BAGLE VIRUS HAS NEW VARIANTS
New variants of the Bagle virus are transmitted through an e-mail message without an attachment. The variants are known as Bagle-P, Bagle-Q, Bagle-R, Bagle-S and Bagle-T.
Bagle-R avoids sending itself to addresses that include the following words: @hotmail, @msn, @microsoft, rating@, f-secur, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@
Here are some of the randomly-chosen subject lines the virus selects when mailing itself to other computers:
- E-mail account security warning.
- Notify about using the e-mail account.
- Warning about your e-mail account.
- Important notify about your e-mail account.
- Email account utilization warning.
- E-mail technical support warning.
- Email report.
- Important notify.
- Account notify.
- E-mail warning.
- Re: Msg reply.
- Re: Hello.
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :).
- Re: Document.
- RE: Text message.
- Incoming message.
- Encrypted document.
The patch against the Microsoft Outlook security vulnerability can be found at www.microsoft.com/technet/security/bulletin/MS03-040.mspx. Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for Microsoft security vulnerabilities.
Sophos recommends the following precautions against the W32/Bagle-Q and W32/Bagle-R worms:
- Get and apply the latest Internet Explorer/Outlook Express patches from Microsoft. This prevents the automatic download of the virus.
- Disallow connections to TCP port 81 through your network firewall. Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking inbound port 81 connections means that even if you do get infected you will not pass the virus on to others.
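To check whether the port 81 rule above is catching anything, firewall logs can be triaged for TCP port 81 attempts in either direction. The following is an added example, not part of the original advisory: the log lines are constructed in iptables LOG style, and the internal range 10.0.0.0/8 and the function name `triage` are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the protected network is 10.0.0.0/8; adjust to your own ranges.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WORM_PORT = 81  # TCP port named in the advisory above

# Constructed sample lines in iptables LOG style (not real traffic).
SAMPLE_LOG = """\
Mar 18 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.23 PROTO=TCP SPT=1042 DPT=81 SYN
Mar 18 10:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.9 PROTO=TCP SPT=1043 DPT=81 SYN
Mar 18 10:03:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.2 DST=192.0.2.80 PROTO=TCP SPT=3301 DPT=80 SYN
Mar 18 10:05:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=10.0.9.30 PROTO=TCP SPT=2210 DPT=81 SYN
Mar 18 10:06:15 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.18 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=81
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def triage(log_text):
    """Return {internal_host: {"outbound": peers, "inbound": peers}} for TCP/81."""
    hosts = defaultdict(lambda: {"outbound": set(), "inbound": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(WORM_PORT):
            continue  # the advisory concerns TCP port 81 only
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than guess
        if src in INTERNAL and dst not in INTERNAL:
            # Internal host reaching out on port 81: attempted download.
            hosts[str(src)]["outbound"].add(str(dst))
        elif dst in INTERNAL and src not in INTERNAL:
            # Outside host reaching an internal one: it may be serving the worm.
            hosts[str(dst)]["inbound"].add(str(src))
    return dict(hosts)

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_LOG).items()):
        print(host, "outbound:", sorted(hits["outbound"]),
              "inbound:", sorted(hits["inbound"]))
```

Hosts listed with outbound hits are candidates for patch checks and a virus scan; hosts with inbound hits should be inspected for a listener on port 81.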