Signature Detail

WORM: Bagle.Q HTTP Traffic

This signature detects the Q through T variants of the Bagle SMTP virus. Bagle sends e-mails that contain an attachment with a malicious payload. When the attachment is viewed, the payload uses HTTP to load an external link, which is actually an executable program that infects the target host. The virus then sends a copy of itself to e-mail addresses found on the target's hard drive, using the target's e-mail address as the return address.

Extended Description

Bagle.Q is a worm that affects Microsoft Windows operating systems. It propagates through e-mail using a built-in SMTP engine. The worm opens a backdoor to allow remote attackers to control an affected machine.

References

• URL: http://secunia.com/virus_information/8314/bagle.q/
• URL: http://www.auscert.org.au/render.html?it=3957&cid=1977
• URL: http://reviews.cnet.com/4520-6600_7-5127079.html