New Bagle worms crawl through old MS hole

Four new versions of the Bagle email worm have appeared, and antivirus experts warn that new techniques by the worm's creator could make it harder to stop the new worm variants.

Antivirus companies have issued software updates and alerts about Bagle.Q, R, S and T.

The new versions of the worm, which first appeared in January, do not carry file attachments containing the virus. Instead, they used a months-old Microsoft Windows security hole to break into vulnerable machines, experts said.

"It's really nasty. Just previewing a message in an email client could download the virus to your computer," senior technology consultant at Sophos, Graham Cluley, said.

The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability and concerns a problem with the way the Internet Explorer Web browser interprets HTTP (Hypertext Transfer Protocol) data. The vulnerability, MS03-032, was patched by Microsoft in August, 2003. (See: http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx.)

Previous versions of Bagle have shipped off copies of the virus as email file attachments with ZIP, EXE and SCR attachments, among others. Antivirus and antispam products can block the spread of such viruses by scanning incoming email attachments, identifying the virus file by the name, size and other telltale characteristics.

By foregoing file attachments, the Bagle author had made it easier to slip by security products, Cluley said.

Like its predecessors, the new Bagle worms arrive in e-mail messages with faked sender addresses and vague subjects such as "Re: Hello", "Incoming message,", "Site changes", and "Re: Hi."

When opened or previewed on unpatched Windows systems, the Bagle email message first downloads a computer script with a PHP extension from one of a number of predefined Web servers used by the virus author. After it is downloaded, that script runs and downloads, then runs the actual worm file, antivirus company, F-Secure, said.

F-Secure researchers had passed the Internet Protocol (IP) addresses of machines that were hosting the virus file to authorities who were shutting them down, director of antivirus research at F-Secure, Mikko Hyppönen, said.

The new Bagle variants proved that the author was continuing to experiment with new techniques to trick security products, Cluley said.

"There's a continuing evolution with Bagle," he said. "In the beginning there were regular attachments, then they switched to ZIP files, then encrypted ZIP files with passwords, then passwords stored in graphics files, and now this."

The four new variants were closely related and could indicate some tinkering with the worm's code to fix problems, Cluley said.

"There may be some bugs in the code that limited its success," he said.

Antivirus companies said that the Bagle.Q variant, the first in the latest batch, is the most widespread. F-Secure-rated the Bagle.Q a Level 2 threat, indicating large infections within a specific region.

F-Secure has recorded infections in more than 20 countries from Bagle.Q, Hyppönen said.

Sophos had evidence of particularly heavy infections in South Korea, Cluley said.

Antivirus companies posted software updates to detect the new Bagle variants.

Computer users were also advised to apply the Microsoft patch, if they had not already done so, to protect against infection by the new Bagle variants.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?