
Security Strategy

Virus warning: Bagle return exploits Outlook flaw

More worm chaos in your inbox...

By Munir Kotadia

Published: 18 March 2004 18:00 GMT

The returning Bagle worm is exploiting an old Outlook flaw to spread even more quickly.

Users no longer have to click on an attachment to spread the Bagle virus because the latest variants are exploiting an old flaw in Microsoft Outlook that allows the worm to spread even more quickly.

Until the appearance of Bagle variants Q, R and S, users had to click on an emailed attachment to be infected by the worm. However, these attachments were easily spotted by antivirus programs and eliminated. To fool antivirus software, the next batch of Bagles was sent with the infected attachment hidden inside an encrypted Zip file, with the password to open the file contained in the email's text. Antivirus companies dealt with this change within a few days, so in the next variant the password appeared in a small graphic file, making it more difficult to scan.

The latest Bagle incarnation has done away with the attachment altogether and spreads when a vulnerable user opens the email using an unpatched version of Microsoft Outlook. If their Outlook preview pane is open, the victim's machine will be compromised automatically. Because of this change in tactics, experts fear the worm could spread very quickly.

Sophos's senior technology consultant, Graham Cluley, said: "This is a really sneaky, cunning trick. It's exploiting a five- or six-month-old Outlook security vulnerability so that just previewing an email - not the attachment - in an unpatched copy of Outlook will result in the virus being dragged from an infected machine to your machine. This has the potential to spread very quickly because so many people, particularly home users, have not applied the patches."

Mikko Hyppönen, director of antivirus research at F-Secure, said the latest variant uses a list of about 600 IP addresses, which all seem to be home computers connected to an ADSL service that have been infected by previous versions of Bagle. These "zombie" machines have been updated and are now used to send copies of the new worm to any computer on which the victim uses a vulnerable copy of Outlook to view an infected email message.

Outlook uses elements of Internet Explorer to render the HTML for its preview pane, so to avoid the new Bagle worms, users should apply a patch for Internet Explorer that Microsoft released in October 2003.

Munir Kotadia writes for ZDNet UK
