Will MailScanner pickup the W32/Bagle-Q virus?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Mar 18 10:52:52 GMT 2004


Dean,

Your AV solution should pick this up ;-)

Sophos put an update out a couple of hours ago.

You do have an AV tool installed on the MS machine, don't you?


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Plant, Dean wrote:
> As this virus does not have an attachment, can someone confirm if it will be stopped by MailScanner.
>
> Thanks
>
> Dean.
>
> W32/Bagle-Q is a mass-mailing virus. This virus spreads in an unusual manner, so please read the information below carefully.
>
> W32/Bagle-Q spreads via a "carrier" email which does not contain the worm as an attachment.
>
> When you open a "carrier" email, the email attempts to exploit a vulnerability in Outlook which automatically downloads W32/Bagle-Q from the PC which sent you the "carrier" email. The security vulnerability was reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.
>
> The "carrier" email downloads and launches a Visual Basic script. This script downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on the sender's PC.
>
> The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe.
>
> W32/Bagle-Q loads on your PC and terminates a wide range of security applications.
>
> A registry entry is added to the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that the program directs.exe loads every time you logon to your computer.
>
> W32/Bagle-Q makes multiple copies of itself into folders which are likely to be part of a file-sharing network.
>
> W32/Bagle-Q infects programs on your PC by appending itself to existing EXE files (this is called "parasitic virus infection").
>
> The danger of W32/Bagle-Q can be mitigated not only by updating Sophos Anti-Virus but by blocking connections to TCP port 81 through your network firewall. (This port is unlikely to be required for any real services.)
>
> Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected you will not pass the virus on to others.
>
> You should also apply the latest Internet Explorer/Outlook Express patches from Microsoft. The vulnerability used by W32/Bagle-Q is described in the Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag vulnerability in Popup Window".
>

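Dean's question above is really about where a mail scanner looks: the carrier message has no attachment, so an attachment-only check never sees the payload. The following is an added illustration, not code from the thread or from MailScanner itself: it inspects the HTML part of a message for object/iframe/script/embed references whose URL names TCP port 81, the download port given in the Sophos text. The tag and attribute lists and the two sample messages are my own assumptions and constructed data.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Port named in the advisory; the advisory notes real services rarely use it.
SUSPECT_PORTS = {81}
# Tags that make a mail client fetch remote content with no attachment present.
REMOTE_TAGS = {"object", "iframe", "script", "embed"}
URL_ATTRS = {"data", "src", "codebase"}


class _RemoteRefCollector(HTMLParser):
    """Collect (tag, url) pairs from tags that pull in remote content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in REMOTE_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, value.strip()))


def suspicious_refs(raw_message: str):
    """Return (tag, url) hits whose URL names a port in SUSPECT_PORTS."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode("latin-1", "replace")
        collector = _RemoteRefCollector()
        collector.feed(body)
        for tag, url in collector.refs:
            try:
                port = urlsplit(url).port      # None when no explicit port
            except ValueError:                 # malformed port string
                continue
            if port in SUSPECT_PORTS:
                hits.append((tag, url))
    return hits


# Constructed sample messages (not real Bagle-Q mail): a carrier-style body
# pointing an <object> at port 81 on a TEST-NET address, and a benign one.
HEADERS = "From: a@example.invalid\r\nTo: b@example.invalid\r\nContent-Type: text/html\r\n\r\n"
CARRIER = HEADERS + '<html><body><object data="http://192.0.2.10:81/x.php"></object></body></html>'
CLEAN = HEADERS + '<html><body><img src="http://www.example.com/logo.gif"></body></html>'
# suspicious_refs(CARRIER) -> [('object', 'http://192.0.2.10:81/x.php')]; suspicious_refs(CLEAN) -> []
```

A check like this belongs alongside, not instead of, the firewall block on port 81 and the MS03-040 patch the advisory recommends, since it only catches bodies that spell the port out in the URL.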