Bagle Worm Variant Slips Through Defenses | eWeek

Bagle Worm Variant Slips Through Defenses

Écrit par
Dennis Fisher
Dennis Fisher
Aug 9, 2004
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Another variant of the ubiquitous Bagle worm is now making its way across the Internet, flooding in-boxes with infected Zip files. The newest member of the Bagle family, named Bagle.AQ, arrives via an e-mail message with a spoofed sending address and no subject line. The only text in the message body is typically one or two words, either “price” or “new price.”

The name of the infected Zip file that accompanies the message is some variation on that theme as well. The files often are named Price.zip or New_price.zip, and may have a number appended to the end of the file name.

Bagle.AQ first appeared Monday and began circulating in earnest in the early afternoon Eastern time. Some users reported getting as many as 100 infected messages in an hour. Virus researchers said they first began seeing Bagle.AQ at about 8 a.m. Monday and have been seeing thousands of copies an hour.

/zimages/5/28571.gifClick hereto read about a MyDoom variant that uses Yahoo People Search.

If a user opens the Zip file with an application such as Windows Internet Explorer that is not a standalone Zip file handler, the user will see an HTML file that contains exploit code. The file will then execute an included .exe file, which is a Trojan, according to McAfee Inc.s analysis. The Trojan then connects to a number of remote sites to download the actual viral code.

This new variant is one of the few worms or viruses known to download its viral payload remotely after it is already resident on a PC. It is not until the code is actually pulled down by the Trojan that Bagle.AQ begins trying to replicate itself by sending out e-mails.

Antivirus experts say the worm picked up a lot of momentum early Monday thanks to an aggressive spamming and seeding scheme employed by its author. They expect the worm to lose steam as time goes on and more and more of the remote servers hosting the viral code are shut down.

Vinny Gullotto, vice president of the AVERT team at McAfee in Santa Clara, Calif., said experts have closed down about half of the servers so far. Gullotto added that the worm uses a piece of JavaScript code that appears to be nearly three years old.

The worm also is capable of bypassing some file filters and outbound firewall protections, said Sam Curry, vice president of the eTrust security division at Computer Associates International Inc. in Islandia, N.Y. Because it can inject itself into the Explorer process space, the worms outgoing traffic will appear legitimate to most firewalls.

One sign of infection is that both TCP and UDP ports 2480 will be open on compromised machines.

Curry said CA has rated Bagle.AQ as a medium risk at this point, but will almost certainly up it to a high risk by the end of the day.

Editors Note: This story was updated to include more information about the worm.

/zimages/5/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis.

/zimages/5/77042.gif

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/5/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.