Description:
At 10:08 AM on March 18, 2004 (CET), Trend Micro TrendLabs declared a medium risk alert for this new BAGLE variant. Unlike previous BAGLE variants, this malware is a virus, capable of infecting files, and has a high damage and distribution potential.
BAGLE.Q propagates via email in two ways.
The first is by sending emails that carry no attachment. Instead, the message body contains HTML with a link; when a victim opens the email, the link starts a series of events that eventually downloads a file infector onto the system.
To perform this automatic chain, the malicious code once again uses vulnerabilities in the Microsoft operating system. Microsoft released patches that cover these vulnerabilities around 5 months ago.
The second is email with varying subjects, message bodies, and attachment file names, like its earlier variants.
David Kopp, Director of TrendLabs EMEA explains "It is now very clear that the NetSky and Bagle authors have begun a virus war. This accounts for the number of new variants of each virus we have recently been seeing.
Once again we see an evolution in the Bagle family. The authors began by developing a worm that spreads, subsequent variants used social engineering, password protected attachments and this new variant uses all the previous tricks plus infects files and uses system vulnerabilities.
This shows once again how important it is to follow the security patch releases from software editors. Through this we see how the protection of a corporate network turns more and more to services rather than to product. The challenge is to help the security administrators with protection against these network viruses. We have already discovered three other variants that take advantage of these vulnerabilities: Bagle.R, .S and .T.
Virus writers know how difficult it is to patch all the computers of a corporate network and don't hesitate to use this weakness."
Trend Micro customers are protected from variant .Q through the latest pattern file, number 827. TrendLabs are currently analysing variants .R, .S and .T, for which further information will be available shortly.
Customers of Outbreak Prevention Services should download OPP 96 to help protect against the spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template #292 should be downloaded to help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information, please visit http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=58160&VName=PE_BAGLE.Q
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.