Will MailScanner pickup the W32/Bagle-Q virus?

Julian Field mailscanner at ecs.soton.ac.uk
Thu Mar 18 12:06:38 GMT 2004


It will now. See 4.29.2.

At 10:32 18/03/2004, you wrote:
>As this virus does not have an attachment, can someone confirm if it will
>be stopped by MailScanner.
>
>Thanks
>
>Dean.
>
>W32/Bagle-Q is a mass-mailing virus. This virus spreads in an unusual
>manner, so please read the information below carefully.
>
>W32/Bagle-Q spreads via a "carrier" email which does not contain the worm
>as an attachment.
>
>When you open a "carrier" email, the email attempts to exploit a
>vulnerability in Outlook which automatically downloads W32/Bagle-Q from
>the PC which sent you the "carrier" email. The security vulnerability was
>reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.
>
>The "carrier" email downloads and launches a Visual Basic script. This
>script downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on
>the sender's PC.
>
>The downloaded copy of W32/Bagle-Q is placed into your system folder with
>the name directs.exe.
>
>W32/Bagle-Q loads on your PC and terminates a wide range of security
>applications.
>
>A registry entry is added to the key:
>HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that the program
>directs.exe loads every time you logon to your computer.
>
>W32/Bagle-Q makes multiple copies of itself into folders which are likely
>to be part of a file-sharing network.
>
>W32/Bagle-Q infects programs on your PC by appending itself to existing
>EXE files (this is called "parasitic virus infection").
>
>The danger of W32/Bagle-Q can be mitigated not only by updating Sophos
>Anti-Virus but by blocking connections to TCP port 81 through your network
>firewall. (This port is unlikely to be required for any real services.)
>
>Blocking outbound port 81 connections stops computers on your network from
>downloading the worm from outside. Blocking port 81 inbound means that
>even if you do get infected you will not pass the virus on to others.
>
>You should also apply the latest Internet Explorer/Outlook Express patches
>from Microsoft. The vulnerability used by W32/Bagle-Q is described in the
>Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag
>vulnerability in Popup Window".
>
>--
>
>Visit our website at www.roke.co.uk

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
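The advisory quoted above gives two host-side indicators a defender can look for: a Run-key value that loads directs.exe from the system folder, and TCP port 81 either listening (the infected PC serving the worm) or connected to outbound (a download in progress). The Python below is an added example, not part of this message or of MailScanner; it parses a constructed `reg export` fragment and constructed `netstat -an` output, and the value name "directs", the benign ctfmon.exe entry and the addresses are all assumptions made up for the sample.

```python
import re
# Constructed sample fragment of a "reg export" of the Run key (not real data)
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"directs"="C:\\WINDOWS\\system32\\directs.exe"
"""

# Constructed sample of "netstat -an" output (not real data)
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:81            ESTABLISHED
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_EXE = "directs.exe"  # file name the advisory says the worm uses

def run_entries(reg_text):
    """Parse a .reg export and return {value name: command} for the Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double every backslash; undo that
                entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def suspicious_run_entries(reg_text, exe=SUSPECT_EXE):
    """Names of Run-key values whose command is the suspect executable."""
    return sorted(name for name, cmd in run_entries(reg_text).items()
                  if cmd.lower().endswith(("\\" + exe, "/" + exe)) or cmd.lower() == exe)

def port81_sockets(netstat_text):
    """Sockets listening on TCP 81 (worm serving itself) or connected out to it."""
    found = {"listening": [], "outbound": []}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        _, local, remote, state = parts[:4]
        if state == "LISTENING" and local.endswith(":81"):
            found["listening"].append(local)
        elif state == "ESTABLISHED" and remote.endswith(":81"):
            found["outbound"].append(remote)
    return found
```

Feed the functions the real output of `reg export` and `netstat -an` from a host to check it; an empty result from both is the expected clean state.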
