Old 03-20-2004, 10:34 PM   #1 (permalink)
Ezliving_Jim
Vicious Worm Infects Without Attachment

A handful of Bagle worm variants are attacking Windows users with an insidious new twist: They can infect computers without tricking them into opening a file attachment -- opening an e-mail is all it takes.

The passel of new worms sport a virtual alphabet soup of labels: "Bagle.q," "Bagle.r," "Bagle.s" and "Bagle.t." Some security firms have dubbed the new variants "beagle." They are mutations of the original Bagle worm first discovered in January.

Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk.

"This steps up the game," Sophos security analyst Chris Belthoff told NewsFactor. "The education part of protecting against viruses -- 'Don't click open attachments' -- got thrown out the window with these variants."

Two-Step Process

The e-mails carrying the new Bagle variants do not have attachments. Experts speculate that the virus writers developed this non-attachment technique to bypass a common firewall technique called "gateway scanning," which intercepts any e-mail with an attachment.

When a user opens an e-mail carrying one of these new Bagle variants, the e-mail "goes back out to the Internet and tries to find a certain server that has the Bagle executable on it and bring it down through HTTP," Belthoff said.

This is a two-step process, he explained. First, the carrier e-mail connects through Port 81 to the host server, and opens up a maliciously coded HTML file. Then, a Visual Basic Script (VBS) file is sent to the victim's machine, which connects to the same server and downloads the virus via HTTP.

"That shouldn't be allowed to happen," Belthoff said. "Opening an e-mail doesn't give some remote machine the authority to drop down a VBS script onto your system. The vulnerability allows that to happen."

If a user's machine is properly patched, Bagle poses no threat, he said.

One-Upmanship Game

There have been so many variations on the original Bagle worm that some security experts speculate that virus writers are playing a game of one-upmanship as they create and spread new mutations.

"There have actually been messages between the virus writers embedded within the viruses," Neel Mehta, Internet Security Systems research engineer, told NewsFactor. "The authors of Netsky, Bagle and MyDoom are really at each other's throats trying to create more viruses and outdo each other.

"It's having a horrible impact on the end-users who are the target of these attacks."

Disabling Firewalls

Like earlier versions of Bagle, the new variations disable many firewall and antivirus applications, a technique that has become common among virus writers. They also spread like the original Bagle, by resending themselves to all addresses found on a user's hard drive, disguising the return address of the e-mail to conceal the identity of the infected machine.

The mass-mailed worm uses a broad array of typical spam-virus subject lines, such as "Fax message received" and "account notify."

P2P Networks

The Bagle virus is coded to survive and propagate rather than delete files, as some worms do. "They are not generally destructive, but they put a huge load on e-mail servers, they cause outages, and there's a cost associated with un-infection," Mehta said.

Bagle infects every .exe file on a victim's system, meaning it lurks stubbornly even on apparently cleaned systems. The worms will keep hundreds of software programs from running, and they deactivate configuration applications, such as regedit and msconfig, that are used to delete viruses.

Bagle places itself -- with a variety of invented file names -- in folders that are commonly used for file-swapping. So, a large P2P network like Kazaa becomes an effective tool for mass propagation.

By James Maguire
Enterprise Security Today
March 19, 2004 11:17AM

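The two-step fetch described in the article (an HTML body that pulls a file from a server on port 81, with no attachment for a gateway scanner to catch) can be spotted at the mail gateway by looking at what the HTML itself references rather than at attachments. The script below is an added example and is not code from the article, from Sophos, or from any of the quoted researchers. The list of tags and attributes it inspects, and the sample message, are assumptions constructed for illustration; the page only says that a hosted HTML file on port 81 is opened. It also generalizes from the port 81 named in the article to any explicit non-default HTTP port.

```python
"""Flag e-mails whose HTML body auto-fetches remote content from a
non-default HTTP port.  Example code added to this thread; the tag list
and the sample message are assumptions, not details from the article."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that make a mail client fetch a remote resource as soon as
# the message is rendered.  Assumed list; tune it to the client in use.
FETCH_ATTRS = {
    "object": ("data", "codebase"),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "embed": ("src",),
    "link": ("href",),
    "img": ("src",),  # remote images load without any user click too
}


class RemoteRefParser(HTMLParser):
    """Collect (tag, url) pairs for every auto-fetched remote reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append((tag.lower(), value.strip()))


def remote_refs(html):
    """Return all auto-fetched references found in an HTML fragment."""
    parser = RemoteRefParser()
    parser.feed(html)
    return parser.refs


def is_suspicious(url):
    """True when an http(s) URL names an explicit non-default port (e.g. :81).
    A malformed port is treated as suspicious rather than silently ignored."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return True
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return False
    default = 443 if scheme == "https" else 80
    return port is not None and port != default


def scan_message(raw):
    """Return (tag, url) references in the message's HTML parts that point
    at a non-default port.  No attachment is needed for this to fire, which
    is exactly the gap that attachment-only gateway scanning leaves."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for tag, url in remote_refs(part.get_content()):
            if is_suspicious(url):
                hits.append((tag, url))
    return hits


# Constructed sample: an attachment-free HTML mail using one of the subject
# lines quoted in the article.  192.0.2.10 is a documentation address.
SAMPLE_MESSAGE = """\
From: "account manager" <noreply@example.com>
To: victim@example.org
Subject: Fax message received
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>You have a new fax. Please wait while it loads.</p>
<object data="http://192.0.2.10:81/index.htm" width="0" height="0"></object>
<img src="http://192.0.2.10:81/tracker.gif">
<img src="http://www.example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in scan_message(SAMPLE_MESSAGE):
        print(f"suspicious remote reference in <{tag}>: {url}")
```

Run it on a mail spool or a gateway quarantine and the hits are the messages worth holding even though they carry no attachment. Stripping remote references at the gateway, or configuring clients not to render HTML from untrusted senders, closes the same path without depending on a specific port.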
Old 03-21-2004, 08:30 AM   #2 (permalink)
pam
Jim, Thanks for keeping us informed of these things!
Pam