nlinecomputers (thread author), posted February 17, 2004:

Dear Trend Micro customer:

A new variant of the BAGLE worm has been found in the wild. TrendLabs HQ received numerous infection reports of this new malware spreading in France. As of February 17, 2004 6:44 AM (US Pacific Time), TrendLabs has declared a YELLOW ALERT to control the spread of WORM_BAGLE.B.

This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol). The email message it sends out contains the following details:

Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random> -- Thank
Attachment: <random>.exe

Upon execution, it drops a copy of itself as AU.EXE in the Windows system folder. This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 78
Control Pattern Release 767
Damage Cleanup Template 260

For more information on WORM_BAGLE.B, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyc...me=WORM_BAGLE.B

Please inform us if there are any infection reports in your region.

******************************************************************************************
You are receiving this email from Trend Micro, because you have either downloaded a Trend Micro product or have signed up to receive "Virus Alerts."
******************************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.
If you prefer not to receive future e-mail from Trend Micro's Newsletters Editor: http://trendnewsletter.rsc03.net/servlet/w...tEhEzNIlJkpILkl
To view our permission marketing policy: http://www.rsvp0.net
LilBambi (guest), posted February 18, 2004:

One of my clients said their network at work got hit by this today.

Oh, joy ... another beagle bagle!
nlinecomputers (thread author), posted February 18, 2004:

Another new one spreading fast. Trend Micro gets all the nasty ones...

Dear Trend Micro customer:

As of February 18, 2004 5:06 AM PST, TrendLabs has declared a YELLOW ALERT to control the spread of WORM_NETSKY.B spreading in Japan and Germany. Initial analysis indicates that this memory-resident worm propagates via email.

It drops copies of itself as an executable having two extension names and using the icon of Word. The said copies are dropped in shared folders.

This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 80
Control Pattern Release 769
Damage Cleanup Template 262

For more information on WORM_NETSKY.B, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.B

Please inform us if there are any infection reports in your region.

*******************************************************************************************
You are receiving this email from Trend Micro because you have signed up to receive virus alert notifications. Help us improve this service by giving us feedback at:
http://www.trendmicro.com/survey/SurveyFor...v=WORM_NETSKY.B
*******************************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.
If you prefer not to receive future e-mail from Trend Micro's Newsletters Editor: http://trendnewsletter.rsc03.net/servlet/w...3vyf_u.260zd5_8
To view our permission marketing policy: http://www.rsvp0.net
nlinecomputers (thread author), posted February 25, 2004 (edited):

New version of Netsky is on the loose: Netsky.C

Details here.
Symantec: NetSky.C at Level 3
McAfee: Medium Risk
Trend Micro: RED alert

Update your virus scanners. This is spreading FAST in the USA.

Edit: Trend Micro now lists this as a RED ALERT due to very high spread rate in Australia. Expect major outbreak to continue in the USA as e-mail is opened at work.

Edited February 26, 2004 by nlinecomputers
LilBambi (guest), posted March 1, 2004:

Thanks Nathan!

Here we go again .... Netsky.D
Sophos: Netsky-D
Symantec: Netsky.D
TrendMicro: Netsky-D

And ... two more new Beagle/Bagle's too! And this on the tail of Symantec moving Beagle.E to Category 3 today (yesterday it was Category 2).

Bagle-F
Sophos: Bagle-F
Symantec: Beagle.F
TrendMicro: Bagle-F

Bagle-G
Sophos: Bagle-G
Symantec: Beagle.G
TrendMicro: Bagle-G
LilBambi (guest), posted March 2, 2004:

As of March 2, 2004 - Netsky-D is now a Category 4 risk according to Symantec ... in just two days!!
nlinecomputers (thread author), posted March 2, 2004:

Yep, and I may have my first victims of it. 3 calls for today that all sound like this virus.
LilBambi (guest), posted March 2, 2004 (edited):

Gawd! Have you noticed that every single one of the top 5 Category 3 and the 2 Top Category 4 threats have only been unleashed since January 26, 2004!!

And here we are with the Beagle/Bagle thing too ..

> Fistful of Bagles shoot up the Net
>
> Five new versions of the Bagle worm escaped on to the Web at the weekend. Just one, the medium-risk Bagle-C, has spread widely. The new bagles - C through to G - have minor differences only. It seems that unknown virus writers are trying different tactics to fool users into spreading their malicious code. All seven Bagle variants affect Windows PCs only.
>
> Bagle-C commonly arrives by email as a zipped EXE file with the icon of an Excel spreadsheet file and various different subject lines and attachment names. The body of the messages is empty, and the sender address in the email is spoofed. If you open this executable attachment you may infect your PC. The worm includes a back door component which disables some security software packages. It may also be used to collect the addresses of infected computers, according to F-Secure, an anti-virus software vendor.
>
> Bagle-C scours the hard drives of infected computers for email addresses. It then sends copies of itself to these addresses using its own SMTP engine. The worm is programmed to stop spreading after March 14.

And this doesn't even account for the newest ones, H and I, listed as Category 2 already today!

Edited March 2, 2004 by LilBambi
nlinecomputers (thread author), posted March 2, 2004:

Yep, I'm trying to download the new f-prot files for this morning. The servers are overloaded. A 10 sec download is taking 10 minutes. May not get this before I have to leave for my client. Know any good mirrors for f-prot? Even my linux server's cron job failed to grab it. Timed out.
LilBambi (guest), posted March 2, 2004:

Hmmm, no, I don't ... I always get them from the F-Prot site itself.
ibe98765, posted March 2, 2004:

The Wall Street Journal is running an article that says the new wave of net viruses signals that a hacker rivalry, or competition for bragging rights between hackers, is underway.
Peachy, posted March 4, 2004:

Most of the anti-virus vendor web sites are clogged as everyone updates their definitions. I can't update my AVG and I know there have been 3 definition updates today. PCWorld has a story on the virus writer war!
Peachy, posted March 4, 2004:

Just downloaded the new definition manually. This is the fourth one today!
LilBambi (guest), posted March 4, 2004:

Got all four of mine manually at the Grisoft.com website. :thumbsup:

The Control Center Update site location was totally swamped.
nlinecomputers (thread author), posted March 4, 2004:

I use the paid version of AVG. Paying for a product has its advantages. They use akamai to spread out the load for us paying customers. No waiting....
LilBambi (guest), posted March 4, 2004:

> I use the paid version of AVG. Paying for a product has its advantages. They use akamai to spread out the load for us paying customers. No waiting....

Yep... the website uses that too ... so manual downloads are just as good. ;)

But you are right ... there are advantages to paying.
Stonegiant, posted March 6, 2004:

Here's the source from it (excluding the attached file source):

From - Fri Mar 05 22:42:20 2004
X-UIDL: <mmbrlujgkbbkctitbqa@cox.net>
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <deleted@eielson.af.mil>
Received: from oemcomputer ([24.48.146.50]) by lakemtai05.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040305185704.IRAX3037.lakemtai05.cox.net@oemcomputer> for <deleted>; Fri, 5 Mar 2004 13:57:04 -0500
Date: Fri, 05 Mar 2004 14:06:08 -0500
To: <deleted>
Subject: Important notify about your e-mail account.
From: noreply@cox.net
Message-ID: <mmbrlujgkbbkctitbqa@cox.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------bpprmpdlloxujbekiact"

----------bpprmpdlloxujbekiact
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello user of Cox.net e-mail server,

Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

For more information see the attached file.

For security reasons attached file is password protected. The password is "44078".

Best wishes,
The Cox.net team

Running AVG right now, btw.

This return path cracks me up. It's an Air Force address... Someone MUST have hijacked the Eielson Air Force Base host name (it's in Alaska, btw) for this. The sad thing is that people will actually open this kind of crap <sigh>...

Edit: The file that is attached is TextFile.zip btw.
Stonegiant, posted March 6, 2004:

Update

Hmmm... I've done searches on Symantec and Trend Micro. I can't find this virus in their databases. The first I've ever done searches on those sites, so it is likely that I don't know how to do them properly. Anyways, I did read about virus writers putting their 'products' in password protected archives to try to avoid the virus scans. I am looking for that article. It wasn't very long ago, but I read a lot of articles each day.

Anywho, I am going to send the webmaster of the Eielson AF base an email about the person whose computer is likely infected.
LilBambi (guest), posted March 6, 2004:

Hi StoneGiant,

That is actually the Bagle-K/Beagle.K worm.

Sophos article: Have "The Management" sent you the Bagle-K worm? Sophos reports on latest viral disguise

> Sophos researchers have revealed that a newly discovered version of the Bagle worm (W32/Bagle-K), which is spreading in the wild, masquerades as a seemingly legitimate email from your business's IT department.
>
> Emails sent by the worm use a variety of different phrases in their subject line, and message body, to suggest to users that a problem has been found with their email account. Users are advised to click on the attached file (which can have a number of different combinations) for further information. In a crafty twist to give the message more credibility, references are made to the company's domain name to suggest the email has come from the business's internal IT department.

We got one from our own domain ... literally, to me as administrator of our domain, saying it was from the administrator of our domain! NOT!

Our ISP sent us a warning of this type of email that might come 'appearing' as though it came from them and letting everyone know it did not come from them, nor would they send an email with an attachment.
Stonegiant, posted March 6, 2004:

Ahh. OK. I saw that one and it didn't really look like what I had. btw, I updated AVG and it didn't find it on a full scan...
striker, posted March 6, 2004:

Got a special mail from Fred Langa about this one just a few days ago... in which he's warning the readers for a malicious worm being spread right now:

> It masquerades as a message from an ISP -- Verizon, AOL and others, even from me ("Dear user of Langa.com gateway e-mail server,...") or something similar. The email usually contains a password-protected Zip file with instructions on how to open it.
>
> DO NOT OPEN THE FILE! It's not really from me -- or Verizon, or AOL, or whomever. Those "From" addresses and other headers are faked, but very convincingly: the worm is quite clever. But the file is a trojan designed to infect your system. The worm-writers placed the file in a password-protected file to try to hide from some anti-virus tools. Don't be fooled: JUST DELETE THE FILE AND THE EMAIL.
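The headers Stonegiant pasted and the password-protected ZIP trick that Fred Langa's note describes are the traits a mail-gateway triage script can test for mechanically, without waiting for a signature update from an overloaded vendor server. The following is an added example written for this thread, not code from any poster nor from Trend Micro, Sophos or AVG. It builds a constructed message modelled on the quoted one (the documentation domains example.net and example.mil and the address 192.0.2.50 stand in for the real ones), attaches a stand-in ZIP whose header carries the encryption flag, and reports which lure traits it finds: a Return-Path: domain that disagrees with From:, a first Received: hop that is a bare unqualified PC name, a password quoted in the body, and an encrypted ZIP attachment.

```python
"""Triage of a Bagle-style "your e-mail account" lure.

Added example for this thread; not code from any vendor or poster.
All domains, addresses and the attachment are constructed.
"""
import email
import re
import struct
from email import policy, utils
from email.message import EmailMessage


def fake_encrypted_zip(name: bytes = b"TextFile.exe") -> bytes:
    """Constructed stand-in for the worm's attachment: one ZIP local file
    header with general-purpose flag bit 0 (encrypted) set and no central
    directory. zipfile would reject it; the check below only reads the
    header, which is also the first thing a gateway scanner sees."""
    # signature, version needed, flags, method, mtime, mdate, crc32,
    # compressed size, uncompressed size, name length, extra length
    header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0x0001, 8,
                         0, 0, 0, 0, 0, len(name), 0)
    return header + name


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header carries the encryption bit."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    _, addr = utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


# "from <helo-name> ([ip])" as written by the receiving MTA
FIRST_HOP = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)")
# the lure tells the reader the archive password in clear text
PASSWORD_LINE = re.compile(r"password\s+is\s*\"?\d+", re.I)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and collect lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    from_dom = domain_of(str(msg["From"] or ""))
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    if rp_dom and rp_dom != from_dom:
        indicators.append("return_path_domain_mismatch")

    # Each hop prepends its Received: line, so the last one is the earliest
    # hop: the machine that injected the message into the mail system.
    received = msg.get_all("Received") or []
    m = FIRST_HOP.search(str(received[-1])) if received else None
    if m and "." not in m.group(1):
        indicators.append("first_hop_unqualified_hostname")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PASSWORD_LINE.search(body.get_content()):
        indicators.append("password_in_body")

    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if zip_is_encrypted(payload):
            indicators.append("encrypted_zip_attachment")

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "first_hop": m.group(1) if m else None,
        "indicators": indicators,
        # two or more independent traits: threshold chosen for the example
        "verdict": "suspicious" if len(indicators) >= 2 else "unremarkable",
    }


def build_sample() -> bytes:
    """Constructed message modelled on the headers quoted in the thread."""
    msg = EmailMessage()
    msg["Return-Path"] = "<someone@example.mil>"
    msg["Received"] = ("from oemcomputer ([192.0.2.50]) by mx.example.net "
                       "with SMTP; Fri, 5 Mar 2004 13:57:04 -0500")
    msg["From"] = "noreply@example.net"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Important notify about your e-mail account."
    msg.set_content(
        "Hello user of example.net e-mail server,\n"
        "For more information see the attached file.\n"
        "For security reasons attached file is password protected. "
        'The password is "44078".\n'
    )
    msg.add_attachment(fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="TextFile.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Each of the four signals is present in the message itself, so a gateway can quarantine on them before any pattern file arrives; the encrypted-archive check in particular is what several ISPs in this thread did by refusing password-protected ZIP attachments outright.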
LilBambi (guest), posted March 6, 2004:

Looks like AVG may be listing this one as: I-Worm/Bagle.J

Sure wish the different antivirus software products would standardize naming schemes.
volunteer, posted March 6, 2004:

> Our ISP sent us a warning of this type of email that might come 'appearing' as though it came from them and letting everyone know it did not come from them, nor would they send an email with an attachment.

Fran, I got the same warning email and the very next day I received a virus infected email addressed from my ISP. Norton has been catching all of these viruses. To be safer though, I'm screening all my email on my ISP's web email interface. I move all spam to the junk mail folder and delete what I don't want. I also don't reply to any email now, I just start a new email message using the web interface. Safer for me and the person I'm writing to.

Netscape.net is offering free email accounts that are virus and spam scanned.
LilBambi (guest), posted March 6, 2004:

I hear ya volunteer! We all have to take serious precautions.

I forward all my email for my domain through my ISP's email server. Their server based antivirus software updates every 2 hours so they pretty much get them as they become available. I was surprised and pleased to hear that!

Apparently, that email I got that appeared to come from my domain 'administrator' (fat chance) must have come through before the update was available to my ISP's antivirus software.

However, because I use Thunderbird and do not allow any type of file/script to auto run or be opened, or any images to be viewed through Thunderbird (I save any files that I am expecting to disk and manually check them for viruses before opening them), I haven't even triggered my antivirus software, even if I happen to receive an email with a viral threat attached.

I really like Thunderbird a lot! There are so many specific options available to make life easier and safer all around in the Windows world.
Stonegiant, posted March 9, 2004:

> Got a special mail from Fred Langa about this one just a few days ago... in which he's warning the readers for a malicious worm being spread right now: it masquerades as a message from an ISP -- Verizon, AOL and others, even from me ("Dear user of Langa.com gateway e-mail server,...") or something similar. The email usually contains a password-protected Zip file with instructions on how to open it. DO NOT OPEN THE FILE! It's not really from me -- or Verizon, or AOL, or whomever. Those "From" addresses and other headers are faked, but very convincingly: the worm is quite clever. But the file is a trojan designed to infect your system. The worm-writers placed the file in a password-protected file to try to hide from some anti-virus tools. Don't be fooled: JUST DELETE THE FILE AND THE EMAIL.

That's where I remembered seeing that. I knew I saw it somewhere!
Jeber, posted March 9, 2004:

New "Sober" worm detected... Security Pipeline article
nlinecomputers (thread author), posted March 10, 2004:

Question for the group. I got sent a zipped attachment with an encrypted pass code on it. Obviously this is a virus but the message was formatted as if it was forwarded.

----- Original Message -----
From: <management@censored.net>
To: <trgang@censored.net>
Sent: Tuesday, March 09, 2004 5:01 PM
Subject: E-mail account disabling warning.

> Dear user of censored.net gateway e-mail server,
>
> Your e-mail account will be disabled because of improper using in next
> three days, if you are still wishing to use it, please, resign your
> account information.
>
> For further details see the attach.
>
> For security reasons attached file is password protected. The password is
"60738".
>
> Sincerely,
> The censored.net team
http://www.censored.net
>

Note the forward headers (domain name censored to protect the victims) and ">" leaders. I've seen this virus in the original format but not as a forward. Is this a new strain? Or did some doofus HUMAN manually forward me this without even a note about who the person is? (I don't recognize the email address.)
LilBambi (guest), posted March 10, 2004:

Weird one Nathan, haven't seen that one ... yet. LOL!
nlinecomputers (thread author), posted March 10, 2004:

Well it's not a new virus. It was a human. One of my clients. The email address is the one used by their ISP but not used by the client as they have a domain name. I didn't recognize it as such so I ignored it, but when I didn't reply back to the email the client called me up. Fortunately she didn't even realize that there was an attachment. She just saw "we are cutting you off in three days" and forwarded it to me. She assumed I'd recognize the email address, put two and two together, and call up the ISP and "fix it".
LilBambi (guest), posted March 10, 2004:

Ain't tech support grand LOL!