By: Jeff Johnston
A new version of the Bagle virus family uses a different infection method then older versions. Bagle-R and Bagle-Q have both been reported to spread via email without an attachment. Sophos reports that this is an attempt to bypass virus protection at the email gateway.
Bagle exploits a security hole in MS Outlook Express that Microsoft released a patch for five month ago. Unfortunately many people do not keep their computer up to date with the latest patches, which is why viruses like this are so successful. This particular strain attempts to download the virus via HTTP when the email is opened. The method that is used is the HTML within the email is coded to download and run a VisualBasic Script on the virus server, then the VBS connects to the same server and downloads the executable virus and runs it.
Like previous strains of Bagle these new strains attempt to disable firewalls and antivirus software once they are run. They also send to any address they find on the infected computer and disguise the sending information. According to Sophos the virus is reported to have used the following subject lines:
Re: Msg reply
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Incoming Message
Re: Incoming Fax
Fax Message Received
RE: Protected message
The virus is not particularly damaging to the infected system, but it does put a huge load on email servers by continually propagating itself. The primary goal of this virus is to spread and survive. However since the virus does disable antivirus software and firwalls your system is at risk of other attacks and infections if you become infected.
Opening an email should not give the authority to download and execute a VBS, this is a major security threat, and Microsoft has acknowledged it as such. The patch from Microsoft is available at www.microsoft.com/technet/security/bulletin/MS03-040.mspx . It is recommended that you ensure that your system is fully patched and check on a regular basis for new security releases. Home Windows users can go to windowsupdate.microsoft.com and have their system scanned for any unapplied patches.