Bagle.Q - Doesn't Need Attachment!

Bagle.Q
Bagle Doesn't Need Attachments:
It Auto-Executes upon Arrival

Severity: Medium

18 March, 2004

About the Virus:

Anti-virus researchers discovered four new variants of Bagle today, continuing 2004's unprecedented avalanche of innovative worms. Bagle.Q is particularly aggressive and infects victims without relying on email attachments. Bagle.Q (and the subsequent variants Bagle.R, .S, and .T) still spreads via email, but when it arrives in a victim's Inbox it attempts to launch itself by exploiting a vulnerability Microsoft patched in 2003. The good news is that if you've kept up with Microsoft patches, anti-virus signatures, and firewall egress filtering, you probably don't need to do anything new to defend your network.

Distinguishing Characteristics

Bagle.Q can't be recognized by its "From:" field, which it spoofs, but you can spot it by its Subject line, which it chooses randomly from a list of reasonable-sounding options such as "Re: Msg reply," "RE: Text message," and "Fax message received." (Sophos' advisory gives the complete list.) The body of the email appears empty.
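The characteristics above (a subject from a short fixed list, a body that renders as empty, no attachment) are enough for a coarse mail-gateway triage rule. The following is an added example, not code from the original alert; it uses only the three subjects quoted above (extend the set from the vendor's full list), and the sample messages are constructed for illustration, with a placeholder HTML body rather than the worm's actual HTML.

```python
"""Flag inbound mail that matches the Bagle.Q carrier profile.

Added example, not part of the original advisory. Heuristic only: a subject
from the known list, no attachment, and a body with no visible text.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subjects quoted in the advisory; Sophos publishes the full list.
BAGLE_Q_SUBJECTS = {
    "re: msg reply",
    "re: text message",
    "fax message received",
}

TAG_RE = re.compile(r"<[^>]+>")


def visible_text(msg: EmailMessage) -> str:
    """Concatenate the text the reader would actually see, across all parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            # crude tag strip: enough to decide whether the body *looks* empty
            text = TAG_RE.sub("", text)
        chunks.append(text)
    return "".join(chunks).strip()


def looks_like_bagle_q(raw: bytes) -> bool:
    """True when the message fits the carrier profile described in the alert."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    if subject not in BAGLE_Q_SUBJECTS:
        return False
    # The carrier has no attachment: it is HTML that Outlook renders, not a file.
    has_attachment = any(part.get_filename() for part in msg.walk())
    return not has_attachment and visible_text(msg) == ""


# Constructed samples (hypothetical addresses; the HTML body is a placeholder).
SAMPLE_CARRIER = b"""From: "Accounts" <accounts@example.com>
To: victim@example.net
Subject: Re: Msg reply
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
"""

SAMPLE_BENIGN_REPLY = b"""From: colleague@example.net
To: victim@example.net
Subject: Re: Msg reply
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Thanks, see you Monday.
"""

SAMPLE_EMPTY_OTHER_SUBJECT = b"""From: colleague@example.net
To: victim@example.net
Subject: (no subject)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("carrier", SAMPLE_CARRIER),
                      ("benign reply", SAMPLE_BENIGN_REPLY),
                      ("empty, other subject", SAMPLE_EMPTY_OTHER_SUBJECT)]:
        print(f"{name}: {'FLAG' if looks_like_bagle_q(raw) else 'pass'}")
```

The rule deliberately requires all three signals at once; a subject match alone would quarantine legitimate replies (the second sample), and an empty HTML body alone is common in auto-generated mail. Treat a hit as a reason to quarantine for review, not as proof of infection; the authoritative check is still your anti-virus signatures.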

What It Does

If the intended victim opens this "carrier" e-mail, Bagle.Q attempts to exploit an old flaw in Internet Explorer (which Outlook uses to render HTML emails). Specifically, the worm exploits a flaw described in Microsoft Security Bulletin MS03-040, which offered a patch back in October 2003. Diligent administrators installed this patch long ago.

If Bagle.Q successfully executes, it begins a multi-pronged attack. This aggressive parasite:

  • Writes itself to your computer's registry so that it starts up every time you reboot your computer.
  • Attempts to shut off your security software, trying to silence alarms noting your infection. Bagle tries to find and terminate a staggering 500 different security processes, including personal firewalls from Norton, Black Ice, and ZoneAlarm (see the entire list in F-Secure's advisory).
  • Searches files on local hard drives for email addresses it can mail itself to using its own SMTP engine. Bagle is impressively thorough, searching recursively (descending into every subdirectory) and exhaustively -- it checks inside two dozen different file types, including Excel files, CGI forms, HTML documents, text files, and much more.
  • Installs a web server, listening on TCP port 81, so that your machine can offer Bagle.Q's malicious HTML to other victims.
  • Installs Trojan code, attempting to contact its author at a server chosen randomly from a list of 590 IP addresses. (This is the part of Bagle's payload that depends on exploiting an Outlook flaw. However, as we wrote this, authorities had found and closed down all but 39 of the IP addresses.) Some variants also open a listener on TCP port 2556.
  • Installs itself as bait on shared directories. Bagle.Q makes multiple copies of itself into folders which it thinks are part of a file-sharing network. Under tempting filenames such as "porno picture archive xxx.exe," "Windown Longhorn Beta Leak.exe," and "Matrix 3 Revolution English Subtitles.exe," it hopes to spread when fooled users open it. (Sophos details the complete list of phony filenames.)
  • Appends itself to existing EXE files. Thus when you run legitimate programs on your computer, you're also launching Bagle again.

If you get infected and have to clean up all that, you'll find that Bagle is one tough pastry. In the Thank God for Small Favors category, at least Bagle does not seek to destroy anything on victim machines.

What you can do

  • Keep your anti-virus definitions up to date. (Pardon us if we now say, "Duh!")
  • Have users turn off Outlook's Preview Pane. The vulnerability that Bagle.Q exploits enables Bagle to execute without user intervention, as soon as Outlook renders the HTML email. (That's why this variant doesn't bother with an attachment.) However, if you turn off the Preview Pane in Outlook (View => Preview Pane or View => AutoPreview), the worm can't run until the user opens its carrier email. Note that this technique doesn't stop Bagle entirely; it simply provides a chance to delete it before it launches.
  • Egress filter, using your firewall. We offer tips on how to do so below. Bagle tries to use TCP port 81 (both inbound and outbound) and TCP port 2556, but we recommend you block all unused ports outbound. All WatchGuard firewalls block TCP port 2556 by default. Even if Bagle.Q manages to infect one or more of your computers, it will not be able to receive further instructions from its author (unless, for some reason, you have created a custom service specifically opening port 2556).
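Egress filtering also gives you a detection signal: a host that is blocked (or logged) connecting outbound to TCP 81 or 2556 is worth a look before the anti-virus alarm ever fires. The script below is an added example, not part of the alert and not a WatchGuard product feature; it reads a generic, made-up firewall log format (timestamp, direction, src, dst, proto) that you would adapt to your own firewall, and the allow-list of legitimate outbound ports is an assumption standing in for your site policy. The log lines are constructed.

```python
"""Triage outbound firewall logs for Bagle.Q's ports (81, 2556).

Added example. The log format and the egress allow-list below are
assumptions for illustration, not a real vendor format or policy.
"""
import re
from collections import defaultdict

# Ports the advisory attributes to Bagle.Q: 81 for its HTML server,
# 2556 for the listener some variants open.
BAGLE_PORTS = {81, 2556}

# Outbound services this hypothetical office network allows; everything
# else outbound is "unused" and should be blocked, as the alert recommends.
ALLOWED_EGRESS = {25, 53, 80, 443}

# Hypothetical log line shape: "<date> <time> OUT src=a.b.c.d:port dst=... proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def egress_report(lines):
    """Map each internal source IP to the non-allow-listed outbound TCP ports
    it tried, split into Bagle's ports and everything else."""
    report = defaultdict(lambda: {"bagle": set(), "other": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT" or rec["proto"] != "tcp":
            continue  # inbound traffic and non-TCP are out of scope here
        port = rec["dport"]
        if port in ALLOWED_EGRESS:
            continue
        bucket = "bagle" if port in BAGLE_PORTS else "other"
        report[rec["src"]][bucket].add(port)
    return dict(report)


def likely_infected(report):
    """Hosts that reached for at least one of Bagle.Q's ports, sorted."""
    return sorted(host for host, ports in report.items() if ports["bagle"])


# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """
2004-03-18 09:14:02 OUT src=10.0.0.15:1043 dst=203.0.113.7:81 proto=tcp
2004-03-18 09:14:05 OUT src=10.0.0.15:1044 dst=198.51.100.9:2556 proto=tcp
2004-03-18 09:15:10 OUT src=10.0.0.22:1201 dst=192.0.2.10:443 proto=tcp
2004-03-18 09:16:33 OUT src=10.0.0.31:1300 dst=192.0.2.44:6667 proto=tcp
2004-03-18 09:17:00 IN src=203.0.113.55:3322 dst=10.0.0.15:81 proto=tcp
2004-03-18 09:17:10 OUT src=10.0.0.22:1202 dst=192.0.2.10:81 proto=udp
"""

if __name__ == "__main__":
    report = egress_report(SAMPLE_LOG.splitlines())
    for host, ports in sorted(report.items()):
        print(host, "bagle:", sorted(ports["bagle"]), "other:", sorted(ports["other"]))
    print("likely infected:", likely_infected(report))
```

On the sample data the host 10.0.0.15 is the one to pull off the network: it tried both 81 and 2556. The host 10.0.0.31 shows up only under "other" (an IRC port), which is a policy violation but not a Bagle indicator; the "block all unused ports outbound" advice catches both either way.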

Date: 08/24/2004