Alerts - The No Virus Inside virus - Bagle.AQ

Date Entered: 08/11/2004

There is a new variant of the Bagle worm - Bagle.AQ

It is packed inside a small (6K) zip file. The zip, while small, contains an HTML file and an executable. The HTML component is infected with the "JS/IllWill" javascript exploit.

If your computer is up to date on the Critical updates and antivirus DATs, you should be OK, BUT if your computer's anti-virus program was disabled by a previous infection, it may not be detected.

Unfortunately, most anti-virus programs will not detect the infected zip file until it is opened, AND the real payload is not in the zip file anyway; it is on a website.
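Because the archive sits unscanned until a user opens it, the practical defense is to open it at the mail gateway instead. The following is an added example (not from this alert or from 0Spam.Net) that inspects a zip attachment for the layout described here: a small archive holding an HTML file next to an executable, with the executable also recognized by its MZ header when it carries a harmless-looking name. The sample archive is constructed inline with inert padding; the size threshold and file-extension lists are assumptions.

```python
import io
import zipfile

# Extensions a mail gateway treats as executable or as HTML content (assumed lists).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
HTML_EXT = (".html", ".htm", ".hta")


def build_sample_zip(exe_name: str = "price.exe") -> bytes:
    """Constructed sample attachment: one HTML file and one executable in a
    small zip, mirroring the layout in the alert. Contents are inert padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("price.html", "<html><body>see attached</body></html>")
        zf.writestr(exe_name, b"MZ" + bytes(512))  # PE magic, then zero padding
    return buf.getvalue()


def assess_zip(data: bytes, max_size: int = 16 * 1024) -> dict:
    """Open the archive at the gateway, before it reaches an inbox, and decide.
    Quarantines any executable member (by extension or by MZ magic under another
    name), any encrypted member that cannot be inspected, and unparseable zips."""
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reasons": ["not a parseable zip"]}
    has_exec = has_html = suspicious = False
    with archive as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(HTML_EXT):
                has_html = True
                reasons.append(f"HTML member: {info.filename}")
            if name.endswith(EXEC_EXT):
                has_exec = True
                reasons.append(f"executable member: {info.filename}")
            if info.flag_bits & 0x1:  # encrypted member: content cannot be sniffed
                suspicious = True
                reasons.append(f"encrypted member: {info.filename}")
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and not name.endswith(EXEC_EXT):
                    has_exec = True
                    reasons.append(f"PE magic under non-executable name: {info.filename}")
    if has_exec and has_html and len(data) <= max_size:
        reasons.append(f"HTML + executable in a {len(data)}-byte archive")
    verdict = "quarantine" if (has_exec or suspicious) else "deliver"
    return {"verdict": verdict, "reasons": reasons}
```

The MZ check goes beyond the alert's own description: it catches the same executable when it is renamed to a non-executable extension.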

The following text is from the digest.


For Immediate Release

August 9, 2004 (Miami, Florida)

0Spam.Net (Zero Spam Dot Net) detected a series of new Bagle virus strains Monday morning. While the spread of the virus and the intensity of the attacks has rivalled any of this year, 0Spam.Net was able to instantaneously protect its entire user base from infection - not a single penetration past the service occurred.

This version of the virus is unique in several respects:

First, it is packed inside a very small zip file, about 6K. Previous versions had averaged 4-5 times this size. The size of the zip file in this attack would mislead most trained eyes as being too small to be a virus. The zip file contains a short html file and a small executable file.

Second, the zip file contains an HTML component which is infected with "JS/IllWill," a javascript exploit discovered in November of 1991. While this should trigger most anti-virus software, an unprotected system or one which has had anti-virus disabled by a prior infection will not detect it.

Third, and more importantly, many commercial anti-virus products did not detect the known infected components of the zip file until the zip file was actually opened - the virus payload got past most server and PC defenses and sat waiting in end users' email inboxes.

Fourth, AND MOST IMPORTANTLY, the ultimate payload containing the virus is not in the zip file itself. Either loading the HTML component or running the executable starts a downloader trojan in the executable file, which initiates the process of loading and running the virus, which immediately starts trying to replicate itself on the infected machine, any vulnerable adjacent machines and other machines via a mass-mailing SMTP engine.