NTA Monitor

Date: 30th September 2004
Risk: Medium

Another variant of the ubiquitous Bagle worm is now making its way across the Internet, flooding inboxes with infected Zip files. The newest member of the Bagle family, named Bagle.AQ, arrives via an email message with a spoofed sending address and no subject line. The only text in the message body is typically one or two words, either "price" or "new price".

The name of the infected Zip file that accompanies the message is some variation on that theme as well. The files often are named Price.zip or New_price.zip, and may have a number appended to the end of the file name. Some users reported getting as many as 100 infected messages in an hour. Virus researchers said they first began seeing Bagle.AQ at about 8 am on the first day of the attack and have been seeing thousands of copies an hour.

If a user opens the Zip file with an application such as Windows Internet Explorer that is not a standalone Zip file handler, the user will see an HTML file that contains exploit code. The file will then execute an included .exe file, which is a Trojan, according to McAfee Inc.'s analysis. The Trojan then connects to a number of remote sites to download the actual viral code.

This new variant is one of the few worms or viruses known to download its viral payload remotely after it is already resident on a PC. It is not until the code is actually pulled down by the Trojan that Bagle.AQ begins trying to replicate itself by sending out e-mails.

Antivirus experts say the worm picked up a lot of momentum largely thanks to an aggressive spamming and seeding scheme employed by its author. They expect the worm to lose steam as time goes on and more and more of the remote servers hosting the viral code are shut down.

Vinny Gullotto, vice president of the AVERT team at McAfee in Santa Clara, Calif., said experts have closed down about half of the servers so far. Gullotto added that the worm uses a piece of JavaScript code that appears to be nearly three years old.

The worm is also capable of bypassing some file filters and outbound firewall protections, said Sam Curry, vice president of the eTrust security division at Computer Associates International Inc. in Islandia, N.Y. Because it can inject itself into the Explorer process space, the worm's outgoing traffic will appear legitimate to most firewalls.

One sign of infection is that both TCP and UDP ports 2480 will be open on compromised machines.
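Detection logic for the two indicators this alert gives, the shape of the carrier mail (spoofed sender, no subject, a body of just "price" or "new price", a Price.zip / New_price.zip attachment with optional digits) and the TCP/UDP 2480 listener on an infected host, as an added example that is not NTA Monitor's or McAfee's code. The sample message and netstat lines are constructed, and the attachment-name regex is an assumption generalising the file names the page lists.

```python
import re
from email import message_from_string

# Attachment names the page describes: Price.zip, New_price.zip, optional trailing digits.
ATTACHMENT_RE = re.compile(r"^(new_)?price\d*\.zip$", re.IGNORECASE)
BODY_WORDS = {"price", "new price"}  # the only body text the page reports

def bagle_aq_mail_indicators(raw_message):
    """Return which Bagle.AQ mail traits a raw RFC 822 message shows."""
    msg = message_from_string(raw_message)
    hits, body, zips = [], [], []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty subject")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container parts carry no payload of their own
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            zips.append(name)
        elif not name and part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    if " ".join(body).strip().lower() in BODY_WORDS:
        hits.append("body is only 'price' / 'new price'")
    hits.extend(f"attachment {n}" for n in zips)
    return hits

def port_2480_open(netstat_output):
    """Check 'netstat -an'-style text for local TCP/UDP port 2480 listeners."""
    found = {"tcp": False, "udp": False}
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0].lower() in found and f[1].rsplit(":", 1)[-1] == "2480":
            found[f[0].lower()] = True
    return found

# Constructed sample inputs (not real captures), shaped as the page describes.
SAMPLE_MAIL = """From: spoofed@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

new price
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="New_price7.zip"

--b1--
"""
SAMPLE_NETSTAT = "TCP  0.0.0.0:2480  0.0.0.0:0  LISTENING\nUDP  0.0.0.0:2480  *:*\n"
```

A mail hitting all three traits, or a host showing both 2480 listeners, warrants quarantine and a scan with current signatures; a single trait on its own is only a prompt to look closer.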
