Bagle (aka Beagle) Email Virus
This virus has taken a new turn and is masquerading as email from your ISP. You will see email from administrator@svpal.org or management@svpal.org, etc. The message tells you to open the enclosed attachment to fix some problem. Don't open the attachment. SVPAL is now filtering ZIP attachments, which effectively disables these attachments. If you have already opened one of these attachments, you may have already been infected. You should update your virus software and scan your system for a possible infection.
US-CERT Advisory
W32/Beagle.J-K Variants (added March 4)
US-CERT has received reports of new variants of the W32/Beagle mass-mailing virus, known as W32/Beagle.J and W32/Beagle.K. These variants will arrive with a password protected .ZIP archive as an attachment to an e-mail message. The email contains a From: address that is spoofed to appear as though it comes from an administrative address (such as management, administration, staff, noreply, or support) at the user's domain. The Subject and Body of the e-mail message are randomly generated and claim to be an administrative warning about the recipient's email account. The attachment is a password protected .ZIP archive containing an executable file (.EXE) with file names that are random. The password for the .ZIP archive is included in the body of the message. These variants contain their own built-in SMTP engine to send copies of the virus to any e-mail address it finds while scanning certain files on the infected system.
To be infected by these variants, a user must open the .ZIP archive, enter the password from the body of the email, extract the .EXE file and then open it.
US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software on a mail server cannot scan password protected .ZIP archives so users must exercise discretion when opening email attachments. Mail server administrators may elect to block .ZIP attachments if permitted by policy.
You may also wish to visit the US-CERT's computer virus resources page.
Vulnerable Systems
This worm only affects users running Windows 95, 98, NT, Me, 2000 or XP.
Impact
This virus mass mails itself to users listed in your address book, thereby spreading itself to other computers. It also scans files on the infected computer for email addresses. The virus also attempts to disable virus protection by terminating virus programs running on the infected computer.
What to Look For
The virus arrives in an email purportedly from your mail account's ISP. An example of one seen on SVPAL:
Dear user of Svpal.org,
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
Please, read the attach for further details.
Sincerely, The Svpal.org team http://www.svpal.org
Note that the exact message varies but follows this form.
The following shows some of the variations that you might see.
Example 'From' addresses include:
management@<domain>
administration@<domain>
staff@<domain>
noreply@<domain>
support@<domain>
where <domain> is your email domain (e.g. svpal.org). The list of possible Subjects includes:
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.
The body of the email will contain one of the following messages:
Your e-mail account has been temporary disabled because of unauthorized access.
Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
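An added example, not part of the SVPAL page or the US-CERT advisory: a mail-server check for the indicators listed above, namely an administrative From address at the recipient's own domain together with a .ZIP attachment whose entries are password protected and end in .EXE. The server cannot scan the encrypted contents, but the ZIP directory still exposes entry names and the encryption flag. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# From local parts named on this page; the recipient's own domain is passed in.
SPOOFED_LOCAL_PARTS = {"administrator", "management", "administration",
                       "staff", "noreply", "support"}
ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is password protected

def encrypted_exe_names(zip_bytes):
    """Names of encrypted .exe entries, read from the directory without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ENCRYPTED and i.filename.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []

def looks_like_beagle_jk(raw_message, local_domain):
    """True if From is an administrative address at our domain and a ZIP holds an encrypted .exe."""
    msg = message_from_bytes(raw_message)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    if local not in SPOOFED_LOCAL_PARTS or domain != local_domain.lower():
        return False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and encrypted_exe_names(part.get_payload(decode=True) or b""):
            return True
    return False

def build_sample(from_addr, encrypted=True):
    """Constructed test message: harmless bytes named like an .exe inside a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("qwrtzx.exe", b"not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                              # flags in the local file header
        data[data.index(b"PK\x01\x02") + 8] |= ENCRYPTED  # flags in the central directory
    msg = EmailMessage()
    msg["From"], msg["To"] = from_addr, "user@svpal.org"
    msg["Subject"] = "E-mail account security warning."
    msg.set_content("Please, read the attach for further details.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="info.zip")
    return msg.as_bytes()
```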
Solutions
See Microsoft's Windows Update web site for easy updating of your Microsoft software. Install a virus scanner to provide additional protection. You may need to start your computer in safe mode to successfully run your virus scanner. Check your virus software documentation for details on how to scan and remove virus infections.
For more information
Check the CERT Coordination Center for more information on this worm. Or check SVPAL's virus page for more general virus protection information.