Sophos, a world leader in protecting businesses against viruses and
spam, is warning of a new twist in the Bagle virus saga. Two new
variants, W32/Bagle-Q and W32/Bagle-R, use a
different method of infection in an attempt to bypass anti-virus
protection at the email gateway.
Unlike most email viruses, the two new Bagle worms do not carry
email attachments, making them difficult to spot. Infected messages
have a random subject line chosen from the following list:
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- Re: Incoming Fax
- Hidden message
- Fax Message Received
- Protected message
- RE: Protected message
- Forum notify
- Request response
- Site changes
- Re: Hi
- Encrypted document
If a user opens the message - and their version of Microsoft
Outlook has not been patched against a five-month-old critical
vulnerability - malicious code is automatically downloaded.
Once installed, the worms halt a wide range of security
applications, potentially opening up your computer to further virus
or hacker attack. The worm will also attempt to spread via
file-sharing networks and infect other executable files.
"All computer users should be wary of this worm - we've already
had reports from some parts of the world - particularly Korea,
which is known for its uptake and use of technology," said Graham
Cluley, senior technology consultant at Sophos. "Exploiting a
security loophole in the popular Microsoft Outlook email system
means these worms have the potential to hit hard. Both home and
business computer users need to make sure they are patched against
all vulnerabilities."
To prevent infection, Sophos recommends that users update their
anti-virus software against the latest threats. Users should also
patch against all security vulnerabilities.
Businesses can also protect themselves at their firewall,
preventing computers on their network from downloading the worm
from outside.
"Bagle is a wake up call about the need for holistic security.
By keeping on top of security patches, anti-virus software updates
and ensuring firewalls are properly installed, users can lessen
their chances of getting hit," continued Cluley. "If you don't
patch yourself against these kind of threats, you shouldn't be
surprised if a worm bites you on the backside".
The patch against the Microsoft Outlook security vulnerability
can be found at www.microsoft.com/technet/security/bulletin/MS03-040.mspx.
Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems
scanned for Microsoft security vulnerabilities.
Sophos recommends the following precautions against the
W32/Bagle-Q and W32/Bagle-R worms:
- Get and apply the latest Internet Explorer/Outlook Express
patches from Microsoft. This prevents the automatic download of the
virus.
- Disallow connections to TCP port 81 through your network
firewall. Blocking outbound port 81 connections stops computers on
your network from downloading the worm from outside. Blocking
inbound port 81 connections means that even if you do get infected
you will not pass the virus on to others.
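A mail-gateway triage check built from the indicators above, as an added example that is not Sophos code: it flags messages whose subject is on the Bagle-Q/R list and that carry no attachment. The `triage` function, the sample messages and the explicit-port URL pattern are assumptions made for illustration; the advisory only says the worm is fetched over TCP port 81.

```python
import re
from email import message_from_string, policy

# Subject lines listed in the advisory for W32/Bagle-Q and W32/Bagle-R.
BAGLE_QR_SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "Re: Incoming Fax", "Hidden message",
    "Fax Message Received", "Protected message", "RE: Protected message",
    "Forum notify", "Request response", "Site changes", "Re: Hi",
    "Encrypted document",
)}

# Assumption: the remote reference names port 81 explicitly in a URL.
PORT_81_URL = re.compile(r"https?://[^\s\"'<>/]+:81(?![0-9])", re.I)

def triage(raw_message):
    """Return the reasons a message deserves review (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    # policy.default decodes RFC 2047 encoded subjects; collapse whitespace.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject not in BAGLE_QR_SUBJECTS:
        return []  # these subjects are generic, so they only gate the checks
    reasons = ["subject on Bagle-Q/R list"]
    if next(msg.iter_attachments(), None) is None:
        reasons.append("no attachment")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and PORT_81_URL.search(body.get_content()):
        reasons.append("body references TCP port 81")
    return reasons

# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLE_SUSPECT = (
    "From: a@example.com\n"
    "Subject: Re: Incoming Fax\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    '<html><body><a href="http://192.0.2.10:81/">fax</a></body></html>\n'
)
SAMPLE_BENIGN = "From: b@example.com\nSubject: Quarterly report\n\nSee you Monday.\n"

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

A subject match alone is weak evidence because the listed subjects are common; the combination of reasons is what makes a message worth quarantining for review.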
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.