A series of new variants of the prolific Bagle worm has raised alarms in the security community through an innovative infection mechanism: The e-mail message in which the variants arrive may have no file attachment, and it's possible for a user to become infected without having to launch one.
The message includes a Windows ActiveX control and uses a vulnerability announced and patched by Microsoft Corp. in August and another problem from last October. The most recent Cumulative Security Update for Internet Explorer also includes a fix for the more recently discovered flaw.
The ActiveX control does not contain the actual worm, according to McAfee Security. Instead, it creates and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses. According to McAfee, as of 06:45 PST on March 18, "The majority of the 590 IP addresses seen have been closed down. At the time of writing, 39 were still responding."
News source: eWeek