New Bagle worms crawl through old MS hole
Four new versions of the Bagle e-mail worm appeared on Thursday, and anti-virus experts warn that new techniques by the worm's creator could make it harder to stop the new variants.
Software updates and alerts about Bagle.Q, R, S and T have been released. The new versions of the worm, which first appeared in January, do not carry file attachments containing the virus. Instead, they use a months-old Windows security hole to break into vulnerable machines, experts said.
"It's really nasty. Just previewing a message in an e-mail client could download the virus to your computer," said Graham Cluley, senior technology consultant at Sophos.
The security hole used by the worm is known as the Internet Explorer Object Data Remote Execution vulnerability and concerns a problem with the way the Internet Explorer Web browser interprets HTTP data. The vulnerability, MS03-032, was patched in August 2003.
Previous versions of Bagle have shipped off copies of the virus as e-mail file attachments with zip, exe and scr attachments, among others.
Anti-virus and anti-spam products can block the spread of such viruses by scanning incoming e-mail attachments, identifying the virus file by the name, size and other telltale characteristics. By foregoing file attachments, the Bagle author has made it easier to slip by security products, Cluley said.
