W32/Bagle-Q is a mass-mailing virus. This virus spreads in an unusual manner, so please read the information below carefully.
W32/Bagle-Q spreads via a "carrier" email which does not contain the worm as an attachment.
When you open a "carrier" email, the email attempts to exploit a vulnerability in Outlook which automatically downloads W32/Bagle-Q from the PC which sent you the "carrier" email. The security vulnerability was reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.
The "carrier" email downloads and launches a Visual Basic script. This script downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81 on the sender's PC.
The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe.
W32/Bagle-Q loads on your PC and terminates a wide range of security applications.
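The carrier mechanism above leaves a distinctive network trace: the recipient host opens an HTTP connection to TCP port 81 on the host that just sent it the email. The following added example (not part of the original description) correlates a constructed mail-gateway log with a constructed firewall log to surface that pattern; it assumes the mail log records the sending host's IP and that the firewall logs outbound connections by hostname.

```python
"""Correlate inbound mail with a follow-on HTTP fetch to TCP/81 on the
sending host, the pattern W32/Bagle-Q's carrier email produces.
Log formats and sample lines are constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed mail-gateway log: time, sender IP, recipient host.
MAIL_LOG = """\
2004-03-18T09:00:05 from=192.0.2.10 to=ws-017
2004-03-18T09:01:40 from=198.51.100.7 to=ws-042
"""

# Constructed firewall log: time, src host, dst IP, dst port.
FW_LOG = """\
2004-03-18T09:00:31 src=ws-017 dst=192.0.2.10 dport=81 proto=tcp
2004-03-18T09:02:00 src=ws-042 dst=198.51.100.7 dport=80 proto=tcp
2004-03-18T13:30:00 src=ws-042 dst=198.51.100.7 dport=81 proto=tcp
"""

MAIL_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")
FW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp$")

def find_carrier_fetches(mail_log, fw_log, window=timedelta(minutes=10)):
    """Return (host, sender_ip, fetch_time) for every host that opened
    TCP/81 to a sender's IP within `window` of receiving mail from it."""
    received = []  # (time, sender_ip, recipient host)
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m:
            received.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m or int(m[4]) != 81:
            continue
        t, host, dst = datetime.fromisoformat(m[1]), m[2], m[3]
        for rt, sender_ip, rcpt in received:
            # The fetch must come from the recipient, go back to the
            # sender, and follow the mail closely (the script runs on open).
            if rcpt == host and sender_ip == dst and rt <= t <= rt + window:
                hits.append((host, sender_ip, t.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in find_carrier_fetches(MAIL_LOG, FW_LOG):
        print("possible Bagle-Q carrier fetch:", hit)
```

The port-80 connection and the port-81 connection hours after the mail are left out, so only ws-017's fetch from 192.0.2.10 is reported.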
Discovery Date: 03/18/2004
Length: 25,600 Bytes
SubType: E-mail worm
AVERT has received a sample of this threat and is currently in the process of analyzing it. Further details will be posted when they are available.
This Bagle variant bears the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to the hacker)
copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
encrypted polymorphic parasitic file infector