Latest Bagle variant exploits MS hole

Four latest versions of the Bagle e-mail worm have appeared, and antivirus experts have warned that new techniques by the worm's...

Four latest versions of the Bagle e-mail worm have appeared, and antivirus experts have warned that new techniques by the worm's creator could make it harder to stop the worm variants.

Antivirus companies have issued software updates and alerts about Bagle.Q, R, S and T, which first appeared in January.

However, they do not carry file attachments containing the virus, instead, they use a months-old Microsoft Windows security hole to break into vulnerable machines.

"Just previewing a message in an e-mail client could download the virus to your computer," said Graham Cluley, senior technology consultant at Sophos.

The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability and concerns a problem with the way the Internet Explorer web browser interprets HTTP data.

The vulnerability, MS03-032, was patched by Microsoft last August. (

Previous versions of Bagle have shipped off copies of the virus as e-mail file attachments with Zip, EXE and SCR attachments.

Antivirus and antispam products can block the spread of such viruses by scanning incoming e-mail attachments, identifying the virus file by the name, size and other telltale characteristics. By foregoing file attachments, the Bagle author has made it easier to slip past security products, Cluley said.

Like its predecessors, the latest Bagle worms arrive in e-mail messages with fake sender addresses and vague subjects such as "Re: Hello", "Incoming message", "Site changes", and "Re: Hi".

When opened or previewed on unpatched Windows systems, the Bagle e-mail message first downloads a computer script with a PHP extension from one of a number of predefined web servers used by the virus author.

After it is downloaded, that script runs and downloads, then runs the actual worm file, said antivirus company F-Secure.

F-Secure researchers have passed the Internet Protocol (IP) addresses of machines that are hosting the virus file to authorities who are shutting them down, said according to Mikko Hyppönen, director of antivirus research at F-Secure.

The latest Bagle variants proved that the author is continuing to experiment with new techniques to trick security products, said Cluley.

"In the beginning there were regular attachments, then they switched to Zip files, then encrypted Zip files with passwords, then passwords stored in graphics files, and now this," he added.

The four latest variants are closely related and may indicate some tinkering with the worm's code to fix problems.

"There may be some bugs in the code that limited its success," Cluley said.

Antivirus companies said that the Bagle.Q variant, the first in the latest batch, is the most widespread. F-Secure-rated the Bagle.Q a Level 2 threat, indicating "large infections" within a specific region.

F-Secure has recorded infections in more than 20 countries from Bagle.Q.

Sophos has evidence of particularly heavy infections in South Korea.

Antivirus companies posted software updates to detect the latest Bagle variants. Computer users were also advised to apply the Microsoft patch, if they had not already done so, to protect against infection.

Paul Roberts writes for IDG News Service

Read more on IT risk management