Risk: Medium
Rather than being a mass-mailing worm, BagleDl-L is a Trojan horse that damages security applications and attempts to connect with a number of Web sites. It has been sent via spam lists to millions of addresses. McAfee has upgraded the risk threat posed by this latest variant of Bagle to "Medium" risk.
Since its release, security firms monitoring Bagle traffic levels, have noticed a fivefold increase in overall traffic patterns. The attempt to disable security protection could expose systems to a variety of threats. Any Trojan horse that turns off your antivirus or firewall can open you up to further attack, even by very old viruses.
Unlike a mass-mailing worm, the Trojan does not self-propagate, but the security companies have highlighted it because a high number of e-mails containing it have been detected.
Although the Trojan horse doesn't spread itself, the code is similar to other variants of the Bagle worm, which is why Sophos marked it a descendent of that program.
According to antivirus company F-Secure, the web sites that the new Bagle links to currently contain no malicious code. However, Trojan and worm writers have been known to add malicious code to a web site after the initial attack has calmed down.
For this Trojan to work, a certain amount of naivety is required on the part of victims because the e-mails contain a ZIP-file attachment that must be opened to display the programs "doc_01.exe" or "prs_03.exe," which must be run manually to infect a computer.
Variants of Bagle, which surfaced more than a year ago, continue to proliferate.