New Bagle Opens Broad Attack

By Jay Munro  |  Posted 2004-08-10 Print this article Print

Those odd "" files you're getting contain a dangerous new virus. We'll tell you how to beat it.

What started as a dribble early on Monday became a fusillade of e-mail messages from countless senders, but all bearing Zip files containing the potentially malicious Bagle.AQmm (aka Bagle.AC) virus. While still only a medium alert on most virus watch sites, the speed with which the virus has spread and the amount of spam mail it has created frightened users and prompted IT departments to send out e-mails warning users not to open to Zip files. Here are the details on how to recognize and combat this new threat.

Name: W32/Bagle.AQ-mm
Affects: Windows XP/2000/NT/9x/Me/2003 Server What it does: Bagle.AQ is a mass mailing worm that spreads primarily by e-mail using an JavaScript exploit JS/IllWill, first seen in October 2001. When the HTML file is executed, it executes a companion .EXE file which infects the victims PC by downloading the actual worm code. When it infects, Bagle.AQ harvests e-mail addresses from the victims PC and sends copies of it using its own SMTP engine. The worm also installs a remote access component, opens a backdoor on port 2480, and notifies the attacker. Bagle.AQ attempts to remove registry keys, and stop processes associated with security and antivirus software. How to prevent it: Do not open attachments. Get the latest updates from your antivirus company. Use a firewall with port 2480 blocked. A mitigating factor may be that the JavaScript exploit has been detectable for several years, which may be caught before the worm can execute. How to remove it: At this writing, it is unconfirmed that all antivirus companies can detect and clean. McAfee VirusScan detected and cleaned on our test machine once it was infected, as did TrendMicro Housecall. Trend Micros online Housecall, or McAfees Stinger. Click here to read the full story, including instructions for removing Bagle.AQ manually, at Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel