PSS Security Response Team Alert - New E-Mail Worm Variant: W32.Bagle@MM Q, R, S, T

Published: March 19, 2004

SEVERITY: MODERATE
DATE: March 19, 2004

Several new Beagle/Bagle variants (Q, R, S, T) are spreading in the wild. Unlike previous versions of Beagle/Bagle, these variants do not propagate through malicious attachments but instead seek to exploit a vulnerability in Internet Explorer for which a security update is available. Currently, our VIA partners are reporting these may be utilizing vulnerabilities addressed by MS03-032 or MS03-040. Installing either patch will block this vulnerability. These variants attempt to automatically download and execute malicious code from a web site without user intervention.

Customers who have applied the latest security update, MS04-004 are protected against attempts to automatically download and execute this malicious code without user intervention.

PRODUCTS AFFECTED: : Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail

IMPACT OF ATTACK: Mass Mailing

TECHNICAL DETAILS:

For additional details on this worm from antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA), please visit the following websites:

•

Computer Associates:

•	http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38603
•	http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38602
•	http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38600
•	http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38599

•

F-secure:

•	http://www.f-secure.com/v-descs/bagle_q.shtml

•

Global Hauri:

•	http://www.globalhauri.com/information/virus/search_virus.html?menu=QjAx

•

McAfee:

•	http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101112
•	http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101111
•	http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101109
•	http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101108

•

Norman:

•	http://www.norman.com/Virus/Virus_descriptions/14562/en-us
•	http://www.norman.com/Virus/Virus_descriptions/14561/en-us

•

Panda:

•	http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=45711&sind=0
•	http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=45706&sind=0
•	http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=45707&sind=0
•	http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=45705&sind=0

•

Sophos:

•	http://www.sophos.com/virusinfo/articles/bagletwist.html

•

Symantec:

•	http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.t@mm.html
•	http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.s@mm.html
•	http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.r@mm.html

•

Trend Micro:

•	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.T
•	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.S
•	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.R
•	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q

For more information on Microsoft’s Virus Information Alliance please visit this link:

•	http://www.microsoft.com/technet/security/alerts/info/via.mspx

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

Installing The latest IE Security Patch will block this virus from running automatically:

•

MS04-004

The following precautions can help prevent & mitigate many types of e-mail viruses as well.Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates to improve the security in Outlook and other Office programs. This includes the functionality to block potentially harmful attachment types. If you are running either of these versions, they will (by default) block the attachment, and you will be unable to open it. To ensure you are using the latest version of Office click here:

•	http://office.microsoft.com/ProductUpdates/default.aspx

By default, Outlook 2000 before SP2 and Outlook 98 did not include this functionality, but it can be obtained by installing the Outlook E-mail Security Update. More information about the Outlook E-mail Security Update can be found here:

•	http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

Outlook Express 6 can be configured to block access to potentially-damaging attachments. Information about how to configure this can be found here:

•	http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291387

Previous versions of Outlook Express do not contain attachment-blocking functionality. Please exercise extreme caution when opening unsolicited e-mail messages with attachments.

Web-based e-mail programs: Use of a program-level firewall can protect you from being infected with this virus through Web-based e-mail programs.

RECOVERY:

If your computer has been infected with this virus, please contact your preferred antivirus vendor or Microsoft Product Support Services for assistance with removing it.

PSS Security Response Team

Top of page