New Bagle worms crawl through old Microsoft hole
Four new variants of the Bagle worm appeared yesterday
IDG News Service - Four new versions of the Bagle e-mail worm appeared yesterday, and antivirus experts warned that new techniques by the worm's creator could make it harder to stop the new variants.
Antivirus companies issued software updates and alerts about Bagle.Q, R, S and T. The new versions of the worm, which first appeared in January, don't carry file attachments containing the virus. Instead, they use a months-old Windows security hole to break into vulnerable machines.
"It's really nasty. Just previewing a message in an e-mail client could download the virus to your computer," said Graham Cluley, senior technology consultant at Sophos PLC in Abingdon, U.K.
The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability and concerns a problem with the way Microsoft Corp.'s Internet Explorer Web browser interprets HTTP data. The vulnerability, MS03-032, was patched by the company last August.
Previous versions of Bagle have shipped copies of the virus as e-mail files with .zip, .exe and .scr attachments, among others.
Antivirus and antispam products can block the spread of such viruses by scanning incoming e-mail attachments, identifying the virus file by the name, size and other telltale characteristics. By forgoing file attachments, the Bagle author has made it easier to slip by security products, Cluley said.
Like its predecessors, the new Bagle worms arrive in e-mail messages with faked sender addresses and vague subject lines such as "Re: Hello," "Incoming message," "Site changes" and "Re: Hi."
When opened or previewed on unpatched Windows systems, the Bagle e-mail message first downloads a computer script with a .php extension from one of a number of predefined Web servers used by the virus author. After it's downloaded, that script runs and downloads, then runs the actual worm file, said antivirus company F-Secure Corp. in Helsinki, Finland.
F-Secure researchers have passed the IP addresses of machines that are hosting the virus file to authorities, who are shutting them down, according to Mikko Hypponen, director of antivirus research at F-Secure.
The new Bagle variants prove that the author is continuing to experiment with new techniques to trick security products, said Cluley.
"There's a continuing evolution with Bagle. In the beginning, there were regular attachments, then they switched to .zip files, then encrypted .zip files with passwords, then passwords stored in graphics files, and now this," he said.
The four new variants are closely related and may indicate some tinkering with the worm's code to fix problems, Cluley said. "There may be some bugs in the code that limited its success," he said.
Antivirus companies said that the Bagle.Qvariant, the first in the latest batch, is the most widespread. F-Secure rated the Bagle.Q a Level 2 threat, indicating "large infections" within a specific region. It has recorded infections in more than 20 countries from Bagle.Q, said Hypponen.
Sophos has evidence of particularly heavy infections in South Korea, Cluley said.
Antivirus companies posted software updates to detect the new Bagle variants. Computer users were also advised to apply the Microsoft patch, if they hadn't already done so, to protect against infection by the new Bagle variants.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts