Bagle Worm Variant Slips Through Defenses

Containing scant text with the words "price" or "new price," Bagle.AQ-capable of bypassing some file filters and outbound firewall protections-includes infected Zip files that execute Trojans.

Another variant of the ubiquitous Bagle worm is now making its way across the Internet, flooding in-boxes with infected Zip files. The newest member of the Bagle family, named Bagle.AQ, arrives via an e-mail message with a spoofed sending address and no subject line. The only text in the message body is typically one or two words, either "price" or "new price."

The name of the infected Zip file that accompanies the message is some variation on that theme as well. The files often are named or, and may have a number appended to the end of the file name.

Bagle.AQ first appeared Monday and began circulating in earnest in the early afternoon Eastern time. Some users reported getting as many as 100 infected messages in an hour. Virus researchers said they first began seeing Bagle.AQ at about 8 a.m. Monday and have been seeing thousands of copies an hour.

/zimages/5/28571.gifClick here to read about a MyDoom variant that uses Yahoo People Search.

If a user opens the Zip file with an application such as Windows Internet Explorer that is not a standalone Zip file handler, the user will see an HTML file that contains exploit code. The file will then execute an included .exe file, which is a Trojan, according to McAfee Inc.s analysis. The Trojan then connects to a number of remote sites to download the actual viral code.

This new variant is one of the few worms or viruses known to download its viral payload remotely after it is already resident on a PC. It is not until the code is actually pulled down by the Trojan that Bagle.AQ begins trying to replicate itself by sending out e-mails.

Antivirus experts say the worm picked up a lot of momentum early Monday thanks to an aggressive spamming and seeding scheme employed by its author. They expect the worm to lose steam as time goes on and more and more of the remote servers hosting the viral code are shut down.

Vinny Gullotto, vice president of the AVERT team at McAfee in Santa Clara, Calif., said experts have closed down about half of the servers so far. Gullotto added that the worm uses a piece of JavaScript code that appears to be nearly three years old.

The worm also is capable of bypassing some file filters and outbound firewall protections, said Sam Curry, vice president of the eTrust security division at Computer Associates International Inc. in Islandia, N.Y. Because it can inject itself into the Explorer process space, the worms outgoing traffic will appear legitimate to most firewalls.

One sign of infection is that both TCP and UDP ports 2480 will be open on compromised machines.

Curry said CA has rated Bagle.AQ as a medium risk at this point, but will almost certainly up it to a high risk by the end of the day.

Editors Note: This story was updated to include more information about the worm.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.


Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/5/19420.gif