New Bagle worms crawl through old MS hole

Four new versions of the Bagle e-mail worm appeared on Thursday, and antivirus experts warn that new techniques by the worm’s creator could make it harder to stop the new worm variants.

Antivirus companies issued software updates and alerts about Bagle.Q, R, S and T. The new versions of the worm, which first appeared in January, do not carry file attachments containing the virus. Instead, they use a months-old Microsoft Corp. Windows security hole to break into vulnerable machines, experts said.

“It’s really nasty. Just previewing a message in an e-mail client could download the virus to your computer,” said Graham Cluley, senior technology consultant at Sophos PLC, in Abingdon, U.K.

The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability and concerns a problem with the way the Internet Explorer Web browser interprets HTTP data. The vulnerability, MS03-032, was patched by the Redmond, Wash., company in August 2003.

Previous versions of Bagle have shipped off copies of the virus as e-mail file attachments with ZIP, EXE and SCR attachments, among others.

Antivirus and antispam products can block the spread of such viruses by scanning incoming e-mail attachments, identifying the virus file by the name, size and other telltale characteristics. By foregoing file attachments, the Bagle author has made it easier to slip by security products, Cluley said.

Like its predecessors, the new Bagle worms arrive in e-mail messages with faked sender addresses and vague subjects such as “Re: Hello,” “Incoming message,” “Site changes,” and “Re: Hi.”

When opened or previewed on unpatched Windows systems, the Bagle e-mail message first downloads a computer script with a PHP extension from one of a number of predefined Web servers used by the virus author. After it is downloaded, that script runs and downloads, then runs the actual worm file, said antivirus company F-Secure Corp., of Helsinki, Finland.

F-Secure researchers have passed the IP addresses of machines that are hosting the virus file to authorities who are shutting them down, said according to Mikko Hypp

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now