Jump to content



Recommended Posts

Vicious Worm Infects Without Attachment

Fri Mar 19, 3:38 PM ET Add Technology - NewsFactor to My Yahoo!

James Maguire, www.enterprise-security-today.com

A handful of Bagle worm variants are attacking Windows users with an insidious new twist: They can infect computers without tricking them into opening a file attachment -- opening an e-mail is all it takes.

The passel of new worms sport a virtual alphabet soup of labels: "Bagle.q," "Bagle.r," "Bagle.s" and "Bagle.t." Some security firms have dubbed the new variants "beagle." They are mutations of the original Bagle worm first discovered in January.

Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft (Nasdaq: MSFT - news) has issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk.

"This steps up the game," Sophos security analyst Chris Belthoff told NewsFactor. "The education part of protecting against viruses -- 'Don't click open attachments' -- got thrown out the window with these variants."

Two-Step Process

The e-mails carrying the new Bagle variants do not have attachments. Experts speculate that the virus writers developed this non-attachment technique to bypass a common firewall technique called "gateway scanning," which intercepts any e-mail with an attachment.

When a user open an e-mail carrying one of these new Bagle variants, the e-mail "goes back out to the Internet and tries to find a certain server that has the Bagle executable on it and bring it down through HTTP," Belthoff said.

This is a two-step process, he explained. First, the carrier e-mail connects though Port 81 to the host server, and opens up a maliciously coded HTML file. Then, a visual basic script (VBS) file is sent to the victim's machine, which connects to the same server and downloads the virus via HTTP.

"That shouldn't be allowed to happen," Belthoff said. "Opening an e-mail doesn't give some remote machine the authority to drop down a VBS script onto your system. The vulnerability allows that to happen."

If a user's machine is properly patched, Bagle poses no threat, he said.

One-Upmanship Game

There have been so many variations on the original Bagle worm that some security experts speculate that virus writers are playing a game of one-upmanship as they create and spread new mutations.

"There have actually been messages between the virus writers embedded within the viruses," Neel Mehta, Internet Security Systems (Nasdaq: ISSX - news) research engineer, told NewsFactor. "The authors of Netsky, Bagle and MyDoom are really at each other's throats trying to create more viruses and outdo each other.

"It's having a horrible impact on the end-users who are the target of these attacks."

Disabling Firewalls

Like earlier versions of Bagle, the new variations disable many firewall and antivirus applications, a technique that has become common among virus writers. They also spread like the original Bagle, by resending themselves to all addresses found on a user's hard drive, disguising the return address of the e-mail to conceal the identity of the infected machine.

The mass-mailed worm uses a broad array of typical spam-virus subject lines, such as "Fax message received" and "account notify."

P2P Networks

The Bagle virus is coded to survive and propagate rather than delete files, as some worms do. "They are not generally destructive, but they put a huge load on e-mail servers, they cause outages, and there's a cost associated with un-infection," Mehta said.

Bagle infects every .exe file on a victim's system, meaning it lurks stubbornly even on apparently cleaned systems. The worms will keep hundreds of software programs from running, and they deactivate configuration applications, such as regedit and msconfig, that are used to delete viruses.

Bagle places itself -- with a variety of invented file names -- in folders that are commonly used for file-swapping. So, a large P2P network like Kazaa becomes an effective tool for mass propagation.

Link to comment
Share on other sites


Technology - washingtonpost.com

'Witty' Worm Wrecks Computers

Sat Mar 20, 7:16 PM ET

Add Technology - washingtonpost.com to My Yahoo!

By Brian Krebs, washingtonpost.com Staff Writer

A quickly spreading Internet worm destroyed or damaged tens of thousands of personal computers worldwide Saturday morning by exploiting a security flaw in a firewall program designed to protect PCs from online threats, computer experts said.

? Chipping Away at China's Trade Policy

? Microsoft Is Facing Long-Term Adjustment

? Personal Tech: Reviews and Features

? Today in photos

Search news on


The "Witty" worm writes random data onto the hard drives of computers equipped with the Black Ice and Real Secure Internet firewall products, causing the drives to fail and making it impossible to restart the PCs. Unlike many recent worms that arrive as e-mail attachments, it spreads automatically to vulnerable computers without any action on the part of the user.

At least 50,000 computers have been infected so far, according to Reston, Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS Institute.

The firewalls were developed by Atlanta-based Internet Security Systems. Chris Rouland, vice president of the company's X-Force research and development division, said that as many as 32,000 corporate computers could be infected. The company does not know how many home users are infected. ISS released a patch and a detailed writeup of the affected products.

Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones, said Ken Dunham, a computer security expert at iDefense.

"The thing looks like it will corrupt or crash most drives enough so that reinstallation is going to be required," he said. "This is a very destructive worm."

Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment.

Internet worms, viruses and other malignant software often install software or open "back doors" that allow hackers to control infected computers. That often gives them access to private data that people keep on their computers, and allows them to use those computers to send out e-mail spam that cannot be traced back to its real owner. The Witty worm is different and in some respects more destructive because it renders the computer useless.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, said that the worm does not create files on infected computers so most antivirus software will not detect it.

Security vulnerability research firm eEye Digital Security identified the flaw last Wednesday. The Aliso Viejo, Calif.-based company discovered that it could trick some versions of Black Ice and Real Secure into processing Internet traffic that would allow attackers to transfer dangerous data to vulnerable computers.

The Witty worm gets its moniker from a message buried within its code that says: "insert witty message here." That comes just before the code that overwrites the infected hard drives.

Joe Stewart, a senior security researcher at Chicago-based security services company Lurhq, said he expects the worm to die out over the next few hours as vulnerable computers quickly become useless hosts.

"With all these hard drive problems, the infection rates are going to shrink pretty quickly as all these affected machines grind themselves to a halt," Stewart said

Link to comment
Share on other sites

I don't use XP (windows 98), but in the last week I have been subjected to a few worms/dialers/trojans/hijackers etc.

One I know was through an email.

I got Zone alarm pro 4 now,hopefully it does the trick,my norton wasn't picking alot of these up at first,but was picking some up on boot up and quarrenting them.

I've done two or moree scans a day since having Zone alarm installed and so far I have been clean of any of the above noted problems,although I have read alot of bad stuff about this program,somthing about WINSOCK errors?

You know anything about this program and its effect on WINSOCK Steve?

All the time I have had a computer (almost 2 years) I have not gotten a virus,until about three weeks back...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...