The Bagle deluge continues with new additions to this rapidly growing family of mass-mailers
In addition to W32/Bagle.Q@mm that was discovered this morning, three new Bagle variants (R, S and T) have emerged in the course of the day. These variants are similar to Bagle.Q (see below).
W32/Bagle.Q@mm, the newest member of the Bagle family of mass-mailing worms, was first discovered early on 18 March 2004. Bagle.Q takes advantage of a security flaw in Microsoft Internet Explorer that was reported in Microsoft Security Bulletin MS03-040 on 3 October 2003. Users can patch against it with the updates found in Microsoft Knowledge Base Article 828750. Note that Outlook and Outlook Express use Internet Explorer to render HTML-based e-mail messages, so the security flaw applies indirectly to those products as well.
Bagle.Q is a mass-mailer that spreads by harvesting e-mail addresses from the infected computer's hard drive and sending e-mails with falsified FROM: addresses to these harvested addresses, using its own SMTP engine. The worm also attempts to spread via file-sharing sites by copying itself to folders with "shar" in their names.
This newest variant differs from its predecessors in that it does not send itself as a binary attachment via e-mail. Instead, it sends out e-mail that takes advantage of the vulnerability mentioned above by launching a Visual Basic script that causes Outlook and Outlook Express to download the worm from a remote site.
Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers. Users should also make sure that they have patched against the vulnerability reported in Microsoft Security Bulletin MS03-040 [KB828750].
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
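As a complement to the full scan, the following added example (not part of the original advisory and not F-Prot code) lists executables sitting in folders with "shar" in their names, the folders the worm is described as copying itself to. The function names and the check for the `MZ` file magic are assumptions made for this sketch; it flags any executable in such a folder for review and does not identify Bagle itself.

```python
import hashlib
import os
import tempfile


def executables_in_share_folders(root):
    """Return (path, size, sha256) for each file that starts with the
    DOS/PE 'MZ' magic and sits directly in a folder whose name contains
    'shar' (case-insensitive), the folder pattern the advisory describes."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if data[:2] == b"MZ":
                hits.append((path, len(data), hashlib.sha256(data).hexdigest()))
    return hits


def build_constructed_tree(root):
    """Constructed sample layout: harmless stub files, not real samples."""
    layout = {
        "My Shared Folder/setup.exe": b"MZ" + b"\x00" * 62,  # executable-like stub
        "My Shared Folder/notes.txt": b"plain text",
        "P2P/SHARE/song.mp3.exe": b"MZ" + b"\x90" * 30,
        "Documents/tool.exe": b"MZ" + b"\x00" * 10,  # folder name lacks 'shar'
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for path, size, digest in executables_in_share_folders(tmp):
            print(f"{size:>8}  {digest[:16]}  {os.path.relpath(path, tmp)}")
```

Files reported this way should be checked with the updated scanner; the hash makes it easy to spot the same file copied under several names.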
For more information on this worm and its disinfection, please visit our virus information section.
The latest versions of F-Prot Antivirus detect W32/Bagle.Q@mm using virus signature files dated 18 March 2004 or later.