March 12, 2010

Four New Variants of Bagle Email Worm Discovered

Several security vendors issued alerts for four new variants of the Bagle email worm Thursday: Bagle.Q, Bagle.R, Bagle.S and Bagle.T.

The Q variant differs from the previous Bagle variants in that it attempts to spread to new hosts by having them download it from a web server it installs on already-infected hosts, according to F-Secure.

The email contains an exploit that downloads and executes a script with ".php" extension from the web. Further information about this vulnerability, known as Internet Explorer Object Data Remote Execution, is available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx

The script is downloaded from a predefined list of servers. This script, which is actually written in Visual Basic Script, drops another script, "q.vbs", on the system. That script then downloads the worm itself, served as a file with a ".jpeg" extension, saves it as "sm.exe" and executes it.

Bagle.Q also parasitically infects EXE files.

When Bagle.Q copies itself to the system (as DIRECTS.EXE), it uses an icon which looks fairly innocent. View the icon and more information about Bagle.Q here.

Further information about the R variant is available here.

Further information about the S variant is available here.

Further information about the T variant is available here.

W32/Bagle.q@MM is a new W32/Bagle variant that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
  • encrypted polymorphic parasitic file infector
  • This virus is detected as a Trojan or variant New Malware.b when scanning with the 4339 DATs or greater, with program heuristics and the scanning of compressed files enabled. Parasitically infected files are detected as virus or variant W32/Bagle with the 4338 DATs (or greater).

    The message bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification.

    NOTE: Analysis shows that the virus is able to propagate via email containing hidden HTML code. These emails do not contain a binary attachment, but use Microsoft vulnerabilities to download the virus from remote sites.

    The details are as follows:

    From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

  • management@
  • administration@
  • staff@
  • noreply@
  • support@
  • antivirus@
  • antispam@

    More information is at this Network Associates page.

    W32/Bagle-Q is a mass-mailing virus. This virus spreads in an unusual manner, so the information below should be read carefully.

  • W32/Bagle-Q spreads via a "carrier" email which does not contain the worm as an attachment.
  • When you open a "carrier" email, the email attempts to exploit a vulnerability in Outlook which automatically downloads W32/Bagle-Q from the PC which sent you the "carrier" email. The security vulnerability was reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.
  • The "carrier" email downloads and launches a Visual Basic script. This script downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on the sender's PC.
  • The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe
  • W32/Bagle-Q loads on your PC and terminates a wide range of security applications
  • A registry entry is added to the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that the program directs.exe loads every time you log on to your computer.

  • W32/Bagle-Q makes multiple copies of itself into folders which are likely to be part of a file-sharing network.
  • W32/Bagle-Q infects programs on your PC by appending itself to existing EXE files (this is called "parasitic virus infection").

    Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected you will not pass the virus on to others.

    You should also apply the latest Internet Explorer/Outlook Express patches from Microsoft. The vulnerability used by W32/Bagle-Q is described in the Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag vulnerability in Popup Window". More information is at this Sophos page.

    TrendLabs HQ declared a Yellow alert to control the spread of the malware, which it recognizes as PE_Bagle.Q. Like recent Bagle variants, this malware also infects files but it employs a known vulnerability to propagate.

    This new Bagle variant propagates via email in two ways. The first is by sending email messages that carry a URL instead of a file attachment. Opening this email starts a series of events that eventually downloads this file infector onto the system.

    It is able to do this through the use of a known vulnerability in Microsoft Outlook, which is known as the Object Tag vulnerability in Popup Window (MS03-040). This exploit allows a malicious user to run arbitrary code on a user's system by creating an HTML-based email that exploits this vulnerability.

    For more information about this vulnerability, please refer to the following link:

    http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

    It also spreads by sending email messages with itself as attachment. The email it sends out has varying subjects, message bodies, and attachment file names.

    It attempts to spread via peer-to-peer file-sharing networks by dropping files in folders that have the text string "shar" in their names (for example, C:\Program Files\Kazaa\My Shared Folder).

    This virus also has backdoor capabilities. It opens port 2556 and other randomly-generated ports to wait for commands from a malicious user. It also has the ability to terminate certain processes, most of which are related to antivirus and firewall applications.

    It runs on Windows 98, ME, NT, 2000 and XP. Technical details are at this Trend Micro page.
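The indicators that the Sophos and Trend Micro write-ups above agree on (the worm download over TCP port 81, the directs.exe entry under the Run key, the copies dropped into "shar" folders and the fixed backdoor port 2556) can be turned into a simple log and host triage. The following is an added example, not code from any of the vendors quoted here; the firewall log format, the system folder path and all sample data are constructed.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the Sophos and Trend Micro write-ups above.
WORM_DOWNLOAD_PORT = 81       # the VBS dropper fetches the worm over HTTP on TCP/81
BACKDOOR_PORT = 2556          # the fixed backdoor listener (the others are random)
DROPPED_NAME = "directs.exe"  # copy written to the system folder and added to the Run key

# Constructed firewall log format (assumed, not any real product's format):
# "<date> <time> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port> <IN|OUT>"
LOG_RE = re.compile(
    r"^\S+ \S+ (?:ALLOW|DENY) TCP (?P<src>[^:\s]+):\d+ -> "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) (?P<dir>IN|OUT)$"
)

# Constructed sample lines: one worm download, one normal web hit, one backdoor connect.
SAMPLE_LOG = [
    "2004-03-18 10:22:01 ALLOW TCP 10.0.0.5:1034 -> 198.51.100.7:81 OUT",
    "2004-03-18 10:22:05 ALLOW TCP 10.0.0.5:1035 -> 198.51.100.7:80 OUT",
    "2004-03-18 10:23:40 ALLOW TCP 203.0.113.9:4411 -> 10.0.0.5:2556 IN",
    "not a firewall line",
]

def flag_connections(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (direction, src, dst, dst_port) for every line hitting the worm's ports."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than guess
        dport = int(m.group("dport"))
        if dport in (WORM_DOWNLOAD_PORT, BACKDOOR_PORT):
            hits.append((m.group("dir"), m.group("src"), m.group("dst"), dport))
    return hits

def flag_run_key(values: Dict[str, str], system_dir: str = r"C:\WINDOWS\system32") -> List[str]:
    """Flag Run-key value names (name -> command map, e.g. exported with reg query)
    whose command launches directs.exe from the system folder; system_dir is assumed."""
    wanted = (system_dir + "\\" + DROPPED_NAME).lower()
    return [n for n, cmd in values.items() if cmd.strip().strip('"').lower().startswith(wanted)]

def flag_share_folder_exes(paths: List[str]) -> List[str]:
    """Flag .exe files in any folder whose path contains 'shar' (the worm's P2P drop rule)."""
    out = []
    for p in paths:
        folder, _, name = p.replace("/", "\\").rpartition("\\")
        if name.lower().endswith(".exe") and "shar" in folder.lower():
            out.append(p)
    return out
```

Running `flag_connections(SAMPLE_LOG)` reports the port 81 download and the port 2556 backdoor connection and ignores the ordinary port 80 request.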

    Panda Software issued alerts for Bagle.Q and Bagle.T, viruses that have worm characteristics. Both infect PE files, increasing their size by 26 KBytes. Bagle.Q and Bagle.T spread via e-mail in a message with variable characteristics and through peer-to-peer (P2P) file sharing programs.

    They attempt to connect to several IP addresses, in order to download and run a file on the affected computer.

    In addition, both variants end the processes belonging to several antivirus programs, firewalls and system monitoring tools. They also end the processes belonging to previous variants of the Bagle and Netsky worms.

    Technical details are at this Panda Software page.

    W32.Beagle.R@mm is a variant of W32.Beagle.O@mm. This worm attempts to send an HTML email to addresses found in files on the infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability that allows the automatic download and execution of a file hosted on a remote website. This file is a copy of the worm, but may change in the future.

    In addition, the worm opens a backdoor and attempts to spread through file-sharing networks by copying itself to folders with "shar" in their names. The worm is also a file infector that appends itself to .exe files found in the c:\emails folder on the computer.

    Technical details are at this Symantec page.

    --Compiled by Esther Shein
