Friday, October 29, 2004

W32/Bagle.bd Medium alert ...

Indeed we've seen enough samples now to give it that ranking. Also other AV vendors are going to medium for this one!

Two new variants of W32/Bagle released within hours...

We just got the third new Bagle for today. This one is functionally similar to Bagle.bb. It is also repacked and has a different CPL stub and different application icon.
This time the icon of the file it drops to the Windows system directory looks like three hard drives.
Good news so far: those two new variants are not In-The-Wild like the first one today.

New Bagle variant is going to a medium alert!

It has been a long time since we last went on medium alert, but it seems time now because this new Bagle variant has been spotted in several locations. It sends emails with a smiley ":)" as the message body. The attachment filename starts with "Price" or "Joke" and the extension is COM, EXE, SCR or CPL. Analysis is being done by most AV vendors at this moment and some have already released new signatures. Some call it W32/Bagle.bb (McAfee), some W32/Bagle.at (F-Secure), I-Worm.Bagle.at (Kaspersky), W32/Bagle-AU (Sophos), W32/Bagle.BC.worm (Panda) and WORM_BAGLE.AT (Trend)...

Wednesday, October 13, 2004

Again loads of Critical MS Security Patches!

Microsoft has released several critical updates for Windows, Exchange and Office. Some of these vulnerabilities allow privilege elevation (MS04-032). Some allow arbitrary code execution via Windows Metafile (MS04-032), some of them via Excel (MS04-033) or even zip files (MS-034).
Further information and a complete list of the updates are available at Microsoft's TechNet Security site. I recommend you use Windows Update ASAP.
There is also an update available for the patch of the JPG vulnerability (MS04-028).

Thursday, October 07, 2004

JPEG Virus or Worm still expected, please patch ASAP!

We are still waiting for the release of a new worm or virus which will be using the JPG vulnerability. I personally thought that it would be released during last week's anti-virus conference, but this was not the case ... the countdown continues.
I want to get people to patch before it's too late.
A couple of notes on this vulnerability:
- Filtering files with .JPG extension won't protect you much. Bad JPGs can be renamed to .BMP and they still work fine.
- Definitely try to update Word, Excel and other Office tools; for that you need to visit officeupdate.microsoft.com. These are the most important programs to update.
- A lot of anti-virus scanners have released generic updates already; however, I don't have any idea what the real impact will be if a real attack is launched.
- However, exploiting Internet Explorer with this vulnerability seems to be particularly hard. Exploiting Windows XP's EXPLORER.EXE while viewing local JPG files is much easier and several toolkits to create JPGs like this exist. This reduces the likelihood of the appearance of a massmailer worm using this vulnerability.
- At least try to update your anti-virus scanner ASAP as this will be the first protection for most of the home users and corporates.
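The first note above, as an added example that is not part of the original post: a gateway rule keyed on the file name misses a JPEG renamed to .BMP, while a rule keyed on the leading bytes still routes it to the JPEG scanner and flags the mismatch. The function names and sample files are assumptions made up for this illustration.

```python
import os

# Leading bytes identify the image container no matter what the file is called.
MAGIC = {"jpeg": b"\xff\xd8\xff", "bmp": b"BM", "gif": b"GIF8",
         "png": b"\x89PNG\r\n\x1a\n"}
EXTENSIONS = {"jpeg": {".jpg", ".jpeg", ".jpe", ".jfif"}, "bmp": {".bmp", ".dib"},
              "gif": {".gif"}, "png": {".png"}}


def sniff(data: bytes):
    """Return the image type indicated by the file content, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_type(filename: str):
    """Return the image type the extension claims, or None."""
    ext = os.path.splitext(filename)[1].lower()
    return next((k for k, exts in EXTENSIONS.items() if ext in exts), None)


def extension_filter(filename: str, data: bytes) -> bool:
    """Naive rule: treat a file as JPEG only when it is named like one."""
    return claimed_type(filename) == "jpeg"


def content_filter(filename: str, data: bytes) -> dict:
    """Content rule: route by magic bytes and flag name/content mismatches."""
    actual, claimed = sniff(data), claimed_type(filename)
    return {
        "scan_as_jpeg": actual == "jpeg",
        "mismatch": claimed is not None and actual != claimed,
    }


# Constructed sample inputs: header bytes only, not real images.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
BMP_BYTES = b"BM" + b"\x00" * 16
SAMPLES = [("holiday.jpg", JPEG_BYTES), ("holiday.bmp", JPEG_BYTES),
           ("logo.bmp", BMP_BYTES)]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, extension_filter(name, data), content_filter(name, data))
```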

Monday, October 04, 2004

After the conference 2

You can't leave Chicago without visiting ...


After the conference

More and better pictures will be posted to the main site (fam-page) shortly; I'm leaving Chicago.


Saturday, October 02, 2004

Vb conference 2004

Closing panel discussion... We'll shortly have new pictures available on our website ('fam'-section).


Friday, October 01, 2004

Vb conference 2004

Gala dinner pict. 2


Vb conference 2004

Gala dinner pict. 1
