Like it or not, we're hot and heavy into the first active virus season of 2004. If the past is any indication, it should last until May, then resume again in early August. Despite the sheer number of medium-threat viruses on the loose this year, however--we've seen about 36 low- to medium-level threats since January 18, 2004--virus writers seem to be burning through their bag of new tricks with only limited success. Indeed, none of the recent crop of Bagle, Netsky, and MyDoom variants has risen above a medium threat level. Still, the season isn't over yet; we may have seen only the beginnings of a bad year. Fortunately, there are ways you and I can defeat these buggers before they attack, but first, let me detail the history of one recent annoyance: Bagle.
New Bagle flavors cause minor indigestion
Since the first of the year, at least 20 variations of the Bagle virus, most created by the same author, have hit the Internet. Bagle versions b through g simply open a backdoor port, allowing the virus author access to infected computers, which could lead to big security problems. Versions h through o add greetz (messages to other virus writers embedded in the code); these versions appear to be part of a gang war on the Internet.
Version n protects infected ZIP file attachments with a password that appears in plain text within the body of the infected e-mail message. After antivirus vendors caught on to this trick, variants n, o, and p placed the password within an image file--a trick first used by antispammers to keep spam robots from reading coded e-mail addresses on the Internet. Variant p compressed the virus with the much rarer RAR file format, and again, antivirus vendors responded quickly. Of these Bagle variants, only n was particularly successful.
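All three of the tricks just described (a password-protected ZIP whose password sits in the message body, the same archive with the password moved into an attached image, and a switch to the RAR format) are visible to a mail gateway without a virus signature. The following is an added example, not code from the original column or from any antivirus vendor, showing how such a triage heuristic can be written in Python. The sample messages, the archive fixture, and the names `make_zip`, `build_sample` and `triage_message` are constructed for this example. Because Python's `zipfile` module cannot write encrypted archives, the fixture patches the encryption flag bit into an ordinary archive instead of enciphering anything.

```python
"""Mail triage heuristics for Bagle-style attachment tricks (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the two archive formats the column mentions.
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07\x00"

# Matches "password: abc", "password is abc", "Password - abc" in a mail body.
PASSWORD_RE = re.compile(r"\bpassword\b\W*(?:is\b\W*)?([^\s.,;]+)", re.IGNORECASE)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry carries the traditional PKWARE encryption flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    reasons = []
    encrypted_zip = False
    has_image = False
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if payload.startswith(RAR_MAGIC) or name.endswith(".rar"):
            reasons.append("RAR attachment: %s" % name)
        if payload.startswith(ZIP_MAGIC) and zip_is_encrypted(payload):
            encrypted_zip = True
            reasons.append("password-protected ZIP attachment: %s" % name)
        if part.get_content_type().startswith("image/"):
            has_image = True
    if encrypted_zip:
        match = PASSWORD_RE.search(body_text)
        if match:
            reasons.append("ZIP password appears in body: %r" % match.group(1))
        elif has_image:
            reasons.append("encrypted ZIP plus image attachment (password may be in the image)")
    return reasons


def make_zip(name: str, content: bytes, encrypted: bool) -> bytes:
    """Constructed fixture: a stored ZIP, optionally with the encryption flag set.

    zipfile cannot write encrypted archives, so the flag is patched into the
    local header (offset 6) and central directory entry (offset 8) by hand.
    The payload itself is left in the clear; only the flag is set.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((ZIP_MAGIC, 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample(body: str, attachments) -> bytes:
    """Constructed fixture: a multipart message with the given attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content(body)
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(
        "Your archive password is 12345.",
        [("doc.zip", "application", "zip", make_zip("doc.exe", b"constructed", True))],
    )
    for reason in triage_message(sample):
        print(reason)
```

The heuristic only escalates when the archive is actually flagged as encrypted, so ordinary ZIP attachments with the word "password" somewhere in the body are not flagged; a gateway would normally route matches to quarantine rather than reject them outright.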
On the other hand, Bagle.q, which appeared on March 18, 2004, opened a new can of worms. Bagle variations q through t are unique in that some of their e-mail targets don't have to open the attached file to become infected. Vulnerable systems include those Windows systems not yet updated with the cumulative patch for Internet Explorer (MS03-040) released last October.
On these vulnerable systems, simply previewing e-mail infected with Bagle.q, r, s, or t will launch the script necessary for infection--no user action required. The flaw that allows this shenanigan lies within Internet Explorer, which handles all HTML operations for Outlook, and the flaw will automatically activate the script that downloads the virus from one of 600 hard-coded Internet Protocol (IP) addresses.
What's interesting is that all 600 of these particular IPs appear to be home computers using ADSL connections, according to the antivirus vendor F-Secure. In fact, these zombie machines have all been infected with Trojan horses delivered by earlier versions of Bagle.
Two new Trojan horses ride in
In January 2004, the viruses Bagle and MyDoom both began using a new Trojan horse called Mitglieder. This Trojan horse creates a network of peer-to-peer-connected machines that can forward e-mail to even more computers and create open proxies, which can then relay spam anonymously. Mitglieder also allows the virus writer to instigate a distributed denial-of-service attack on a chosen target. MyDoom, for example, attacked SCO Linux, Microsoft, and RIAA sites.
Now virus writers have another choice: Agobot/Phatbot. This Trojan horse is more compact but includes more capabilities, which prompted a warning on March 17, 2004, from US-CERT. Among other malicious tasks, Agobot/Phatbot builds networks of infected PCs very quickly, steals passwords from AOL accounts, sniffs for PayPal cookies, and harvests e-mail addresses from HTML files for the purposes of spamming those addresses. A detailed analysis can be found on the Lurhq
Agobot/Phatbot takes advantage of several recent Microsoft vulnerabilities, including RPC/DCOM (MS03-026) (a vulnerability made famous last August by MSBlast), a buffer overrun in RPCSS (MS03-039), a buffer overrun in Workstation Service (MS03-049), and WebDAV (MS03-007). However, by installing the above patches from Microsoft, you can mitigate the effects of Agobot/Phatbot.
It's patch now or pay later
I know it's a hassle, but you really must update and patch your Windows system whenever Microsoft says that you should. I also know that some Microsoft patches have been known to break functionality in third-party apps or remove your Favorites from Internet Explorer, but these are trivial problems compared to the hours of frustration you'd spend cleaning up after some new virus. You may want to wait a few days after Microsoft makes a new patch available just to see if it causes any installation grief; Microsoft has been known to patch its patches. But don't wait too long. With virus writers playing around with new tricks every day, it's better to spend a few minutes on prevention now.