A new Bagle variant has surfaced using a novel technique to propogate. Rather than attach itself to an e-mail,...
the worm uses a URL in the message to download the malicious code.
Bagle-Q can also spread as an attachment but the new attack methods makes it a little worrisome. Specifically, it exploits the object tag vulnerability in popup windows in Microsoft Outlook.
Bagle-Q does some nasty things to systems after infecting them. It terminates a range of security applications including antivirus scanners and personal firewalls. It also makes several copies of itself with enticing names in folders containing "shar" so systems involved with peer-to-peer sharing would download the worm. For example, the worm copies itself as "Adobe Photoshop 9 full.exe," " Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe." The worm also tries to append itself to executable files on infected systems.
The variant also opens a backdoor on infected systems. It listens on TCP port 2556 for instructions from the attacker, who has full control over the compromised system, according to an advisory from F-Secure.
To spread, the worm searches systems for e-mail addresses in a wide range of files. It then sends out the messages containing the tainted link using its own SMTP engine. The worm spoofs the From address on the messages so it appears to come from the recipients' domain. It uses a variety of official sounding usernames such as "management," "administration," or "staff," according to Symantec.
Besides updating antivirus signature files, users should also consider blocking TCP port 81, both inbound and outbound, suggested Sophos. Preventing inbound traffic would mean systems wouldn't be able to spread the worm any further. Blocking outbound traffic prevents systems from downloading the Bagle-Q file in the first place. In either case, blocking such traffic won't likely affect any network services, Sophos said.