The Bagle deluge continues with new additions to this rapidly growing family of mass-mailers

18 March 2004

In addition to W32/Bagle.Q@mm that was discovered this morning, three new Bagle variants (R, S and T) have emerged in the course of the day. These variants are similar to Bagle.Q (see below).


W32/Bagle.Q@mm, the newest member of the Bagle family of mass-mailing worms, was first discovered early on 18 March 2004. Bagle.Q takes advantage of a security flaw in Microsoft Internet Explorer that was reported in Microsoft Security Bulletin MS03-040 on 3 October 2003; users can patch against it with the updates found in Microsoft Knowledge Base Article 828750. Note that Outlook and Outlook Express use Internet Explorer to render HTML-based e-mail messages, so the security flaw applies indirectly to those products as well.

Bagle.Q is a mass-mailer that spreads by harvesting e-mail addresses from the infected computer's hard drive and sending e-mails with falsified FROM: addresses to these harvested addresses, using its own SMTP engine. The worm also attempts to spread via file-sharing sites by copying itself to folders with "shar" in their names.

This newest variant differs from its predecessors in that it does not send itself as a binary attachment via e-mail. Instead, it sends out e-mail that takes advantage of the vulnerability mentioned above to launch a Visual Basic script, which causes Outlook and Outlook Express to download the worm from a remote site.
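The folder-copy behaviour described above can be checked for when reviewing a suspect machine. The following sketch is an added example, not F-Prot code: it lists files that start with an executable header in any folder whose name contains "shar". Treating subfolders as in scope, the `since` filter and the sample file names are assumptions of the example.

```python
import os
import tempfile
from datetime import datetime, timezone

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a DOS/Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable or locked: cannot classify

def sweep_share_folders(root, since=None):
    """List (path, size, mtime) of executables under any folder whose name
    contains 'shar' (case-insensitive); `since` is an optional aware datetime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Check every path component below root, so subfolders count too.
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if not any("shar" in part.lower() for part in parts):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_pe(full):  # judge by content, not by extension
                continue
            st = os.stat(full)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            if since is None or mtime >= since:
                hits.append((full, st.st_size, mtime))
    return sorted(hits)

def demo():
    """Sweep a constructed tree; the file names are invented, not the worm's."""
    layout = {
        "My Shared Folder/setup.exe": b"MZ\x90\x00",
        "My Shared Folder/readme.txt": b"plain text",
        "p2p/SHARE/sub/photo.jpg": b"MZ\x90\x00",   # executable content, image name
        "Documents/tool.exe": b"MZ\x90\x00",        # not in a 'shar' folder
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p, _size, _mtime in sweep_share_folders(root)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

A hit is only a candidate for review; the files it lists should then be scanned with up-to-date signature files.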

Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers. Users should also make sure that they have patched against the vulnerability reported in Microsoft Security Bulletin MS03-040 [KB828750].

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

For more information on this worm and its disinfection, please visit our virus information section.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Bagle.Q@mm using virus signature files dated 18 March 2004 or later.

Commtouch® is a leading developer of anti-virus software and anti-spam filtering services. Commtouch's anti-virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
