Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
Four new versions of the Bagle e-mail worm have appeared, and antivirus experts warn that new techniques by the worm's creator could make stopping the new worm variants harder.
Antivirus companies have issued software updates and alerts about Bagle.Q, R, S, and T. The new versions of the worm, which first appeared in January, do not carry file attachments containing the virus. Instead, they use a months-old Microsoft Windows security hole to break into vulnerable machines, experts say.
"It's really nasty. Just previewing a message in an e-mail client could download the virus to your computer," says Graham Cluley, senior technology consultant at Sophos PLC in Abingdon, UK.
New Tactic
The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability, and concerns a problem with the way the Internet Explorer Web browser interprets Hypertext Transfer Protocol data. The vulnerability, MS03-032, was patched by the Redmond, Washington-based Microsoft in August 2003.
Previous versions of Bagle have shipped off copies of the virus as e-mail file attachments with .zip, .exe, and .scr extensions, among others.
Antivirus and antispam products can block the spread of such viruses by scanning incoming e-mail attachments, identifying the virus file by the name, size, and other telltale characteristics. By forgoing file attachments, the Bagle author has made it easier for the worm to slip by security products, Cluley says.
Like their predecessors, the new Bagle worms arrive in e-mail messages with faked sender addresses and vague subjects such as 'Re: Hello', 'Incoming message', 'Site changes', and 'Re: Hi'.
When opened or previewed on unpatched Windows systems, the Bagle e-mail message first downloads a computer script with a PHP extension from one of a number of predefined Web servers used by the virus author. After it is downloaded, that script runs and downloads, and then runs the actual worm file, says antivirus company F-Secure of Helsinki, Finland.
Fine-Tuned Threat
F-Secure researchers have passed the IP addresses of machines that are hosting the virus file to authorities who are shutting them down, according to Mikko Hyppönen, director of antivirus research at F-Secure.
The new Bagle variants prove that the author is continuing to experiment with new techniques to trick security products, says Cluley.
"There's a continuing evolution with Bagle. In the beginning there were regular attachments, then they switched to .zip files, then encrypted .zip files with passwords, then passwords stored in graphics files, and now this," he says.
The four new variants are closely related and may indicate some tinkering with the worm's code to fix problems, Cluley says. "There may be some bugs in the code that limited its success," he says.
Spreading Infection
Antivirus companies say that the Bagle.Q variant, the first in the latest batch, is the most widespread. F-Secure has rated Bagle.Q a Level 2 threat, indicating "large infections" within a specific region.
F-Secure has recorded infections in more than 20 countries from Bagle.Q, says Hyppönen.
Sophos has evidence of particularly heavy infections in South Korea, Cluley says.
Antivirus companies have posted software updates to detect the new Bagle variants. Computer users are also advised to apply the Microsoft patch, if they have not already done so, to protect against infection by the new Bagle variants.
