  1. #1
    Joined
    Jun 2001
    Location
    Lawrenceville, GA.
    Age
    46
    Posts
    18,134

    Email Virii WITHOUT attachment spreads!

    Description:


    As of 1:08 AM of March 18, 2004 (Pacific Standard Time), TrendLabs HQ declared a Yellow alert to control the spread of this malware. Like recent BAGLE variants, this malware also infects files. Its distinct feature is the use of a known vulnerability to propagate.

    Besides sending itself as email attachment to target addresses it gathers from the infected system, this virus also exploits a known vulnerability in order to increase its chances of spreading.

    It sends an email that exploits the Object Tag vulnerability in Popup Window (MS03-040), which allows a malicious user to run arbitrary code on a user's system. The email message it sends for this particular email propagation routine does not have an attachment but a link to the virus copy. When viewed, this email attempts to download PE_BAGLE.Q from a certain location.

    More information about the vulnerability is available from the following Microsoft page:

    http://www.microsoft.com/technet/sec.../MS03-040.mspx

    This virus also attempts to spread via peer-to-peer file-sharing networks by dropping copies of itself in folders that have the text string shar in their names (e.g., C:\Program Files\Kazaa\My Shared Folder).

    This virus also has backdoor capabilities. It opens port 2556 and other randomly-generated ports, where it waits for commands from a malicious user.

    It terminates certain processes, most of which are related to antivirus and firewall applications.

    It runs on Windows 98, ME, NT, 2000 and XP.

    For more information, consult the technical details section. Note that TrendLabs is currently working to provide more information on this malware.

    http://www.trendmicro.com/vinfo/viru...ame=PE_BAGLE.Q


    I suggest anyone not running a fully patched IE go to the link in the quote above and make sure you are patched.


    T
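
Added example, not part of the original post or of the Trend Micro write-up: a Python triage sketch for the two host indicators the quoted description names, a listener on TCP port 2556 and executables dropped into folders whose names contain "shar". The function names, the sample netstat output and the temporary folder tree are constructed for illustration.

```python
import os
import tempfile

BACKDOOR_PORT = 2556  # port named in the quoted description; it also mentions random ports
# Constructed sample of Windows `netstat -an` output, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2556           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:25560     ESTABLISHED
"""

def listeners_on_port(netstat_text, port=BACKDOOR_PORT):
    """Return the netstat lines that show a TCP listener on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):  # exact port match, not substring
                hits.append(line.strip())
    return hits

def executables_in_share_folders(root):
    """Return files with the PE 'MZ' magic in folders whose name contains 'shar'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(2) == b"MZ":
                        found.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(found)

def build_sample_tree():
    # Constructed folder tree in a temp dir: one share folder, one ordinary folder.
    root = tempfile.mkdtemp()
    for folder, name, data in [("My Shared Folder", "song.exe", b"MZ\x90\x00"),
                               ("My Shared Folder", "notes.txt", b"hello"),
                               ("Documents", "tool.exe", b"MZ\x90\x00")]:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(listeners_on_port(SAMPLE_NETSTAT), executables_in_share_folders(build_sample_tree()))
```

A hit from either function is a reason to look closer, not a verdict: legitimate programs can sit in a shared folder, and the description says the backdoor also uses randomly generated ports that this check does not cover.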

  2. #2
    Joined
    Apr 2001
    Location
    Tacoma Wa
    Age
    36
    Posts
    2,279
    Does this affect people that use Firefox?
    Apple MacBook Pro Intel vers dual booted with Vista

    Windows desktop system in work.

  3. #3
    Joined
    Jun 2001
    Location
    Lawrenceville, GA.
    Age
    46
    Posts
    18,134
    It appears not to matter what browser you are using; if you have IE unpatched on your system, there is a chance of infection regardless of the browser you use browsing the web.

    Remember, this comes in via email, and propagates because of a vulnerability in IE, because it uses IE to reach the net and download some file. I know I wouldn't take the chance. Get yourself patched.

    T

  4. #4
    Joined
    Aug 2003
    Posts
    1,997
    Easier just to remove IE now that there's 3rd party software that can.

  5. #5
    Joined
    Feb 2004
    Location
    United States
    Age
    32
    Posts
    561
    Originally posted by TLMiller on 03-19-2004 at 04:19 PM
    Easier just to remove IE now that there's 3rd party software that can.
    I am so happy that nowadays we can take the Microsoft out of Windows if we want to.

  6. #6
    Joined
    May 2003
    Location
    ThE BrOnX, NY
    Posts
    392
    To verify that the patch has been installed on the machine, open Internet Explorer, select Help, then select About Internet Explorer and confirm that Q828750 is listed in the Update Versions field.
    Hmm... I haven't updated IE in a while but I already have the patch


  7. #7
    Joined
    Jun 2002
    Age
    34
    Posts
    445
    Doh.. gotta update mine! Hmm I downloaded the one for ie 6 sp1 and it says I need that even though in my update version.. sp1 is listed =/
    Last edited by Nate-X; 03-20-2004 at 11:24 PM.

  8. #8
    Joined
    Mar 2004
    Age
    34
    Posts
    9
    "Doh.. gotta update mine! Hmm I downloaded the one for ie 6 sp1 and it says I need that even though in my update version.. sp1 is listed =/"


    Nate, that just means it is an update for IE6 that already has SP1... So, everything would be correct if you install the update and already have SP1.


    Tim

  9. #9
    Joined
    Nov 2002
    Location
    Aberdeen, North Carolina
    Posts
    857
    Can't get mine to post. It keeps saying that I need to download IE6 first when I already have it. I have SP1 with 128 bit encryption.

  10. #10
    Joined
    Aug 2001
    Posts
    74,696
    merge with Careful thread

  11. #11
    Joined
    Dec 2001
    Location
    Halifax, PA
    Age
    27
    Posts
    1,901
    Originally posted by stepberg on 03-21-2004 at 11:43 AM
    Can't get mine to post. It keeps saying that I need to download IE6 first when I already have it. I have SP1 with 128 bit encryption.
    HEY!!! That's Comic Sans MS! How did you do that?

  12. #12
    Joined
    Aug 2003
    Posts
    1,997
    You change the font by doing a ["font="enter font"]text["/font], without the "'s.

  13. #13
    Joined
    Dec 2001
    Location
    Halifax, PA
    Age
    27
    Posts
    1,901
    Yay, thanks man!
