Latest Bagle worm both nasty and sneaky

By Edward Hurley, News Writer 18 Mar 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A new Bagle variant has surfaced using a novel technique to propogate. Rather than attach itself to an e-mail, the worm uses a URL in the message to download the malicious code.

Bagle-Q can also spread as an attachment but the new attack methods makes it a little worrisome. Specifically, it exploits the object tag vulnerability in popup windows in Microsoft Outlook.

For more information Click here for the patch that prevents Bagle-Q infection. See this tip: "Keys to an effective virus incident-response team" Or this Ask the Expert: "What is the most cost-effective way to battle viruses?"

The worm sends out HTML e-mails containing a URL that automatically downloads an .html file, which then drops a Visual Basic script. That script actually downloads the Bagle-Q file via an HTTP request to TCP port 81 on the system that sent the worm. The worm is saved as "directs.exe" in the system folder.

Bagle-Q does some nasty things to systems after infecting them. It terminates a range of security applications including antivirus scanners and personal firewalls. It also makes several copies of itself with enticing names in folders containing "shar" so systems involved with peer-to-peer sharing would download the worm. For example, the worm copies itself as "Adobe Photoshop 9 full.exe," " Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe." The worm also tries to append itself to executable files on infected systems.

The variant also opens a backdoor on infected systems. It listens on TCP port 2556 for instructions from the attacker, who has full control over the compromised system, according to an advisory from F-Secure.

To spread, the worm searches systems for e-mail addresses in a wide range of files. It then sends out the messages containing the tainted link using its own SMTP engine. The worm spoofs the From address on the messages so it appears to come from the recipients' domain. It uses a variety of official sounding usernames such as "management," "administration," or "staff," according to Symantec.

Besides updating antivirus signature files, users should also consider blocking TCP port 81, both inbound and outbound, suggested Sophos. Preventing inbound traffic would mean systems wouldn't be able to spread the worm any further. Blocking outbound traffic prevents systems from downloading the Bagle-Q file in the first place. In either case, blocking such traffic won't likely affect any network services, Sophos said.

The Bagle family of worms has been quite prolific this year. The first one appeared in January, and since then multiple variants of appeared.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary