New recipe for Bagle causes IT health risks

18 Mar 2004

Virus spotters beware: two new variants of the Bagle virus are taking a different approach to delivering their payload by not carrying attachments, in order to bypass security systems.

Instead of spreading via .ZIP files or other attachment types, the W32/Bagle-Q and W32/Bagle-R variants exploit a vulnerability in Microsoft Outlook. If a user with an unprotected version of the email software opens an infected message and clicks on the web address contained in it, malicious code is automatically downloaded.

The malware prevents a wide range of security applications such as anti-virus or firewall programs from running. According to the anti-virus firm Sophos, this potentially opens up a PC to further attack. The latest Bagles also attempt to spread via file-sharing networks and infect other executable files.

The Outlook vulnerability was originally discovered five months ago. It is known as the Object Tag vulnerability in Popup Window (MS03-040) and it allows a malicious user to run arbitrary code on a user’s system by creating an HTML-based email that exploits this vulnerability. It runs on Windows 98, NT, ME, 2000 and XP.

Security software provider Trend Micro has identified backdoor capabilities in the virus. It opens port 2556 and other randomly generated ports to wait for commands from a malicious user. The company has so far only classed Bagle-Q as medium risk although it said the potential for damage and for further distribution is high.

“All computer users should be wary of this worm – we’ve already had reports from some parts of the world – particularly Korea, which is known for its uptake and use of technology,” said Graham Cluley, senior technology consultant at Sophos. “Exploiting a security loophole in the popular Microsoft Outlook email system means these worms have the potential to hit hard. Both home and business computer users need to make sure they are patched against all vulnerabilities.”

Users have been advised to obtain and apply the latest Internet Explorer and Outlook Express patches from Microsoft, which will prevent the automatic download of the virus. Network administrators should disallow inbound and outbound connections to TCP port 81 through their firewall. Doing so will stop PCs on a network from downloading the worm from outside and will ensure that, even if infection occurs, the virus will not be passed on to others.

The patch against the Microsoft Outlook security vulnerability can be downloaded from Home users of Microsoft Windows can visit to have their systems scanned for Microsoft security vulnerabilities.

By Gordon Smith