New, more dangerous Net Viruses unleashed

Friday, March 19th, 2004

Latest variants no longer rely on telltale attachment to suspicious e-mail

Jeff Lee

Nasty new viruses that can make computer users’ financial and personal information available to hackers and are activated simply by looking at e-mail are working their way around the world, Internet security experts said Thursday.

The new and more dangerous variations of the Bagle virus — first discovered in January — have been unleashed with a new twist: users no longer have to open an accompanying attachment to get the virus.

Anti-virus experts say five new variants of Bagle can defeat and disable security and anti-virus programs, rendering the machine vulnerable to cyberspace piracy.

“This is a pretty serious new twist, in that most people have learned not to open e-mails that have attachments they aren’t expecting,” said Chris Belthoff, a senior security analyst with Sophos, an anti-virus and anti-spam company with offices in Vancouver.

“That information is now useless in light of this new method being propagated by Bagle. Now, even looking at the message in a preview window is enough to kick it off.”

Belthoff said the virus makes the computer available to hackers who can turn it into a platform from which to launch other attacks. It also allows hackers to install programs, such as keystroke-monitoring software that can harvest sensitive information.

“It can put all that into a file that someone can come back and take at their leisure,” he said. “They can look and see a 16-digit number followed by what looks like an expiry date and conclude they have credit card information. It is pretty serious what this virus will allow people to do.”

The new variants of the Bagle virus, known as Bagle-P, Q, R, S and T, exploit known flaws in Microsoft’s Internet Explorer, Outlook and Media Player programs to run a small hypertext language message that downloads the virus directly into the target computer.

Although Microsoft issued a patch last October to fix the flaw, it may still not be enough to prevent new variants of the Bagle virus from infecting users’ computers, according to a Korean anti-virus company.

Eric Kwon, chief executive officer of Global Hauri, which identified three of the variants shortly after they were released, said his staff discovered the virus is still triggered if users try to save the message on computers that have already been patched with the Microsoft fix.

“We found that even a patched computer is still vulnerable if someone tries to save the message,” Kwon said. “This means people are going to have to change the way they send messages to one another.”

Anti-virus companies around the world began reporting the new variants overnight as users began to open messages that did not contain attachments. Computers in Korea and Australia were first hit early Thursday, with thousands of machines being infected as people went to work. Computer users in Britain later began to experience problems.

Kwon, whose company has an office in San Jose, California, said the e-mail containing the viruses uses authentic subject lines to fool people into opening the message.

“In today’s cyber post office, it is increasingly more difficult to tell friend from foe. One now must go the extra step of identifying and never opening e-mails with the titles of known Bagle virus subject lines (see sidebar) even though there is no attachment visible,” he said.

Global Hauri’s staff also found taunts written by the viruses’ author warning people to “not even try” to build a defence. Belthoff said Sophos identified Bagle-S and T as variants of Bagle-R.

Belthoff said he can’t verify Global Hauri’s claim that the virus is still activated in patched computers.

He said the solution is to make sure computers have the latest Microsoft patches and also use anti-virus programs with up-to-date virus definitions.

Microsoft’s patch can be found at

– – –


The new variants of the Bagle virus discovered Thursday are transmitted through an e-mail message without an attachment. The variants are known as Bagle-P, Bagle-Q, Bagle-R, Bagle-S and Bagle-T.

One anti-virus company, Sophos Inc., has found that Bagle-R avoids sending itself to addresses that include the following words: @hotmail, @msn, @microsoft, [email protected], f-secur, [email protected], [email protected], [email protected], feste, gold-certs@, [email protected], [email protected], [email protected], noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, [email protected], [email protected]

Here are some of the randomly-chosen subject lines the virus selects when mailing itself to other computers:

– E-mail account security warning.

– Notify about using the e-mail account.

– Warning about your e-mail account.

– Important notify about your e-mail account.

– Email account utilization warning.

– E-mail technical support warning.

– Email report.

– Important notify.

– Account notify.

– E-mail warning.

– Re: Msg reply.

– Re: Hello.

– Re: Yahoo!

– Re: Thank you!

– Re: Thanks :).

– Re: Document.

– RE: Text message.

– Incoming message.

– Encrypted document.

The viruses exploit a known flaw in Microsoft’s Internet Explorer and Outlook programs.

Microsoft’s patch can be found at:

Source: Sophos Inc., Global Hauri Inc., Microsoft Inc.

© The Vancouver Sun 2004
