Bagle uses Outlook flaw to speed replication

The Bagle worm is exploiting an old Outlook flaw to spread even more quickly, while an ancient Trojan has gained a new name and a new lease of life

Users no longer have to click on an attachment to spread the Bagle virus because the latest variants are exploiting an old flaw in Microsoft Outlook that allows the worm to spread even more quickly.

Until the appearance of Bagle variants Q, R and S, users had to click on an emailed attachment to be infected by the worm. However, these attachments were easily spotted by antivirus programs and eliminated. To fool antivirus software, the next batch of Bagles was sent with the infected attachment hidden inside an encrypted Zip file, with the password to open the file contained in the email's text. Antivirus companies dealt with this change within a few days, so in the next variant the password appeared in a small graphic file, making it more difficult to scan.

The latest Bagle incarnation has done away with the attachment altogether and spreads when a vulnerable user opens the email using an unpatched version of Microsoft Outlook. If their Outlook preview pane is open, the victim's machine will be compromised automatically. Because of this change in tactics, experts fear the worm could spread very quickly.

Sophos's senior technology consultant, Graham Cluley, said: "This is a really sneaky, cunning trick. It's exploiting a five- or six-month-old Outlook security vulnerability so that just previewing an email -- not the attachment -- in an unpatched copy of Outlook will result in the virus being dragged from an infected machine to your machine. This has the potential to spread very quickly because so many people, particularly home users, have not applied the patches."

Mikko Hyppönen, director of antivirus research at F-Secure, told ZDNet UK that the latest variant uses a list of about 600 IP addresses, which all seem to be home computers connected to an ADSL service that have been infected by previous versions of Bagle. These "zombie" machines have been updated and are now used to send copies of the new worm to any computer on which the victim uses a vulnerable copy of Outlook to view an infected email message.

Outlook uses elements of Internet Explorer to render the HTML for its preview pane, so to avoid the new Bagle worms, users should apply a patch for Internet Explorer that Microsoft released in October 2003.

New Bagle viruses are not the only problem brewing for Windows users. A new iteration of a Trojan horse with an unusually comprehensive set of features has also appeared. Phatbot, also known as Agobot, is a powerful piece of malware that opens a back door on a computer and connects to its own peer-to-peer network of infected machines. Once a computer is infected and connected to this P2P network, the author of Phatbot has complete control over the computer and can use it for any number of malicious tasks.

"Phatbot is dangerous because it is so feature-rich that you can do anything -- it's probably the largest back-door we have ever seen in terms of features. It has multitude of different methods of gaining access to a machine, including the back doors left by Bagle, MyDoom and Blaster. Phatbot is the Swiss army knife of Trojan horses," said Hyppönen. "When it gains control of a machine, it connects to this P2P network that allows the virus writer to control and send commands to the infected hosts. As a backup, it also uses an IRC channel. There are hundreds of different commands ranging from various types of DDoS attacks to stealing everything from the address book to deleting files and finding new hosts to infect."

However, Sophos's Cluley said Phatbot can be dealt with by regular antivirus software and may be garnering attention partly because of its new moniker. "We have seen lots of different versions of this Agobot, but someone started referring to it with the trendier name of Phatbot and now people have started getting excited about it," he said.