By Munir Kotadia, 18 March 2004 18:00
The Bagle worm has returned, exploiting an old Outlook flaw to spread even more quickly.
Users no longer have to click on an attachment to spread the Bagle virus because the latest variants are exploiting an old flaw in Microsoft Outlook that allows the worm to spread even more quickly.
Until the appearance of Bagle variants Q, R and S, users had to click on an emailed attachment to be infected by the worm. However, these attachments were easily spotted by antivirus programs and eliminated. To fool antivirus software, the next batch of Bagles was sent with the infected attachment hidden inside an encrypted Zip file, with the password to open the file contained in the email's text. Antivirus companies dealt with this change within a few days, so in the next variant the password appeared in a small graphic file, making it more difficult to scan.
The latest Bagle incarnation has done away with the attachment altogether and spreads when a vulnerable user opens the email using an unpatched version of Microsoft Outlook. If their Outlook preview pane is open, the victim's machine will be compromised automatically. Because of this change in tactics, experts fear the worm could spread very quickly.
Sophos's senior technology consultant, Graham Cluley, said: "This is a really sneaky, cunning trick. It's exploiting a five- or six-month-old Outlook security vulnerability so that just previewing an email - not the attachment - in an unpatched copy of Outlook will result in the virus being dragged from an infected machine to your machine. This has the potential to spread very quickly because so many people, particularly home users, have not applied the patches."
Mikko Hyppönen, director of antivirus research at F-Secure, said the latest variant uses a list of about 600 IP addresses, which all seem to be home computers connected to an ADSL service that have been infected by previous versions of Bagle. These "zombie" machines have been updated and are now used to send copies of the new worm to any computer whose user views an infected email message in a vulnerable copy of Outlook.
Outlook uses elements of Internet Explorer to render the HTML for its preview pane, so to avoid the new Bagle worms, users should apply a patch for Internet Explorer that Microsoft released in October 2003.
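The delivery pattern described above, an HTML message whose preview-pane rendering pulls content from bare IP addresses rather than a clicked attachment, is something a mail gateway can screen for before the message reaches an unpatched client. The following is an added example, not code from the article or from any of the vendors quoted; the sample message, addresses and IPs are constructed documentation values and no real Bagle indicators are reproduced.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Attributes an HTML mail client dereferences without any click from the reader.
REMOTE_ATTRS = {"src", "href", "data", "background", "action"}
IPV4_URL = re.compile(r"^\s*(?:https?|ftp)://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:[/?#]|$)", re.I)

class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) for every remote reference in an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in REMOTE_ATTRS and value:
                self.refs.append((tag.lower(), value))

def ip_literal_refs(raw_message: bytes):
    """Return (tag, url, ip) for each HTML reference whose host is a bare IPv4 literal."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = RemoteRefCollector()
        collector.feed(part.get_content())
        for tag, url in collector.refs:
            m = IPV4_URL.match(url)
            if m:
                hits.append((tag, url, m.group(1)))
    return hits

# Constructed sample message (addresses and IPs are documentation values, not real IoCs).
SAMPLE_EML = b"""From: sender@example.invalid
Subject: hi
Content-Type: text/html; charset="us-ascii"

<html><body>Hello.
<img src="http://192.0.2.10/logo.gif">
<iframe src="http://192.0.2.55:81/x.html"></iframe>
<a href="http://www.example.com/">normal link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, ip in ip_literal_refs(SAMPLE_EML):
        print(f"suspicious <{tag}> reference to bare IP {ip}: {url}")
```

The named-host link is deliberately left unflagged so the heuristic stays narrow; pair it with the patching advice above rather than treating it as a substitute.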
Munir Kotadia writes for ZDNet UK


Comments
There are 12 comments.
1. anonymous
Sophos's senior technology consultant, Graham Cluley, said: "This is a really sneaky, cunning trick. It's exploiting a five- or six-month-old Outlook security vulnerability so that just previewing an email - not the attachment - in an unpatched copy of Outlook will result in the virus being dragged from an infected machine to your machine. This has the potential to spread very quickly because so many people, particularly home users, have not applied the patches."
Uh, isn't that more like a 5 or 6 YEAR old flaw in MS's OE? They've been told over and over again to make the default option make the user WANT to run code automatically before it is. Strange that this isn't the way it happens. Strange, or lazy. They came up with a patch, but it STILL allowed it; they just made it so that 'known' executable extensions wouldn't run. Too bad screen savers are just EXEs. :P
2. anonymous
WHY CAN'T PEOPLE PUT THEIR KNOWLEDGE TO GOOD CAUSES RATHER THAN CREATE HAVOC FOR PEOPLE?
3. anonymous
Pity there's no link to the patch - otherwise this is a really useful virus notification service
4. anonymous
I agree, good service; shame about the missing patch link.
5. anonymous
Could you advise me how to find the patch to put it on my computer?
Thanks
6. anonymous
Is Outlook Express also vulnerable?
Microsoft's bulletin MS03-040 on the vulnerability gives equal prominence to Outlook and Outlook Express.
7. anonymous
so remind us all what the patch is and where it can be obtained...
8. anonymous
the patch...
I expect it could be found via IE, go to "Tools>Windows Update"!
9. anonymous
Yes, OE and Outlook both have this same flaw (mostly because they're 90% the same code). The easiest way to get the patch is to run "windowsupdate.microsoft.com", or to do a search for it on their site.
10. anonymous
And the latest try - an email of a joke (and a half) with the entire text as a hotspot for a link.
I don't know what the payload was - File SaveAS Txt gave me an almost empty file.
11. Mark Carter
Microsoft is truly an amazing company, isn't it? Executing files automatically from emails - I mean, who could think of a more dangerous vulnerability. And it's so obvious, too. I'm surprised that we don't see more of these types of viruses.
12. Naomi Thornhill
I hate the Bagle! This article tells me how I managed to get it, but what it doesn't mention, and none of them do, is how/why the Bagle has stopped me being able to send email. Help???