At 1:08 AM on March 18, 2004 (Pacific Standard Time), TrendLabs HQ declared a Yellow alert to control the spread of this malware. Like recent BAGLE variants, this malware also infects files. Its distinctive feature is the use of a known vulnerability to propagate.
Besides sending itself as email attachment to target addresses it gathers from the infected system, this virus also exploits a known vulnerability in order to increase its chances of spreading.
It sends an email that exploits the Object Tag vulnerability in Popup Window (MS03-040), which allows a malicious user to run arbitrary code on a user's system. The email message it sends for this particular email propagation routine does not have an attachment but a link to the virus copy.
When viewed, this email attempts to download PE_BAGLE.Q from a certain location.
More information about the vulnerability is available from the following Microsoft page:
This virus also attempts to spread via peer-to-peer file-sharing networks by dropping copies of itself in folders that have the text string shar in their names (e.g., C:\Program Files\Kazaa\My Shared Folder).
This virus also has backdoor capabilities. It opens port 2556 and other randomly generated ports, on which it waits for commands from a malicious user.
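The two host-level indicators described above (executables dropped into folders whose names contain "shar", and a listener on port 2556) can be triaged offline from captured output. The following is an added example, not TrendLabs code; it assumes `netstat -an` style text for the socket check, matches the "shar" marker case-insensitively, and uses a constructed list of executable extensions.

```python
"""Offline triage for the PE_BAGLE.Q indicators named in this advisory.

Added example, not code from the original advisory. Input is captured text
(netstat output, file listings) so it runs without touching a live system.
"""
import re
from pathlib import PureWindowsPath

BACKDOOR_PORT = 2556                # fixed listening port named in the advisory
SHARE_MARKER = "shar"               # substring the worm looks for in folder names
EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com"}  # assumption: common PE dropper names


def listening_ports(netstat_text: str) -> set:
    """Return the TCP ports in LISTENING state from 'netstat -an' style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def flag_backdoor_port(netstat_text: str) -> bool:
    """True if the advisory's fixed backdoor port is open for connections."""
    return BACKDOOR_PORT in listening_ports(netstat_text)


def suspicious_share_drops(paths) -> list:
    """Return executables that sit under any directory whose name contains 'shar'.

    Matching is case-insensitive (assumption; the advisory gives only the string).
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() not in EXEC_SUFFIXES:
            continue
        if any(SHARE_MARKER in part.lower() for part in wp.parts[:-1]):
            hits.append(p)
    return hits


# Constructed sample input for demonstration only.
SAMPLE_NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2556           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.9:80         ESTABLISHED
"""
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\setup.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\readme.txt",
    r"C:\Downloads\Shared\movie.scr",
    r"C:\Windows\system32\notepad.exe",
]
```

Run `suspicious_share_drops(SAMPLE_PATHS)` and `flag_backdoor_port(SAMPLE_NETSTAT)` to see which constructed entries match; ESTABLISHED sockets and non-executable files are ignored.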
It terminates certain processes, most of which are related to antivirus and firewall applications.
It runs on Windows 98, ME, NT, 2000 and XP.
For more information, consult the technical details section. Note that TrendLabs is currently working to provide more information on this malware.