Hacker Spams Huge Quantities Of Trojans, Again

By Gregg Keizer, Tue Sep 20, 9:35 PM ET

For the second day in a row, an unknown attacker Tuesday spammed major quantities of a new Bagle-esque Trojan horse that turns off virtually every known security program and blocks access to security sites on the Internet.

Several variants of the BagleDI-U Trojan -- dubbed Bagle.cd by McAfee, and Bagle.da by Trend Micro -- have been spammed since Monday at approximately 11 a.m. EDT. A second wave hit the Internet around the same time Tuesday, said U.K.-based security firm Sophos.

"This is the second massive e-mail attack from this hacker in two days; the creator is obviously intent on infecting as many people as possible," said Carole Theriault, a senior security consultant at Sophos, in a statement.

The variants are easy to spot: every message arrives with a blank subject line, a body reading only "new price," and a .zip attachment with a name such as "09_price.zip," "price_new.zip," or "price2.zip."
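The three indicators above (blank subject, "new price" body, price-named .zip attachment) are enough to write a simple mail-gateway check. The following is an added example, not code from the article or from any vendor named in it; it parses raw messages with Python's standard email package and flags a message only when all three indicators are present. The attachment-name regex generalises the three file names the article lists (an assumption about the campaign's naming scheme, not a fact from the text), and the sample messages and the attachment bytes are constructed here, not real Bagle samples.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The article lists 09_price.zip, price_new.zip and price2.zip. This pattern
# generalises them to optional leading digits, "price", an optional suffix and
# a .zip extension. Assumption: the campaign sticks to this scheme.
ATTACHMENT_RE = re.compile(r"^(?:\d+_)?price(?:_new|\d+)?\.zip$", re.IGNORECASE)
BODY_TEXT = "new price"


def matches_bagle_campaign(raw_message: bytes) -> dict:
    """Evaluate the three indicators described in the article against one raw
    RFC 5322 message. Returns each indicator plus a combined 'flagged' verdict
    that is True only when all three match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    # A missing Subject header and an empty one both count as "blank".
    subject = (msg.get("Subject") or "").strip()

    # Prefer the text/plain body; attachments are skipped by get_body().
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip().lower() if body_part is not None else ""

    # Filenames of every attachment part (empty for non-multipart messages).
    attachment_names = [part.get_filename() or "" for part in msg.iter_attachments()]

    hits = {
        "blank_subject": subject == "",
        "new_price_body": body_text == BODY_TEXT,
        "price_zip_attachment": any(ATTACHMENT_RE.match(n) for n in attachment_names),
    }
    hits["flagged"] = all(hits.values())
    return hits


def build_sample(subject, body, attachment_name):
    """Construct a test message. The attachment payload is a placeholder byte
    string, not a real ZIP archive and not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(
            b"PK\x03\x04 constructed placeholder, not a real archive",
            maintype="application",
            subtype="zip",
            filename=attachment_name,
        )
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "campaign-like": build_sample("", "new price", "09_price.zip"),
        "has subject": build_sample("Re: invoice", "new price", "price2.zip"),
        "no attachment": build_sample("", "new price", None),
    }
    for label, raw in samples.items():
        print(label, matches_bagle_campaign(raw))
```

Requiring all three indicators keeps false positives low for a gateway rule; a looser policy would quarantine on the attachment name alone, since a blank subject or a two-word body is common in legitimate mail.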

BagleDI-U (or whatever others call it) attempts to terminate a long list of security-related processes; deletes Windows Registry keys belonging to software from Symantec, McAfee, Kaspersky, Panda, Zone Labs, and Agnitum; blocks the browser from reaching security vendors' Web sites; and downloads additional code from a wide range of malicious Web sites.

The Trojan (or worm; some vendors claim it's the latter) also boasts an anti-Netsky feature that prevents worms in that family from executing on an infected PC.

Most security vendors have pegged BagleDI-U as a low- to medium-level threat.

Copyright © 2005 Yahoo! Inc. All rights reserved.