HAURI News

[EITPlanet.com] Bagle Proves Relentless - EITPlanet.com
04/05/04
Malicious coders have been busy tweaking the Bagle worm, making the persistent bug even more infectious.

The new P, Q and R Bagle variants, first discovered late last week, promise to make life miserable for admins and end-users whose anti-virus software is not updated. San Jose, CA-based computer security firm Global Hauri reports that these worms exploit vulnerabilities in Internet Explorer (MS03-032) and Windows Media Player (MS03-048) to deploy their payloads. The IE security hole was recently shuttered by a patch from Microsoft.

Collectively, the worms are spreading twice as fast as last year's MyDoom virus, according to the company. Panda Software reports that among the trio, Bagle.Q is leading the pack in terms of its ability to spread.

More disturbingly, the sensible precaution of not launching attachments does not deter these new Bagles. Merely selecting and previewing the email is enough to infect a machine.

Given this new twist, Global Hauri provides the following list of subject lines, which highlights some of the telltale signs of an infected email, including some unorthodox use of the English language:

- Password: %s
- Pass - %s
- Password - %s
- E-mail account security warning.
- Notify about using the e-mail account.
- Warning about your e-mail account.
- Important notify about your e-mail account.
- Email account utilization warning.
- E-mail technical support message.
- E-mail technical support warning.
- Email report
- Important notify
- Account notify
- E-mail warning
- Notify from e-mail technical support.
- Notify about your e-mail account utilization.
- E-mail account disabling warning.
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- Re: Incoming Fax - Hidden message
- Fax Message Received
- Protected message
- RE: Protected message
- Forum notify
- Request response
- Site changes
- Re: Hi
- Encrypted document

The worms direct infected machines to open TCP port 81, which allows the receipt of an HTA file and a directs.exe file via HTTP. Before all is said and done, they establish a backdoor on TCP 2556.
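To make the two sets of indicators in this article (the published subject lines and the TCP 81 / TCP 2556 listeners) usable at a mail gateway or on a flow collector, here is an added example; it is not part of the article or of Global Hauri's material. It matches subjects against the list above, treating the worm's `%s` placeholder as a wildcard, and correlates matches with flow records showing internal hosts accepting connections on the two ports. The log line formats, IP addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Subject lines listed in the article for the Bagle.P/Q/R variants.
# "%s" is the worm's own format placeholder; it is treated as a wildcard.
BAGLE_SUBJECTS = [
    "Password: %s", "Pass - %s", "Password - %s",
    "E-mail account security warning.",
    "Notify about using the e-mail account.",
    "Warning about your e-mail account.",
    "Important notify about your e-mail account.",
    "Email account utilization warning.",
    "E-mail technical support message.",
    "E-mail technical support warning.",
    "Email report", "Important notify", "Account notify", "E-mail warning",
    "Notify from e-mail technical support.",
    "Notify about your e-mail account utilization.",
    "E-mail account disabling warning.",
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "Re: Incoming Fax - Hidden message",
    "Fax Message Received", "Protected message", "RE: Protected message",
    "Forum notify", "Request response", "Site changes", "Re: Hi",
    "Encrypted document",
]

# Ports the article attributes to the worms: TCP 81 for fetching the HTA
# and directs.exe over HTTP, TCP 2556 for the backdoor.
BAGLE_PORTS = {81, 2556}


def subject_to_regex(subject: str) -> re.Pattern:
    """Turn one listed subject into an anchored, case-insensitive regex;
    each %s placeholder matches any non-empty text."""
    parts = [re.escape(p) for p in subject.split("%s")]
    return re.compile(r"^\s*" + r".+".join(parts) + r"\s*$", re.IGNORECASE)


SUBJECT_PATTERNS = [subject_to_regex(s) for s in BAGLE_SUBJECTS]


def is_bagle_subject(subject: str) -> bool:
    """True if the subject matches any published Bagle subject line."""
    return any(p.match(subject) for p in SUBJECT_PATTERNS)


def triage(mail_lines, flow_lines):
    """Correlate mail-gateway and flow records per internal host.

    Both record formats are assumptions made for this example:
      mail: "<ts>|<recipient host ip>|<subject>"
      flow: "<ts> <src ip> <dst ip> <proto> <dst port>"
    Returns {host: {"tags": [...], "severity": "low"|"medium"|"high"}}.
    """
    tags = defaultdict(set)
    for line in mail_lines:
        _ts, host, subject = line.strip().split("|", 2)
        if is_bagle_subject(subject):
            tags[host].add("bagle-subject")
    for line in flow_lines:
        _ts, _src, dst, proto, dport = line.split()
        if proto.lower() == "tcp" and int(dport) in BAGLE_PORTS:
            # The indicator is an internal host *accepting* connections on
            # these ports: the worm opens the listener on the infected box.
            tags[dst].add(f"listener-tcp-{dport}")
    result = {}
    for host, t in tags.items():
        has_mail = "bagle-subject" in t
        has_port = any(x.startswith("listener-") for x in t)
        sev = "high" if has_mail and has_port else ("medium" if has_port else "low")
        result[host] = {"tags": sorted(t), "severity": sev}
    return result


# Constructed sample records (hypothetical formats, private addresses).
MAIL_LOG = [
    "2004-04-05T09:12:01|10.0.0.15|Password - 8a3f",
    "2004-04-05T09:13:44|10.0.0.22|Quarterly numbers",
    "2004-04-05T09:15:09|10.0.0.31|re: hello",
]
FLOW_LOG = [
    "2004-04-05T09:20:10 10.0.0.15 10.0.0.99 tcp 25",
    "2004-04-05T09:21:02 10.0.0.40 10.0.0.15 tcp 81",
    "2004-04-05T09:30:55 10.0.0.40 10.0.0.22 tcp 2556",
    "2004-04-05T09:31:00 10.0.0.40 10.0.0.31 udp 81",
]

if __name__ == "__main__":
    for host, finding in sorted(triage(MAIL_LOG, FLOW_LOG).items()):
        print(host, finding["severity"], ", ".join(finding["tags"]))
```

A subject match on its own is noisy (a genuine "Re: Hi" is common), which is why the example only rates a host "high" when it both received a matching message and has started accepting connections on TCP 81 or 2556; a listener alone is "medium" because that is the behaviour the article describes after infection. This is a stopgap for the window in which, as the article notes, anti-virus signatures are not yet updated.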

Source: http://www.enterpriseitplanet.com/security/news/article.php/3329181