Latest Bagle worm both nasty and sneaky

Edward Hurley, News Writer

A new Bagle variant has surfaced using a novel technique to propogate. Rather than attach itself to an e-mail, the worm uses a URL in the message to download the malicious code.

Bagle-Q can also spread as an attachment but the new attack methods makes it a little worrisome. Specifically, it exploits the

    Requires Free Membership to View

object tag vulnerability in popup windows in Microsoft Outlook.

For more information

Click here for the patch that prevents Bagle-Q infection.

See this tip: "Keys to an effective virus incident-response team"

Or this Ask the Expert: "What is the most cost-effective way to battle viruses?" 

The worm sends out HTML e-mails containing a URL that automatically downloads an .html file, which then drops a Visual Basic script. That script actually downloads the Bagle-Q file via an HTTP request to TCP port 81 on the system that sent the worm. The worm is saved as "directs.exe" in the system folder.

Bagle-Q does some nasty things to systems after infecting them. It terminates a range of security applications including antivirus scanners and personal firewalls. It also makes several copies of itself with enticing names in folders containing "shar" so systems involved with peer-to-peer sharing would download the worm. For example, the worm copies itself as "Adobe Photoshop 9 full.exe," " Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe." The worm also tries to append itself to executable files on infected systems.

The variant also opens a backdoor on infected systems. It listens on TCP port 2556 for instructions from the attacker, who has full control over the compromised system, according to an advisory from F-Secure.

To spread, the worm searches systems for e-mail addresses in a wide range of files. It then sends out the messages containing the tainted link using its own SMTP engine. The worm spoofs the From address on the messages so it appears to come from the recipients' domain. It uses a variety of official sounding usernames such as "management," "administration," or "staff," according to Symantec.

Besides updating antivirus signature files, users should also consider blocking TCP port 81, both inbound and outbound, suggested Sophos. Preventing inbound traffic would mean systems wouldn't be able to spread the worm any further. Blocking outbound traffic prevents systems from downloading the Bagle-Q file in the first place. In either case, blocking such traffic won't likely affect any network services, Sophos said.

The Bagle family of worms has been quite prolific this year. The first one appeared in January, and since then multiple variants of appeared.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: