Price not right on Bagle variant



wenwilder
08-09-2004, 05:33 PM
Published: August 9, 2004, 1:47 PM PDT
By David Becker
Staff Writer, CNET News.com

A prolific new variant of the mass-mailing Bagle worm began flooding e-mail accounts Monday with bogus price quotes.

Like previous versions of Bagle, the new Bagle.AQ worm spreads by sending out messages with an infected attachment compressed under the common Zip format. Both the name of the attachment and the body of the message are a variant on "price" or "new price."

Unlike earlier Bagles, the new version also packs in a 3-year-old piece of JavaScript code that, once executed, attempts to send the infected PC to various Web sites to pick up more Bagle code, said Vincent Gullotto, vice president of the antivirus emergency response team for security specialist McAfee.

Bagle.AQ started spreading Monday morning and quickly began bombarding some corporate e-mail systems with thousands of infected messages, Gullotto said.

"It made its way into the public eye in a rather grandiose fashion," he said.

Read the Full Story here (http://news.com.com/2102-7349_3-5302722.html?tag=st.util.print).

redcircle
08-09-2004, 06:34 PM
HOW CAN PEOPLE BE SO STUPID TO OPEN THESE!!!!!!!!!

Sorry. I do have something to note. I haven't looked into this strain, but I'm assuming it's using the same method to get past other server-side anti-virus software: putting a password on the file and listing the password in the message not as text but as an image, so the servers can't read it.

With some of the older strains at work we decided just to block all password-protected archived files.

Question: How many people put passwords on zip files? That should be a poll. An even better question: does the average user even know how to create a password-protected zip file?

wenwilder
08-09-2004, 06:41 PM
That would be an interesting poll redcircle. Feel like starting it? ;)

wenwilder
08-09-2004, 07:01 PM
Since my McAfee updates are always slow... I'm going to add this just for information purposes.

--> What is it?

W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries
to open a hacker backdoor on your PC. Launched by code hidden
inside a ZIP attachment, the virus spreads by emailing itself
to stolen contacts and via popular file-sharing programs such
as KaZaa, Bearshare and Limewire. It also tries to terminate
anti-virus and other security software operation.

Up-to-date McAfee VirusScan users with DAT 4384 are
protected from this threat. Note: To fortify anti-virus
defense against viruses that carry backdoor payloads, we
recommend installing McAfee Personal Firewall Plus:
http://us.mcafee.com/root/campaign.asp?cid=11276

--> What should I look for?

FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip

--> How do I know if I've been infected?

Communication Port 80 (TCP) open. Outgoing messages with noted
body content and ZIP attachments.
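Putting the two defensive ideas in this thread together (redcircle's rule of holding every password-protected archive outright, since a gateway cannot read a password that only exists in an image, and the sender/body/attachment indicators in the McAfee notice quoted above), here is an added example of a small gateway check. It is not code from the thread or from McAfee; the `Message` type, the indicator lists and the sample messages are constructed for illustration, and the "encrypted" sample ZIP only has the header flag set, which is all the check looks at.

```python
"""
Added example (not from the thread or from McAfee): a minimal mail-gateway
check that applies the two defensive ideas in the posts above:
  1. hold any ZIP attachment whose entries carry the "encrypted" flag
     (general-purpose bit 0 in the ZIP headers), regardless of whether the
     password is visible in the body or hidden in an image;
  2. flag messages matching the Bagle.aq indicators McAfee listed
     (blank subject, "price"/"password" body text, price*.zip attachment).
Sample messages and the ZIP bytes below are constructed, not captured mail.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is password-protected

# Indicators taken from the McAfee notice quoted in the thread.
BODY_INDICATORS = ("new price", "the password is", "password:")
ATTACHMENT_PATTERN = re.compile(r"^price[\w-]*\.zip$", re.IGNORECASE)


@dataclass
class Message:  # hypothetical minimal message model
    subject: str
    body: str
    attachments: Dict[str, bytes]  # filename -> raw attachment bytes


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry in the archive has the encryption bit set.

    Only the central directory is read, so no password is needed and nothing
    is extracted. Raises zipfile.BadZipFile for data that is not a ZIP.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())


def classify(msg: Message) -> List[str]:
    """Return the reasons a message should be held; an empty list means clean."""
    reasons = []
    if not msg.subject.strip():
        reasons.append("blank-subject")
    body = msg.body.lower()
    for phrase in BODY_INDICATORS:
        if phrase in body:
            reasons.append(f"body-indicator:{phrase}")
    for name, data in msg.attachments.items():
        if ATTACHMENT_PATTERN.match(name):
            reasons.append(f"attachment-name:{name}")
        if name.lower().endswith(".zip"):
            try:
                if zip_has_encrypted_entry(data):
                    reasons.append(f"encrypted-zip:{name}")
            except zipfile.BadZipFile:
                # A .zip that does not parse is held too, not silently passed.
                reasons.append(f"malformed-zip:{name}")
    return reasons


def make_zip(entry_name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a small ZIP in memory for the samples.

    For the "encrypted" sample we set bit 0 of the general-purpose flag in
    both the local header (offset 6) and the central-directory header
    (offset 8). The payload itself is not enciphered; that is enough to
    exercise the gateway check, which never extracts anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        data[local + 6] |= ENCRYPTED_FLAG
        data[central + 8] |= ENCRYPTED_FLAG
    return bytes(data)


# Constructed samples, modelled on the indicators in the McAfee notice.
BAGLE_LIKE = Message(
    subject="",
    body="The password is shown in the picture below.\nnew price",
    attachments={"price_new.zip": make_zip("price.exe", b"MZ-constructed-stub", encrypted=True)},
)
CLEAN = Message(
    subject="Q3 quote",
    body="Attached is the quote we discussed.",
    attachments={"quote.zip": make_zip("quote.txt", b"plain text quote")},
)

if __name__ == "__main__":
    for label, m in (("bagle-like", BAGLE_LIKE), ("clean", CLEAN)):
        print(label, classify(m) or "no findings")
```

The encrypted-archive rule is deliberately independent of the body text: it triggers on the ZIP header alone, so it still holds the message when the password is only present as an image. The indicator rules are there for triage and will need updating as the attachment names and phrases change between variants.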

staceman
08-09-2004, 07:07 PM
I have received several instances of this virus today. I suspected something and sent it on to Symantec. My AV was not even picking it up even though it was updated only 30 minutes prior. They responded quickly with the info and a patch to update with the new virus signatures. I now fear many of my clients may have opened it...guess I'll be making the rounds tomorrow.