[Alsfastball] Bagle Worm Variant Slips Through Defenses
Al Doran
aldoran at pmihrm.com
Wed Aug 11 11:03:57 EDT 2004
1. update your antivirus software every day.
2. check your Windows updates daily.
3. use a firewall
We have received well over 60 of these so far. Most contain well-known
names from the world of Fastball, so more than one person we know is
infected and, being the careless dolts they are, their PCs are sending out
the worm. AD
Bagle Worm Variant Slips Through Defenses
By Dennis Fisher (dennis_fisher at ziffdavis.com)
August 9, 2004
Another variant of the ubiquitous Bagle worm is now making its way across
the Internet, flooding in-boxes with infected Zip files. The newest member
of the <http://www.eweek.com/article2/0,1759,1624970,00.asp>Bagle family,
named Bagle.AQ, arrives via an e-mail message with a spoofed sending
address and no subject line. The only text in the message body is typically
one or two words, either "price" or "new price."
The name of the infected Zip file that accompanies the message is some
variation on that theme as well. The files often are named Price.zip or
New_price.zip, and may have a number appended to the end of the file name.
Bagle.AQ first appeared Monday and began circulating in earnest in the
early afternoon Eastern time. Some users reported getting as many as 100
infected messages in an hour. Virus researchers said they first began
seeing Bagle.AQ at about 8 a.m. Monday and have been seeing thousands of
copies an hour.
If a user opens the Zip file with an application that is not a standalone
Zip file handler, such as Internet Explorer, the user will see an HTML file
that contains exploit code. That code then runs an .exe included in the
archive, which is a Trojan, according to McAfee Inc.'s analysis
(http://www.mcafee.com/us/). The Trojan then connects to a number of remote
sites to download the actual viral code.
This new variant is one of the few worms or viruses known to download its
viral payload remotely after it is already resident on a PC. It is not
until the code is actually pulled down by the Trojan that Bagle.AQ begins
trying to replicate itself by sending out e-mails.
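The delivery pattern described above (spoofed sender, empty subject, a body of
just "price" or "new price", a Price.zip/New_price.zip attachment holding an
HTML file and an .exe) is specific enough to filter at the mail gateway. The
following is an added example, not code from the eWEEK article or from any
vendor's product: it scores one RFC 5322 message against those indicators.
The sample messages, the attachment contents (harmless placeholder bytes) and
the three-indicator quarantine threshold are this example's own assumptions.

```python
"""Mail-gateway heuristic for the Bagle.AQ delivery pattern (added example).

Indicators taken from the article: empty Subject, body consisting only of
"price" / "new price", a Zip named Price.zip or New_price.zip (optionally
with digits appended), and a Zip that carries both an HTML file and an .exe.
Sample data below is constructed here; the threshold is an assumption.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_NAME_RE = re.compile(r"^(price|new_price)\d*\.zip$", re.IGNORECASE)
BODY_WORDS = {"price", "new price"}


def zip_members(data: bytes) -> list[str]:
    """Member names of an in-memory Zip, or [] if the bytes are not a valid Zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def bagle_aq_indicators(raw: bytes) -> list[str]:
    """Return the Bagle.AQ indicators present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODY_WORDS:
        hits.append("body-is-price")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ZIP_NAME_RE.match(name):
            continue
        hits.append("zip-name-price")
        names = [n.lower() for n in zip_members(part.get_payload(decode=True))]
        has_html = any(n.endswith((".htm", ".html")) for n in names)
        has_exe = any(n.endswith(".exe") for n in names)
        if has_html and has_exe:
            hits.append("zip-has-html-and-exe")
    return hits


def looks_like_bagle_aq(raw: bytes, min_hits: int = 3) -> bool:
    """Quarantine when at least min_hits indicators match (assumed threshold)."""
    return len(bagle_aq_indicators(raw)) >= min_hits


def build_sample_message(subject: str, body: str, zip_name: str, members: dict) -> bytes:
    """Construct a test message with an in-memory Zip attachment (sample data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "victim@example.invalid"
    if subject:  # the worm's mail carries no Subject header at all
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample_message("", "new price", "New_price3.zip",
                                     {"price.html": "<html>placeholder</html>",
                                      "price.exe": b"MZ placeholder"})
    benign = build_sample_message("Q3 price list", "Attached as discussed.", "pricelist.zip",
                                  {"pricelist.csv": "sku,price\n1,2.50\n"})
    print(bagle_aq_indicators(worm_like), looks_like_bagle_aq(worm_like))
    print(bagle_aq_indicators(benign), looks_like_bagle_aq(benign))
```

Requiring several indicators together keeps a legitimate "price list" mail
with a single matching trait from being quarantined; the Zip-content check is
the strongest signal, since an archive that pairs an HTML file with an .exe is
the mechanism the article describes rather than just its wording.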
Antivirus experts say the worm picked up a lot of momentum early Monday
thanks to an aggressive spamming and seeding scheme employed by its author.
They expect the worm to lose steam as time goes on and more and more of the
remote servers hosting the viral code are shut down.
Vinny Gullotto, vice president of the AVERT team at McAfee in Santa Clara,
Calif., said experts have closed down about half of the servers so far.
Gullotto added that the worm uses a piece of JavaScript code that appears
to be nearly three years old.
The worm also is capable of bypassing some file filters and outbound
firewall protections, said Sam Curry, vice president of the eTrust security
division at Computer Associates International Inc. in Islandia, N.Y.
Because it can inject itself into the Explorer process space, the worm's
outgoing traffic appears to originate from Explorer, a process most personal
firewalls already allow, so the traffic looks legitimate to them.
One sign of infection is that both TCP and UDP ports 2480 will be open on
compromised machines.
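The port indicator above is easy to check during triage from `netstat -ano`
output. The following is an added example, not code from the article or from
any vendor tool: it parses Windows netstat rows (the sample output below is
constructed here) and reports a match only when both a TCP listener and a UDP
socket are bound to port 2480, as the article states, so a lone socket on that
port is not reported.

```python
"""Host triage for the Bagle.AQ listener: TCP and UDP port 2480 (added example).

Parses `netstat -ano` style rows and correlates the two protocols. The sample
output is constructed for this example; only the port number comes from the
article.
"""
import re

BAGLE_AQ_PORT = 2480  # from the article

# Windows `netstat -ano` row: Proto  Local  Foreign  [State]  PID (UDP rows have no State)
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s+(\d+)\s*$")

# Constructed sample: PID 1492 bound to 2480 on both protocols, plus unrelated noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:2480           0.0.0.0:0              LISTENING       1492
  UDP    0.0.0.0:2480           *:*                                    1492
  UDP    0.0.0.0:500            *:*                                    820
"""


def parse_netstat(text: str) -> list[tuple[str, int, str, int]]:
    """Return (proto, local_port, state, pid) per socket row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, _host, port, _foreign, state, pid = m.groups()
            rows.append((proto, int(port), state or "", int(pid)))
    return rows


def bagle_aq_listener(text: str, port: int = BAGLE_AQ_PORT) -> dict:
    """Match only when port is bound as a TCP listener and as a UDP socket."""
    rows = parse_netstat(text)
    tcp = sorted({pid for proto, p, state, pid in rows
                  if proto == "TCP" and p == port and state == "LISTENING"})
    udp = sorted({pid for proto, p, _state, pid in rows
                  if proto == "UDP" and p == port})
    return {"match": bool(tcp) and bool(udp), "tcp_pids": tcp, "udp_pids": udp}


if __name__ == "__main__":
    print(bagle_aq_listener(SAMPLE_NETSTAT))
```

The PIDs returned are the next lead: resolve them with `tasklist /FI "PID eq 1492"`.
Since the article says the worm injects into Explorer, the owning process may
well be explorer.exe rather than an obviously foreign binary, which is exactly
why the port pair, not the process name, is the indicator to rely on here.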
Curry said CA has rated Bagle.AQ as a medium risk at this point, but will
almost certainly up it to a high risk by the end of the day.
Editor's Note: This story was updated to include more information about the
worm.