Virus name:   Beagle.Q (aka Bagle.Q)

Status:   Real.

Origins:   Beagle.Q is a variant of the Beagle mass-mailing worm that affects only Microsoft Windows NT or other Windows-based systems. It does not replicate through the usual method of sending itself out as an e-mail attachment. Instead, it replicates by sending out "carrier" messages with spoofed return addresses, then exploiting a vulnerability in the Microsoft Outlook mail client to download itself from remote servers when recipients open those messages.

The subject line of a Beagle.Q carrier message could be any one of the following:
  • Re: Document
  • Encrypted document
  • Fax Message Received
  • Forum notify
  • Re: Hello
  • Re: Hi
  • Hidden message
  • Re: Incoming Fax
  • Incoming message
  • Re: Incoming Message
  • Re: Msg reply
  • Protected message
  • RE: Protected message
  • Request response
  • Site changes
  • RE: Text message
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Yahoo!
The bodies of Beagle.Q carrier messages contain no text.
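
The two traits described above (a subject from the list, and a body with no text) can be combined into a simple mail-triage check. The following is an added example, not part of the original write-up or any vendor tool; the function names, the case-insensitive comparison and the sample messages are assumptions made for illustration.

```python
import email
import re
from email import policy

# Subject lines listed on this page for Beagle.Q carrier messages.
CARRIER_SUBJECTS = [
    "Re: Document", "Encrypted document", "Fax Message Received",
    "Forum notify", "Re: Hello", "Re: Hi", "Hidden message",
    "Re: Incoming Fax", "Incoming message", "Re: Incoming Message",
    "Re: Msg reply", "Protected message", "RE: Protected message",
    "Request response", "Site changes", "RE: Text message",
    "Re: Thank you!", "Re: Thanks :)", "Re: Yahoo!",
]

def _norm(text):
    # Assumption: compare case-insensitively with whitespace collapsed.
    return " ".join(text.split()).casefold()

_SUBJECTS = {_norm(s) for s in CARRIER_SUBJECTS}

def visible_text(msg):
    """Text a reader would see: text/plain parts plus text/html with tags stripped."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            # Rough approximation: drop tags, keep whatever text remains.
            chunks.append(re.sub(r"(?s)<[^>]*>", " ", part.get_content()))
    return " ".join(chunks).strip()

def looks_like_carrier(raw_message):
    """True when the subject is on the list AND the body has no visible text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = _norm(str(msg["Subject"] or ""))
    return subject in _SUBJECTS and not visible_text(msg)

# Constructed sample messages (not real captures).
SAMPLES = {
    "empty_plain": "From: a@example.com\nSubject: Re: Thanks :)\n\n",
    "empty_html": "Subject: Hidden message\nContent-Type: text/html\n\n<html><body></body></html>\n",
    "has_text": "Subject: Site changes\n\nThe new layout goes live on Friday.\n",
    "other_subject": "Subject: Lunch?\n\n",
}
```

Because the listed subjects are generic, a match is a reason to quarantine a message for review, not proof of infection.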

The vulnerability exploited by Beagle.Q was (supposedly) fixed by a Microsoft security patch released in October 2003.

A disinfection tool for the Bagle/Beagle worm is available on the Sophos anti-virus site.

Additional Information:
  W32/Bagle-Q
Last updated:   25 January 2008