Antivirus Software


A fist full of Bagles

Worms infect just by reading email

By Mary Landesman, About.com

Mar 18 2004

Four new Bagle worms infect simply by reading the email - there is no email attachment involved. The worms exploit a vulnerability in Microsoft's ActiveX controls and plug-ins. This same exploit was used by the notorious Surfbar Trojan that hijacked users' browsers and the QHosts-1 Trojan that redirected users to malicious websites.

These same variants may also send themselves with an attachment. In those instances, the attachment will be either an EXE, PIF, ZIP or RAR file. The ZIP or RAR may be password-protected, in which case the password is an image file that will be displayed in the body of the email.

When sent without an attachment, the email body displays only a URL. Behind the scenes, a specially crafted script downloads an HTML file, which in turn downloads and runs the infected executable, all without any action by the user. This is made possible by a vulnerability involving Microsoft's ActiveX controls and plug-ins. Note that this behavior will not occur on systems that have been patched for the MS03-032 vulnerability. Microsoft first provided MS03-032 in August 2003. That patch was later discovered to be insufficient and a subsequent patch, MS03-040, was released in October 2003. The IT security firm Secunia provides a means to test whether a system is still vulnerable to MS03-032.

Visit Windows Update to scan for necessary patches. Install any patches marked as critical.

Thus far, all Bagle variants use their own SMTP engine to send mail and may also spread via filesharing networks such as KaZaA, Morpheus, BearShare, etc. The Bagle variants routinely spoof the From address. Bagle variants N, P, Q, S, and T also include an encrypted polymorphic file infector that infects PE_EXE files. PE_EXE files are self-contained 32-bit Windows programs such as Notepad, Calculator, etc.

Many variants of the Bagle worm masquerade as warnings from the recipient's ISP. For example, Bagle.Q may use one of the following messages:

  • mailing system wants to let you know that, Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Please see the article Bagle bombings for information on specific Bagle variants.
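The delivery traits described above (a URL-only body with no attachment, a password-protected ZIP whose password arrives as an inline image, EXE/PIF attachments, and the ISP-warning lure texts) can all be checked at the mail gateway without opening any archive. The script below is an added example written for this page, not code from About.com or from any antivirus vendor; the sample messages, the ZIP header stub and the `isp.example` sender are constructed. It reads the general-purpose flag word of the first ZIP local file header to decide whether the archive is password-protected, and matches the lure fragments with the worm's own misspellings left intact, since that is what actually lands in the inbox. RAR encryption is not inspected here.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types the article says Bagle uses when it does carry an attachment.
EXECUTABLE_EXTS = (".exe", ".pif")

# Fragments of the ISP-warning lure texts quoted in the article, kept with the
# worm's own misspellings because that is what actually arrives in the inbox.
LURE_PHRASES = (
    "account has been temporary disabled",
    "temporary unavaible",
    "improper using",
    "resign your account information",
    "ammount of viruses outgoing",
    "proxy-relay trojan server",
)


def zip_is_encrypted(data: bytes):
    """True/False for a ZIP local file header, None if the bytes are not a ZIP.

    Bit 0 of the general-purpose flag word (offset 6) marks a password-protected
    entry, so the check needs neither the password nor any decompression.
    """
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return None
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def triage(raw: bytes) -> list:
    """Return the Bagle-style delivery indicators found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, inline_images, attachments = "", 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        disp = part.get_content_disposition()  # 'inline', 'attachment' or None
        if disp == "attachment":
            attachments.append(((part.get_filename() or "").lower(),
                                part.get_payload(decode=True)))
        elif ctype in ("text/plain", "text/html"):
            text += part.get_content()
        elif ctype.startswith("image/"):
            inline_images += 1  # password-as-image lure candidate

    findings = []
    for name, data in attachments:
        if name.endswith(EXECUTABLE_EXTS):
            findings.append("executable attachment")
        elif name.endswith(".zip") and zip_is_encrypted(data):
            findings.append("password-protected ZIP attachment")
            if inline_images:
                findings.append("password-protected archive with inline image "
                                "(password-as-image lure)")
        elif name.endswith(".rar"):
            findings.append("RAR attachment (encryption not inspected here)")
    if any(p in text.lower() for p in LURE_PHRASES):
        findings.append("ISP-warning lure text")
    if not attachments and re.fullmatch(r"https?://\S+", text.strip()):
        findings.append("URL-only body and no attachment")
    return findings


# Constructed samples (not real Bagle captures): a ZIP local header with the
# encryption flag set, a PNG signature stub, and four messages built from them.
ENCRYPTED_ZIP_STUB = (b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001)
                      + b"\x00" * 22 + b"details.exe")
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def build_sample(body, image=False, attachment=None):
    m = EmailMessage()
    m["From"] = "support@isp.example"  # spoofed sender, as the article notes
    m["To"] = "user@example.net"
    m["Subject"] = "Warning about your e-mail account"
    m.set_content(body)
    if image:
        m.add_related(PNG_STUB, maintype="image", subtype="png", cid="<password>")
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


SAMPLE_LURE = build_sample(
    "Your e-mail account has been temporary disabled because of unauthorized "
    "access. The password for the archive is shown in the picture below.",
    image=True, attachment=("details.zip", ENCRYPTED_ZIP_STUB))
SAMPLE_PIF = build_sample(
    "Our antivirus software has detected a large ammount of viruses outgoing "
    "from your email account.", attachment=("cleaner.pif", b"MZ" + b"\x00" * 8))
SAMPLE_URL_ONLY = build_sample("http://example.invalid/")
SAMPLE_BENIGN = build_sample("Hi, no attachment this time; see you Monday.")

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("pif", SAMPLE_PIF),
                       ("url-only", SAMPLE_URL_ONLY), ("benign", SAMPLE_BENIGN)]:
        print(label, triage(raw))
```

The ZIP check deliberately stops at the first local file header: a gateway does not need to extract anything, and an encrypted archive paired with an inline image is a combination ordinary correspondence almost never produces, which makes it a cheap, high-confidence flag. The URL-only rule catches the attachment-less variant, but it is a triage signal, not a substitute for the MS03-032/MS03-040 patches the article points to, because the download chain runs inside the browser control rather than in the mail client.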


©2009 About.com, a part of The New York Times Company.

All rights reserved.