[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Darren Freeman daz111 at rsphysse.anu.edu.au
Mon Jan 19 04:37:07 GMT 2004


Hi all,

there is a new email worm going around, many of you will have already
seen this.

Full details are forwarded below. Basically this worm infects Windows
machines only, by the user executing an attachment they receive in their
inbox. Emails have the subject "Hi" and the body "Test =)" plus other junk.

Have fun and enjoy the chaos! And get your surfing done before the
Internet chokes up and dies for a few days.

-----Forwarded Message-----
Subject: (AUSCERT AL-2004.01) AUSCERT ALERT - Email worm  W32.Beagle.A/Win32.Bagle.A
Date: Mon, 19 Jan 2004 15:23:40 +1100

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                         AL-2004.01 -- AUSCERT ALERT
                    Email worm W32.Beagle.A/Win32.Bagle.A
                               19 January 2004

===========================================================================


AusCERT has become aware of a new mass-mailer worm that is causing disruption
to regular traffic on Australian email servers. The worm arrives in messages
with this format:

	Subject: Hi

	 Test =)
	tgfihkokyojtrnjjr
	--
	Test, yep.

The second line of the body (e.g. tgfihkokyojtrnjjr, above) may contain any
random text string. The attachment has a MIME type of application/x-msdownload
and has a random filename with a .exe extension - example MIME header:

	Content-Type: application/x-msdownload; name="juvgvku.exe"
	Content-Transfer-Encoding: base64
	Content-Disposition: attachment; filename="ytdckhseku.exe"

Upon execution, the executable scans for email addresses in all files with
the extensions .wab, .txt, .htm and .html. Additionally, TCP port 6777 is
opened on the infected computer and it attempts to contact remote websites
to report infection by calling a PHP script. Due to inbuilt routines, this
worm will not execute after 28 January 2004.

When possible, upgrade all anti-virus software to use the latest definition
files as soon as they become available.

Users should remain aware of the danger of opening unsolicited email 
attachments.


REFERENCES:

[1] Protecting your computer from malicious code
     http://www.auscert.org.au/render.html?it=3352

[2] F-Secure Virus Descriptions
     http://www.f-secure.com/v-descs/bagle.shtml

[3] Symantec Security Response
     http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

[4] Computer Associates Virus
     http://www3.ca.com/virusinfo/virus.aspx?ID=38019

[5] McAfee Security
     http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965

[6] Trend Micro
     http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A

[7] Sophos virus analysis
     http://www.sophos.com/virusinfo/analyses/w32baglea.html


- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

         http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert at auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                 AusCERT personnel answer during Queensland business
                 hours which are GMT+10:00 (AEST).  On call after hours
                 for member emergencies only.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQAtRwSh9+71yA2DNAQFfbwP9EyB/0X9s6pdakU4Dff9wbMvQliOySYHt
Pb45lxBZuj+z0YzBWZi4J9chJhHjGlB4O7e1uG8m18MdiCLZs5IlgqIHssULDABz
MwspV/qxtRescZ46PidAWGjg7wR6ciM7qU9zZ/IoFOxhIwRBTI8XCXWdYbECTeTy
y49dZRZw8hs=
=YPyR
-----END PGP SIGNATURE-----
_______________________________________________
Auscert-subscriber mailing list
Auscert-subscriber at anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/auscert-subscriber
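The bulletin above gives three message-level indicators (subject "Hi", a first body line of "Test =)", and an application/x-msdownload attachment with a random .exe filename) that a mail gateway could match on before the attachment ever reaches a user. The following is an added example, not code from the original post or from AusCERT: it parses a raw RFC 822 message with Python's standard email package and reports which of those indicators match. The helper names (score_message, is_bagle_candidate, build_sample) are hypothetical, and the sample messages are constructed here; the attachment payload is a placeholder byte string, not the worm.

```python
"""Match the mail pattern described in AusCERT AL-2004.01 (added example).

Indicators are taken from the bulletin: subject "Hi", first body line
"Test =)", and an application/x-msdownload attachment named *.exe.
Helper names are hypothetical; sample messages are constructed below.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Indicators quoted in the bulletin, normalised to lower case.
BAGLE_SUBJECT = "hi"
BAGLE_BODY_FIRST_LINE = "test =)"
BAGLE_MIME_TYPE = "application/x-msdownload"


def score_message(raw: str) -> dict:
    """Return which of the three bulletin indicators a raw message matches."""
    msg = message_from_string(raw, policy=default)  # policy=default -> EmailMessage
    hits = {"subject": False, "body": False, "attachment": False}

    hits["subject"] = (msg.get("Subject") or "").strip().lower() == BAGLE_SUBJECT

    # First non-empty line of the text/plain body; the bulletin shows it as " Test =)".
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        lines = [ln.strip() for ln in body_part.get_content().splitlines() if ln.strip()]
        hits["body"] = bool(lines) and lines[0].lower() == BAGLE_BODY_FIRST_LINE

    # get_filename() prefers Content-Disposition filename=, then Content-Type name=,
    # which covers the two differing names shown in the bulletin's MIME header.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == BAGLE_MIME_TYPE and fname.endswith(".exe"):
            hits["attachment"] = True
    return hits


def is_bagle_candidate(raw: str) -> bool:
    """The executable attachment is the decisive indicator; subject or body corroborates."""
    hits = score_message(raw)
    return hits["attachment"] and (hits["subject"] or hits["body"])


def build_sample(subject: str, first_line: str, attach_name: str, ctype: str) -> str:
    """Construct a test message in the bulletin's layout (constructed data, not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content(f"{first_line}\ntgfihkokyojtrnjjr\n--\nTest, yep.\n")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(b"placeholder bytes, not an executable",
                       maintype=maintype, subtype=subtype, filename=attach_name)
    return msg.as_string()


# Constructed samples: one in the bulletin's format, one ordinary business mail.
SAMPLE_BAGLE = build_sample("Hi", "Test =)", "ytdckhseku.exe", "application/x-msdownload")
SAMPLE_BENIGN = build_sample("Quarterly report", "Please find attached", "report.pdf",
                             "application/pdf")

if __name__ == "__main__":
    for label, raw in (("bagle-format", SAMPLE_BAGLE), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw), "->", is_bagle_candidate(raw))
```

Requiring the executable attachment plus one corroborating indicator keeps a legitimate "Hi" message with a PDF from being quarantined, while a variant that keeps the .exe but changes the subject still matches on the body line. The bulletin's other indicator, TCP port 6777 listening on an infected host, is a host or network check rather than a mail-gateway one and is not covered here.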