New Bagle Worm Infects Without File Attachments


March 19, 2004

NetworkComputing

A new round of Bagle worms blitzed the Internet Thursday, taking advantage of a five-month-old vulnerability in Internet Explorer that lets them infect computers without having to convince users to open a file attachment.

Bagle.q -- which was quickly followed by three variants, dubbed Bagle.r, Bagle.s, and Bagle.t -- follows in the footsteps of earlier editions of the persistent, pernicious worm by arriving as e-mail, opening a backdoor to the system so it can be re-infected or loaded with other malicious code, and attaching itself to executable files found on the hard drive to make it even more difficult to dislodge.

The big difference in this newest Bagle wave, said security experts, is that it can infect unpatched PCs without the usual file attachment.

If the message arrives on a machine that's not been patched against the Internet Explorer Object Data Remote Execution vulnerability -- disclosed in early October, 2003 -- Outlook and Outlook Express users who simply open or view the e-mail are automatically infected.

This same vulnerability was exploited in attacks in the fall of 2003. "The latest wave of Bagle attacks reveals a significant update," said Ken Dunham, director of malicious code research for iDefense, in an e-mailed statement. "It appears that the authors have now migrated to a new method for spreading their worm in the wild, an auto-execute vulnerability against [Internet Explorer]."

Like their immediate predecessors, Bagle.q, Bagle.r, Bagle.s, and Bagle.t also disable a huge number of anti-virus and firewall programs, another tactic hackers have used to slip by defenses.

Dunham said that activity on the ports that these new Bagle worms leave open -- port 2556 for Bagle.q and Bagle.r; backdoor ports for the others have not yet been confirmed -- has been on the upswing over the past 24 hours. "It appears that multiple commands are being issued to infected Bagle computers," he said. "There's more going on here than meets the eye at first glance." Among the possible explanations offered by Dunham: the Bagle authors are trying to update their array of already-infected computers.
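The backdoor activity Dunham describes is something a network defender can watch for directly: the article names TCP port 2556 as the port left open by Bagle.q and Bagle.r. The script below is an added example, not code from the article or from iDefense; it scans firewall-style connection log lines for inbound connections to that port and summarises, per contacted host, how many connections arrived and from how many distinct sources, which is the pattern behind "multiple commands being issued to infected Bagle computers". The log format, the addresses and the sample lines are all constructed for this example; the ports for Bagle.s and Bagle.t were unconfirmed at the time, so only 2556 is watched.

```python
"""
Added example (not from the article): flag inbound connections to TCP port 2556,
the backdoor port the article attributes to Bagle.q and Bagle.r, in firewall-style
connection logs, and summarise per-host activity so a responder can see which
machines are being contacted repeatedly.  The log format and every address below
are constructed for this example.
"""
import re
from collections import defaultdict

# Backdoor port reported for Bagle.q/.r in the article.  The ports for .s and .t
# were not confirmed at the time, so only 2556 is watched here.
BAGLE_BACKDOOR_PORTS = {2556}

# Constructed log format:
#   "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample: benign traffic mixed with several connections from
# different external sources to the same internal host on port 2556, plus one
# malformed line to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2004-03-19T09:12:01 TCP 198.51.100.7:40211 -> 192.0.2.10:2556 ALLOW
2004-03-19T09:12:05 TCP 192.0.2.10:1033 -> 203.0.113.5:80 ALLOW
2004-03-19T09:12:44 TCP 198.51.100.23:51900 -> 192.0.2.10:2556 ALLOW
2004-03-19T09:13:10 TCP 198.51.100.99:31337 -> 192.0.2.10:2556 ALLOW
2004-03-19T09:13:12 UDP 192.0.2.11:53412 -> 203.0.113.53:53 ALLOW
2004-03-19T09:14:00 TCP 198.51.100.7:40212 -> 192.0.2.12:2556 DENY
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_backdoor_hits(log_text, ports=BAGLE_BACKDOOR_PORTS):
    """Return the parsed records whose destination port is a watched backdoor port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in ports:
            hits.append(rec)
    return hits


def summarise_by_host(hits):
    """Map each contacted host to (connections, distinct sources, allowed connections).

    Several distinct sources reaching one host on the backdoor port, with the
    connections allowed through, is the signal worth escalating.
    """
    per_host = defaultdict(lambda: {"connections": 0, "sources": set(), "allowed": 0})
    for h in hits:
        entry = per_host[h["dst"]]
        entry["connections"] += 1
        entry["sources"].add(h["src"])
        if h["action"] == "ALLOW":
            entry["allowed"] += 1
    return {
        host: (e["connections"], len(e["sources"]), e["allowed"])
        for host, e in per_host.items()
    }


if __name__ == "__main__":
    hits = find_backdoor_hits(SAMPLE_LOG)
    for host, (n, srcs, allowed) in sorted(summarise_by_host(hits).items()):
        print(f"{host}: {n} connection(s) to port 2556 from {srcs} source(s), "
              f"{allowed} allowed")
```

Run against the constructed sample, the script reports 192.0.2.10 as contacted three times by three different sources with all three connections allowed, which is the host to pull for investigation, while 192.0.2.12 shows a single denied attempt. In practice the port set would be extended as the backdoor ports for the other variants are confirmed.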

"The war of worms has just gotten worse," Dunham said. "It looks like we're in for a very busy malicious code scene for 2004. E-mail worms are almost becoming as common as spam in some situations."

Users who haven't already patched IE should do so immediately. "If you don't patch yourself against these kind of threats, you shouldn't be surprised if a worm bites you on the backside," said Graham Cluley, senior technology consultant at Sophos, a U.K.-based anti-virus firm. The patch for the IE vulnerability is available here for versions 5.01, 5.5, 6.0, and 6.0 for Windows Server 2003 of the Microsoft Web browser.

For the moment, most anti-virus firms have assigned the new Bagles relatively low threat levels. Symantec, for instance, tagged all four with a "2" on its 1-through-5 scale. Rival Network Associates, meanwhile, labeled the quartet a "low" threat. Trend Micro and Panda Software, however, marked Bagle.q as a more significant "medium" and "moderate" threat, respectively.
