Latest Bagle worm both nasty and sneaky


re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955907,00.html

"A new Bagle variant has surfaced using a novel technique to propagate. Rather than attach itself to an e-mail, the worm uses a URL in the message to download the malicious code."

"... Specifically, it exploits the object tag vulnerability in popup windows in Microsoft Outlook."

"The worm sends out HTML e-mails containing a URL that automatically downloads an .html file, which then drops a Visual Basic script. That script actually downloads the Bagle-Q file via an HTTP request to TCP port 81 on the system that sent the worm. The worm is saved as "directs.exe" in the system folder."

"... It terminates a range of security applications including antivirus scanners and personal firewalls. It also makes several copies of itself with enticing names in folders containing "shar" so systems involved with peer-to-peer sharing would download the worm. For example, the worm copies itself as "Adobe Photoshop 9 full.exe," "Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe." The worm also tries to append itself to executable files on infected systems. The variant also opens a backdoor on infected systems. It listens on TCP port 2556 for instructions from the attacker, who has full control over the compromised system, according to an advisory from F-Secure."

I continue to be thankful that I am not using Outlook!

Cheers anyway,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
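A defender-side check for the behaviour the quoted advisory describes, added here as an example that is not part of the original post or of the F-Secure advisory: it scans a constructed connection log for the port-81 HTTP fetch of directs.exe and for a listener on the backdoor port 2556, and flags lure copies sitting in folders whose name contains "shar". The log line format and the sample addresses are assumptions.

```python
import re

# Indicators quoted in the post from the F-Secure advisory on Bagle-Q.
DOWNLOAD_PORT = 81            # worm body fetched over HTTP from the sending host
BACKDOOR_PORT = 2556          # listener that gives the attacker control
DROPPED_NAME = "directs.exe"  # name the worm uses in the system folder
LURE_NAMES = {"adobe photoshop 9 full.exe",
              "matrix 3 revolution english subtitles.exe",
              "windows sourcecode update.doc.exe"}

# Constructed sample connection log, not real traffic. Assumed line formats:
#   "<date> <time> src:sport -> dst:dport proto [request]"
#   "<date> <time> host:port LISTEN proto"
SAMPLE_LOG = """\
2004-03-18 10:01:02 192.0.2.10:1045 -> 198.51.100.7:80 tcp GET /index.html
2004-03-18 10:01:05 192.0.2.10:1046 -> 203.0.113.9:81 tcp GET /directs.exe
2004-03-18 10:02:11 192.0.2.10:2556 LISTEN tcp
2004-03-18 10:03:40 192.0.2.11:1050 -> 198.51.100.7:443 tcp
"""

CONN_RE = re.compile(r"^\S+ \S+ (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) \w+(?P<info>.*)$")
LISTEN_RE = re.compile(r"^\S+ \S+ (?P<host>[\d.]+):(?P<port>\d+) LISTEN")

def find_indicators(log_text):
    """Return (host, reason) pairs for lines matching the worm's two network habits:
    fetching directs.exe over HTTP on port 81 and listening on the backdoor port."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if int(m["dport"]) == DOWNLOAD_PORT and DROPPED_NAME in m["info"].lower():
                hits.append((m["src"], f"HTTP fetch of {DROPPED_NAME} on port "
                                       f"{DOWNLOAD_PORT} from {m['dst']}"))
            continue
        m = LISTEN_RE.match(line)
        if m and int(m["port"]) == BACKDOOR_PORT:
            hits.append((m["host"], f"listener on backdoor port {BACKDOOR_PORT}"))
    return hits

def is_suspicious_share_file(path):
    """Flag the lure copies: a file in a folder whose name contains 'shar' that is
    either a known lure name or carries a double extension ending in .exe."""
    parts = path.replace("\\", "/").lower().split("/")
    name, folders = parts[-1], parts[:-1]
    if not any("shar" in folder for folder in folders):
        return False
    return name in LURE_NAMES or re.search(r"\.\w{2,4}\.exe$", name) is not None
```

Running find_indicators(SAMPLE_LOG) on the constructed log reports the fetching host twice: once for the port-81 download and once for the port-2556 listener.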
