Network Security
FW: [ISN] New Bagle Worm Variant Can Run Without Launching Attachment
- From: Howell, Paul
- Date: Fri Mar 19 12:17:39 2004
-----Original Message-----
From: owner-isn@attrition.org [mailto:owner-isn@attrition.org] On Behalf Of
InfoSec News
Sent: Friday, March 19, 2004 6:43 AM
To: isn@attrition.org
Subject: [ISN] New Bagle Worm Variant Can Run Without Launching Attachment
http://www.eweek.com/article2/0,1759,1550841,00.asp
By Larry Seltzer
March 18, 2004
A series of new variants of the prolific Bagle worm has raised alarms in the
security community through an innovative infection mechanism:
The e-mail message in which the variants arrive may have no file attachment,
and it's possible for a user to become infected without having to launch
one.
The message includes a Windows ActiveX control and uses a vulnerability
announced and patched by Microsoft Corp. in August and another problem from
last October. The most recent Cumulative Security Update for Internet
Explorer also includes a fix for the more recently discovered flaw.
The ActiveX control does not contain the actual worm, according to McAfee
Security. Instead, it creates and runs a VBScript on the system, which
downloads and executes the worm from one of a list of IP addresses.
According to McAfee, as of 06:45 PST on March 18, "The majority of the 590
IP addresses seen have been closed down. At the time of writing, 39 were
still responding."
Antivirus companies have become out of sync with each other with respect to
Bagle variants. Panda Software refers to the new ones as Bagle.P, Bagle.Q
and Bagle.R, with Bagle.Q as the most serious one.
Panda reports that the worm "infects PE files [which are standard Windows
.EXE programs], downloads a file from the Internet and ends processes
belonging to security applications." Kaspersky Labs Int.'s analysis of the
code says that the program attempts to infect PE files but fails to do so
due to an error in the code.
According to Trend Micro Inc.'s analysis of the worm, it also spreads
through the conventional e-mail attachment mechanism, as well as through
peer-to-peer networks and shared folders. Symantec Corp. calls the three
worms Beagle.R, Beagle.S and Beagle.T but did not have analysis ready for
them as of this story's posting.
The ActiveX infection mechanism requires that the e-mail client permit
ActiveX controls to run in HTML e-mail. Microsoft e-mail clients have
disallowed this feature by default for several years.
All of the major antivirus companies claim to have detection definitions
available for the worms. However, they haven't necessarily prepared
disinfection routines.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the
BODY of the mail.
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
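The article describes the delivery pattern but not how to spot it on the wire: an HTML mail part that instantiates an ActiveX control (an <object> tag with a clsid: classid) and carries a VBScript block. The script below is an added example, not code from the article, McAfee or any vendor quoted above. It uses Python's standard email module to walk the MIME parts of a message and flag those two indicators plus vbscript: URLs, the kind of check a mail gateway can apply regardless of how the receiving client's HTML zone is configured. Both sample messages are constructed for this example; the CLSID and addresses in them are placeholders, not values taken from any Bagle sample.

```python
"""
Flag HTML e-mail parts that try to instantiate an ActiveX control or run
VBScript, the delivery pattern the article attributes to these Bagle
variants.  Added example; the messages below are constructed, and the
CLSID and addresses in them are placeholders, not real sample data.
"""
import re
from email import message_from_string
from email.message import Message

# Content that legitimate HTML mail has no need for.
ACTIVEX_OBJECT = re.compile(
    r'<object\b[^>]*\bclassid\s*=\s*["\']?clsid:', re.I)
VBSCRIPT_BLOCK = re.compile(
    r'<script\b[^>]*\b(?:language|type)\s*=\s*["\']?(?:text/)?vbs(?:cript)?', re.I)
VBSCRIPT_URL = re.compile(r'\bvbscript:', re.I)


def html_parts(msg: Message):
    """Yield the decoded text of every text/html part, including nested ones."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")


def scan_message(raw: str) -> list:
    """Return the sorted list of indicator names found in the message's HTML."""
    msg = message_from_string(raw)
    findings = set()
    for html in html_parts(msg):
        if ACTIVEX_OBJECT.search(html):
            findings.add("activex-object")
        if VBSCRIPT_BLOCK.search(html):
            findings.add("vbscript-block")
        if VBSCRIPT_URL.search(html):
            findings.add("vbscript-url")
    return sorted(findings)


# Constructed: a single-part HTML message carrying an ActiveX object and a
# VBScript block (the CLSID is a placeholder, not a real control).
MALICIOUS_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<object classid="clsid:12345678-1234-1234-1234-123456789ABC"></object>
<script language="vbscript">
' placeholder: a real dropper would write and run a script that fetches the worm
</script>
</body></html>
"""

# Constructed: an ordinary multipart/alternative newsletter with plain HTML.
BENIGN_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: text/html

<html><body><p>Hello <b>there</b></p></body></html>
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(name, scan_message(raw))
```

The check is deliberately conservative: it matches only on constructs that have no place in mail (object tags with a clsid: classid, VBScript blocks, vbscript: URLs), so it flags the loader rather than any particular worm binary, and it decodes each MIME part before matching so base64 or quoted-printable transfer encoding does not hide the markup. It does not replace antivirus detection of the downloaded executable, and a message that reaches the client is still only dangerous if that client lets ActiveX run in the HTML-mail zone.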