Viruses Try New Tactics
Bagle/Beagle variants use passwords, images, and atypical payload files to trick victims.
Lincoln Spector, special to PC World
A tricky new type of virus is surfacing, taking a twist on the usual trap set by e-mail messages: It appears in attachments that are not typically used for viruses, applies a password to avoid detection, and fools victims into entering the password and becoming infected.
Depending on the antivirus vendor, the name of this latest scourge is either Beagle or Bagle (but not Bagel). Symantec calls this series of viruses W32.Beagle.x@mm, where x designates the variation. The rest of the security vendors seem to prefer the Bagle name, although they disagree on variation letters.
All the major antivirus vendors are updating their definitions to identify the latest versions of the virus. But because this particular pest infects programs and passes through file-sharing networks, it's tough to shake from an infected system. Its cleverly deceptive approach may foretell sneakier viruses to come.
Avoiding Detection
The first Bagle virus was discovered in January, and since then new variants have popped up almost daily. One discovered on March 13, named W32/Bagle.n@MM by McAfee and W32/Beagle.m@MM by Symantec, includes a small bitmap image to escape detection by antivirus programs and trick you into entering the deadly password.
Aside from this password trick, Bagle viruses spread much like other e-mail worms. When one infects a PC, it resends itself to any e-mail addresses it can find on the hard drive. It also spoofs these addresses in its e-mail, forging the return addresses and hiding the identity of the infected computer. And as with every other e-mail worm, the virus comes in the form of an e-mail attachment.
Bagle's other difference: That attachment is often a password-protected .zip or .rar archive, file types not previously known to carry viruses. The idea, apparently, is that antivirus programs can't scan a password-protected archive and are therefore less likely to identify the virus. The text of the e-mail message tries to convince you to open the file, and provides the password.
A new wrinkle appears in the MM variant. This version--and some subsequent others--displays the password not as text, but as a bitmapped image embedded in the message. Presumably this is to stop antivirus programs from finding the password in the message text and using it to scan the archive. As another form of protection, the virus generates passwords randomly.
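A mail-gateway check for the trick described above, as an added example that is not part of the original article: it flags messages whose .zip attachment has the ZIP encryption flag set, so its contents cannot be scanned, and notes whether an image part accompanies it. The function names, the `Info.zip` and `pw.bmp` file names and the sample message are constructed for illustration; .rar archives are not handled.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member is encrypted

def encrypted_members(zip_bytes):
    """Names of archive members a scanner cannot read without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]

def triage(raw_message):
    """Report unscannable .zip attachments and whether an image part is present."""
    msg = message_from_bytes(raw_message)
    report = {"unscannable": [], "has_image": False}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            report["has_image"] = True  # the password may be shown as a picture
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            locked = encrypted_members(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            locked = [name]  # unparseable archive: also unscannable
        if locked:
            report["unscannable"].append(name)
    report["quarantine"] = bool(report["unscannable"])
    return report

def build_sample(encrypted):
    """Constructed message: harmless text file zipped, flag bit patched by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample, not malware")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= ENCRYPTED                              # local header flags
        blob[blob.index(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    msg = EmailMessage()
    msg["Subject"] = "Fax Message Received"
    msg.set_content("Password is in the attached picture.")
    msg.add_attachment(b"BM", maintype="image", subtype="bmp", filename="pw.bmp")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="Info.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

The check reads only the archive's directory, so it needs no password and works even when the password is randomized or shown as an image.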
Also to escape detection, the virus e-mails itself with a wide variety of subjects, messages, and archive file names. Some of the subjects include "Account notify," "Fax Message Received," and "Re: Yahoo!"
But Bagle viruses aren't just e-mail worms. They also place themselves, under false names, in folders that are likely to be shared across networks. This allows them to spread through file-sharing systems like Kazaa and iMesh.
Beware Other Damage
The Bagle viruses appear to have been designed with reproduction and survival in mind, not destruction. But a virus determined to spread and survive can still do a lot of harm.
Some of these variants intentionally stop over 270 programs from running on your system. The targets predictably include antivirus programs and firewalls that might catch the intruder, so their deactivation leaves a PC more vulnerable to other invaders.
Bagle also stops system configuration programs like msconfig and regedit that could be used to remove the virus. Other viruses also block certain programs, but none so far block anywhere near this many, antivirus experts say.
When a Bagle virus gets onto a PC, it infects every .exe file it can find. That way you can think you've removed the virus, then reinfect your system by simply loading a program. And these infections are polymorphous--they change as the virus reproduces itself, making it harder for antivirus programs to clean your system.
Finally, these viruses appear to open a back door that could allow someone to access your PC without your knowledge, even if you have a firewall. The virus writers may be planning to recruit your PC's resources for a future denial of service attack against another server; security researchers have not determined Bagle's plans.
Protection Strategy
The best cure for Bagle viruses, of course, is not to get infected.
The usual security advice applies: Don't open e-mail attachments unless you have a very good reason to believe that they're real. Keep your antivirus definitions and applications up to date.
Despite the password-protection and other tricks, virtually all antivirus programs can now recognize and catch Bagle viruses. If you do catch a Bagle, go to the McAfee or Symantec sites for free, downloadable fixes to remove the virus and repair your system.






