Bagle incarnations gonna run out of the alphabet letters
March 19, 2004
Four new versions of the Bagle worm, Bagle Q, R, S and T, which exploit an old Outlook flaw to spread even more quickly, have recently appeared in the wild, giving the old Trojan technology a new lease of life.
Users no longer have to open an attachment to spread the Bagle virus because the latest variants are exploiting an old flaw in Microsoft Outlook that allows the worm to automatically infect the victim's computer.
As we all remember, earlier versions of Bagle required users to click on an attachment to activate the worm. However, these attachments were easily spotted by antivirus programs and eliminated. To get past the antivirus perimeter defence, the next batch of Bagles was sent with an attached encrypted Zip file, with the password to open the file contained in the e-mail's text. Antivirus products dealt with this change within a few days, so in the next variant the password appeared in a small graphic file, just as text does in ordinary spam mails.
The latest Bagle incarnation has done away with the attachment altogether and spreads when a user opens the e-mail using an old version of Microsoft Outlook. If the victim's Outlook preview pane is open, the machine is compromised automatically. Experts say that the change of tactics may result in a significant increase in the worm's spreading speed.
"This is a really sneaky, cunning trick. It's exploiting a five- or six-month-old Outlook security vulnerability so that just previewing an e-mail--not the attachment--in an unpatched copy of Outlook will result in the virus being dragged from an infected machine to your machine. This has the potential to spread very quickly because so many people, particularly home users, have not applied the patches," said Graham Cluley, senior technology consultant at Sophos.
Outlook uses elements of Internet Explorer to render the HTML for its preview pane, so to avoid the new Bagle worms, users should apply a patch for Internet Explorer that was released in October 2003.
New Bagle viruses are not the only problem brewing for Windows users. A new iteration of a Trojan horse with an unusually comprehensive set of features has also appeared.
Phatbot is a powerful piece of malware that opens a back door on a computer and connects to its own peer-to-peer network of infected machines. Once a computer is infected and connected to this network, the author of Phatbot has complete control over the computer and can use it for any number of malicious tasks.
This is especially dangerous now, because Phatbot can reuse the backdoors opened by MyDoom, Bagle and NetSky.
Security analysts say, however, that Phatbot can be dealt with by regular antivirus software and users should regularly update their protection tools to prevent infiltration.