Latest Bagle worm both nasty and sneaky

Article

Latest Bagle worm both nasty and sneaky

A new Bagle variant has surfaced using a novel technique to propogate. Rather than attach itself to an e-mail, the worm uses a URL in the message to download the malicious code.

Bagle-Q can also spread as an attachment but the new attack methods makes it a little worrisome. Specifically, it exploits the

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

object tag vulnerability in popup windows in Microsoft Outlook.

For more information

Click here for the patch that prevents Bagle-Q infection.

See this tip: "Keys to an effective virus incident-response team"

Or this Ask the Expert: "What is the most cost-effective way to battle viruses?" 
The worm sends out HTML e-mails containing a URL that automatically downloads an .html file, which then drops a Visual Basic script. That script actually downloads the Bagle-Q file via an HTTP request to TCP port 81 on the system that sent the worm. The worm is saved as "directs.exe" in the system folder.

Bagle-Q does some nasty things to systems after infecting them. It terminates a range of security applications including antivirus scanners and personal firewalls. It also makes several copies of itself with enticing names in folders containing "shar" so systems involved with peer-to-peer sharing would download the worm. For example, the worm copies itself as "Adobe Photoshop 9 full.exe," " Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe." The worm also tries to append itself to executable files on infected systems.

The variant also opens a backdoor on infected systems. It listens on TCP port 2556 for instructions from the attacker, who has full control over the compromised system, according to an advisory from F-Secure.

To spread, the worm searches systems for e-mail addresses in a wide range of files. It then sends out the messages containing the tainted link using its own SMTP engine. The worm spoofs the From address on the messages so it appears to come from the recipients' domain. It uses a variety of official sounding usernames such as "management," "administration," or "staff," according to Symantec.

Besides updating antivirus signature files, users should also consider blocking TCP port 81, both inbound and outbound, suggested Sophos. Preventing inbound traffic would mean systems wouldn't be able to spread the worm any further. Blocking outbound traffic prevents systems from downloading the Bagle-Q file in the first place. In either case, blocking such traffic won't likely affect any network services, Sophos said.

The Bagle family of worms has been quite prolific this year. The first one appeared in January, and since then multiple variants of appeared.