WORM: Bagle.Q HTTP Traffic
This signature detects the Q through T variants of the Bagle SMTP virus. Bagle sends e-mails that contain an attachment with a malicious payload. When the attachment is viewed, the payload uses HTTP to load an external link, which is actually an executable program that infects the target host. The virus then sends a copy of itself to e-mail addresses found on the target's hard drive, using the target's e-mail address as the return address.
Extended Description
Bagle.Q is a worm that affects Microsoft Windows operating systems. It propagates through e-mail using a built-in SMTP engine. The worm opens a backdoor to allow remote attackers to control an affected machine.
Short Name
WORM:BAGLE:Q-HTTP
Severity
Major
Recommended
False
Recommended Action
None
Category
WORM
Keywords
Bagle.Q HTTP Traffic
Release Date
04/21/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3324
Port
TCP/81
False Positive
Occasionally