A new variant of the now infamous Bagle virus, Bagle-Q, has been released.
There is something rather special about this one, however: the virus itself doesn't arrive by email.
As per usual, an infected machine sends emails to all the contact addresses it can find on the infected PC. The email it sends, however, doesn't include the virus; instead it carries hidden malicious code within the body of the email.
The hidden code exploits a five-month-old critical vulnerability in the popular email application Outlook.
The malicious code is automatically run as soon as the email is opened, or even previewed. The malicious code then instructs Outlook to connect to the infected computer that originally sent the email and to download and run the virus from there.
This method of infection is both new and unique.
The email that downloads the virus has been given the term "carrier", as it carries instructions telling the computer what to do.
If your PC were to become infected, the virus has the power to stop some anti-virus applications from running; it can also stop software firewalls and other security software that may be installed.
Bagle-Q will also try to spread over file sharing networks.
We spoke to Graham Cluley, Senior Technology Consultant for Sophos, this morning, who told us,
"As the UK comes into work this morning there's a real danger that these Bagle worms will take off - we've already had a high number of reports from other parts of the world - particularly Korea, which is known for its uptake and use of technology. Exploiting a security loophole in the popular Microsoft Outlook email client means these worms have the potential to hit hard. Both home and business computer users need to make sure they are patched against all vulnerabilities."
Graham continued,
"Bagle is a wake-up call about the need for holistic security. By keeping on top of security patches, anti-virus software updates and ensuring firewalls are properly installed, users can lessen their chances of getting hit. If you don't patch yourself against these kinds of threats, you shouldn't be surprised if a worm bites you in the backside."
I.T. managers and systems administrators can take some steps to prevent Bagle-Q spreading from infected machines.
The danger of Bagle-Q can be mitigated not only by updating anti-virus products but also by blocking connections to TCP port 81 through your network firewall. This port is unlikely to be required for any real services.
Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected, you will not pass the virus on to others outside your own network.
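Besides blocking the port, a firewall's connection log shows which hosts are already involved: an internal host connecting out to TCP port 81 has most likely opened a carrier email, while an outside host connecting in to port 81 on an internal machine suggests that machine is already infected and serving the worm. The script below is an added example, not from the article or from Sophos; it assumes netfilter-style log lines (the sample lines are constructed) and an internal network of 10.0.0.0/8.

```python
# Added example: flag TCP port 81 connection attempts in firewall logs.
# Assumes netfilter-style lines with SRC=/DST=/PROTO=/DPT= fields and an
# internal network of 10.0.0.0/8; adjust both for your own firewall.
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local network
WORM_PORT = 81  # port Bagle-Q uses to hand out the worm

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)

def classify(line):
    """Return (direction, internal_host, remote_host) for a TCP/81
    connection attempt, or None for any other log line."""
    m = LOG_RE.search(line)
    if not m or m.group("proto") != "TCP" or int(m.group("dpt")) != WORM_PORT:
        return None
    src = ipaddress.ip_address(m.group("src"))
    dst = ipaddress.ip_address(m.group("dst"))
    src_in, dst_in = src in INTERNAL_NET, dst in INTERNAL_NET
    if src_in and not dst_in:
        # internal host trying to fetch the worm from the outside sender
        return ("outbound", str(src), str(dst))
    if dst_in and not src_in:
        # outside host fetching the worm from an internal machine
        return ("inbound", str(dst), str(src))
    return None

def suspect_hosts(lines):
    """Collect internal hosts seen in port-81 traffic, keyed by direction."""
    hits = {"outbound": set(), "inbound": set()}
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].add(result[1])
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real captures
    "FW: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.7 PROTO=TCP SPT=3312 DPT=81 SYN",
    "FW: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.2.50 PROTO=TCP SPT=4001 DPT=81 SYN",
    "FW: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.7 PROTO=TCP SPT=3313 DPT=80 SYN",
    "FW: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=203.0.113.8 PROTO=UDP SPT=1025 DPT=81",
]

if __name__ == "__main__":
    for direction, hosts in suspect_hosts(SAMPLE_LOG).items():
        print(direction, sorted(hosts))
```

Hosts listed under "outbound" need their Outlook patched and scanned; hosts under "inbound" should be treated as already infected and isolated.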
UPDATE: Bagle-R variant released