
Tricky new Bagle exploits Outlook vulnerability

By Tracy Burrows, ITWeb contributor.
Johannesburg, 18 Mar 2004

A new variant of the Bagle worm is 'tricking' gateway scans by sending a blank e-mail which then downloads the worm from the Internet.

Brett Myroff, CEO of local Sophos distributor Netxactics, says the new worm, Bagle.Q, is "highly unusual".

"The worm spreads with the help of a carrier e-mail that does not have the worm as an attachment. Instead, the e-mail exploits a vulnerability on Microsoft Outlook to go through Port 81 and automatically download the worm from the Internet."

The downloaded copy of W32/Bagle.Q is then placed in the infected PC's system folder with the name "directs.exe". It terminates a wide range of applications and makes multiple copies of itself into folders that are likely to be part of a file-sharing network.

Myroff says Bagle.Q was first discovered late yesterday. Its carrier e-mail spoofs the sender's name and has a subject line such as "text message". The message field is blank.

Myroff says it proves that virus writers are becoming "sneakier".

"This proves that a complete anti-virus solution is critical to business. You can't just rely on gateway scanning anymore," he says.

Sophos says in its alert this morning: "The danger of W32/Bagle-Q can be mitigated not only by updating Sophos Anti-Virus but by blocking connections to TCP port 81 through your network firewall. (This port is unlikely to be required for any real services.)

"Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected, you will not pass the virus on to others."

Sophos adds that users should also apply the latest Internet Explorer/Outlook Express patches from Microsoft. The vulnerability used by W32/Bagle-Q is described in the Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag vulnerability in Popup Window".
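As an added illustration (not code from the article or from Sophos), the following Python check applies the port-81 advice above to firewall logs: it flags internal hosts that completed outbound TCP/81 connections (a possible worm download) and internal hosts that accepted inbound TCP/81 (possibly already infected and serving the worm). The log line format and the 10.0.0.0/8 internal range are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article); the
# "ACTION src:port -> dst:port PROTO" layout is assumed, not any vendor's.
SAMPLE_LOG = """\
2004-03-18 09:01:12 ALLOW 10.0.0.15:3211 -> 203.0.113.9:81 TCP
2004-03-18 09:01:13 ALLOW 10.0.0.15:3212 -> 203.0.113.9:80 TCP
2004-03-18 09:02:40 ALLOW 198.51.100.7:4432 -> 10.0.0.15:81 TCP
2004-03-18 09:03:02 DENY 10.0.0.22:1044 -> 203.0.113.9:81 TCP
2004-03-18 09:04:55 ALLOW 10.0.0.30:5001 -> 192.0.2.4:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

WORM_PORT = 81  # TCP port W32/Bagle-Q uses to fetch its body, per the Sophos alert


def is_internal(ip: str) -> bool:
    # Assumed internal address range for the constructed data: 10.0.0.0/8.
    return ip.startswith("10.")


def find_port81_activity(log_text: str) -> dict:
    """Return {'outbound': {src: [dst, ...]}, 'inbound': {dst: [src, ...]}}
    for TCP/81 flows the firewall ALLOWED. Outbound hits are internal hosts
    that may have pulled the worm; inbound hits are internal hosts reachable
    on 81, i.e. possibly infected and passing it on."""
    outbound = defaultdict(list)
    inbound = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != WORM_PORT:
            continue
        if m["action"] != "ALLOW":
            continue  # a DENY means the recommended port-81 block already worked
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            outbound[m["src"]].append(m["dst"])
        elif is_internal(m["dst"]) and not is_internal(m["src"]):
            inbound[m["dst"]].append(m["src"])
    return {"outbound": dict(outbound), "inbound": dict(inbound)}


if __name__ == "__main__":
    hits = find_port81_activity(SAMPLE_LOG)
    for host, peers in hits["outbound"].items():
        print(f"{host} fetched over TCP/81 from {peers}: check system folder for directs.exe")
    for host, peers in hits["inbound"].items():
        print(f"{host} accepted TCP/81 from {peers}: may already be infected")
```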
