[Alsfastball] Bagle Worm Variant Slips Through Defenses

Al Doran aldoran at pmihrm.com
Wed Aug 11 11:03:57 EDT 2004


1. update your antivirus software every day.
2. check your Windows updates daily.
3. use a firewall.

We have received well over 60 of these so far, most contain well known 
names from the world of Fastball, so more than one person we know is 
infected and being the careless dolts they are, their PCs are sending out 
the worm.  AD

Bagle Worm Variant Slips Through Defenses
By Dennis Fisher <mailto:dennis_fisher at ziffdavis.com>
August 9, 2004

Another variant of the ubiquitous Bagle worm is now making its way across 
the Internet, flooding in-boxes with infected Zip files. The newest member 
of the Bagle family <http://www.eweek.com/article2/0,1759,1624970,00.asp>, 
named Bagle.AQ, arrives via an e-mail message with a spoofed sending 
address and no subject line. The only text in the message body is typically 
one or two words, either "price" or "new price."

The name of the infected Zip file that accompanies the message is some 
variation on that theme as well. The files often are named Price.zip or 
New_price.zip, and may have a number appended to the end of the file name.


Bagle.AQ first appeared Monday and began circulating in earnest in the 
early afternoon Eastern time. Some users reported getting as many as 100 
infected messages in an hour. Virus researchers said they first began 
seeing Bagle.AQ at about 8 a.m. Monday and have been seeing thousands of 
copies an hour.


If a user opens the Zip file with an application such as Windows Internet 
Explorer that is not a standalone Zip file handler, the user will see an 
HTML file that contains exploit code. The file will then execute an 
included .exe file, which is a Trojan, according to the analysis by 
McAfee Inc. <http://www.mcafee.com/us/>. The Trojan then connects 
to a number of remote sites to download the actual viral code.

This new variant is one of the few worms or viruses known to download its 
viral payload remotely after it is already resident on a PC. It is not 
until the code is actually pulled down by the Trojan that Bagle.AQ begins 
trying to replicate itself by sending out e-mails.

Antivirus experts say the worm picked up a lot of momentum early Monday 
thanks to an aggressive spamming and seeding scheme employed by its author. 
They expect the worm to lose steam as time goes on and more and more of the 
remote servers hosting the viral code are shut down.

Vinny Gullotto, vice president of the AVERT team at McAfee in Santa Clara, 
Calif., said experts have closed down about half of the servers so far. 
Gullotto added that the worm uses a piece of JavaScript code that appears 
to be nearly three years old.

The worm also is capable of bypassing some file filters and outbound 
firewall protections, said Sam Curry, vice president of the eTrust security 
division at Computer Associates International Inc. in Islandia, N.Y. 
Because it can inject itself into the Explorer process space, the worm's 
outgoing traffic will appear legitimate to most firewalls.

One sign of infection is that both TCP and UDP ports 2480 will be open on 
compromised machines.
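The mail pattern described earlier (spoofed sender, empty subject, a "price"/"new price" body, a Price.zip or New_price.zip attachment with an optional number) and the port 2480 sign given here lend themselves to a simple triage check. The Python below is an added example, not code from the article, from McAfee, CA or the list poster; its regexes, the Message structure and the netstat -an sample are assumptions constructed from the article's description.

```python
import re
from dataclasses import dataclass

# Constructed indicators modelled on the article's description of Bagle.AQ mail:
# empty subject, body "price" or "new price", attachment Price.zip / New_price.zip
# with an optional number appended (e.g. price_3.zip, Price2.zip).
BODY_RE = re.compile(r"^\s*(new\s+)?price\s*[.!]?\s*$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^(new_?)?price_?\d*\.zip$", re.IGNORECASE)

@dataclass
class Message:
    subject: str
    body: str
    attachments: list  # attachment file names

def looks_like_bagle_aq(msg: Message) -> bool:
    """Mail-gateway triage heuristic: True only when every indicator the article
    lists is present. A hit is a reason to quarantine and inspect, not proof."""
    if msg.subject.strip():
        return False
    if not BODY_RE.match(msg.body):
        return False
    return any(ATTACH_RE.match(name.strip()) for name in msg.attachments)

# Constructed "netstat -an" style output (Windows layout) for the host-side check.
NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:2480           0.0.0.0:0              LISTENING
UDP    0.0.0.0:2480           *:*
UDP    0.0.0.0:500            *:*
"""

def open_on_port(netstat_output: str, port: int = 2480) -> set:
    """Return the set of protocols ('TCP'/'UDP') bound locally to `port`.
    Both TCP and UDP present on 2480 is the infection sign the article gives."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        if parts[1].rsplit(":", 1)[-1] == str(port):
            found.add(parts[0])
    return found

if __name__ == "__main__":
    sample = Message("", "new price", ["New_price.zip"])
    print("bagle-like mail:", looks_like_bagle_aq(sample))
    print("protocols on 2480:", open_on_port(NETSTAT_SAMPLE))
```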

Curry said CA has rated Bagle.AQ as a medium risk at this point, but will 
almost certainly up it to a high risk by the end of the day.

Editor's Note: This story was updated to include more information about the 
worm.