, head of anti-virus research at Moscow-based Kaspersky Labs, in a statement. "Five worms using this technique appeared within only four days, a new trend has been set in the computer underground."