
Viruses Worms Trojans ... Oh, my!


nlinecomputers

Dear Trend Micro customer:

A new variant of the BAGLE worm has been found in the wild. TrendLabs HQ received numerous infection reports of this new malware spreading in France. As of February 17, 2004 6:44 AM (US Pacific Time), TrendLabs has declared a YELLOW ALERT to control the spread of WORM_BAGLE.B. This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol). The email message it sends out contains the following details:

Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random> -- Thank
Attachment: <random>.exe

Upon execution, it drops a copy of itself as AU.EXE in the Windows system folder. This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 78
Control Pattern Release 767
Damage Cleanup Template 260

For more information on WORM_BAGLE.B, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyc...me=WORM_BAGLE.B

Please inform us if there are any infection reports in your region.

******************************************************************************************
You are receiving this email from Trend Micro, because you have either downloaded a Trend Micro product or have signed up to receive "Virus Alerts."
******************************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.
If you prefer not to receive future e-mail from Trend Micro's Newsletters Editor: http://trendnewsletter.rsc03.net/servlet/w...tEhEzNIlJkpILkl
To view our permission marketing policy: http://www.rsvp0.net

nlinecomputers

Another new one spreading fast. Trend Micro gets all the nasty ones...

Dear Trend Micro customer:

As of February 18, 2004 5:06 AM PST, TrendLabs has declared a YELLOW ALERT to control the spread of WORM_NETSKY.B spreading in Japan and Germany. Initial analysis indicates that this memory-resident worm propagates via email. It drops copies of itself as an executable having two extension names and using the icon of Word. The said copies are dropped in shared folders. This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 80
Control Pattern Release 769
Damage Cleanup Template 262

For more information on WORM_NETSKY.B, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.B

Please inform us if there are any infection reports in your region.

*******************************************************************************************
You are receiving this email from Trend Micro because you have signed up to receive virus alert notifications. Help us improve this service by giving us feedback at: http://www.trendmicro.com/survey/SurveyFor...v=WORM_NETSKY.B
*******************************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.
If you prefer not to receive future e-mail from Trend Micro's Newsletters Editor: http://trendnewsletter.rsc03.net/servlet/w...3vyf_u.260zd5_8
To view our permission marketing policy: http://www.rsvp0.net

nlinecomputers

New version of Netsky is on the loose. Netsky.C
Details here.
Symantec: NetSky.C at Level 3
McAfee: Medium Risk
Trend Micro: RED alert
Update your virus scanners. This is spreading FAST in the USA.

Edit: Trend Micro now lists this as a RED ALERT due to very high spread rate in Australia. Expect major outbreak to continue in the USA as e-mail is opened at work.


Guest LilBambi

Thanks Nathan!

Here we go again .... Netsky.D
Sophos: Netsky-D
Symantec: Netsky.D
TrendMicro: Netsky-D

And ... two more new Beagle/Bagle's too! And this on the tail of Symantec moving Beagle.E to Category 3 today (yesterday it was Category 2).

Bagle-F
Sophos: Bagle-F
Symantec: Beagle.F
TrendMicro: Bagle-F

Bagle-G
Sophos: Bagle-G
Symantec: Beagle.G
TrendMicro: Bagle-G


Guest LilBambi

Gawd! Have you noticed that every single one of the top 5 Category 3 and the 2 Top Category 4 threats have only been unleashed since January 26, 2004!! And here we are with the Beagle/Bagle thing too .. Fistful of Bagles shoot up the Net

Five new versions of the Bagle worm escaped on to the Web at the weekend. Just one, the medium-risk Bagle-C, has spread widely. The new bagles - C through to G - have minor differences only. It seems that unknown virus writers are trying different tactics to fool users into spreading their malicious code. All seven Bagle variants affect Windows PCs only. Bagle-C commonly arrives by email as a zipped EXE file with the icon of an Excel spreadsheet file and various different subject lines and attachment names. The body of the messages is empty, and the sender address in the email is spoofed. If you open this executable attachment you may infect your PC. The worm includes a back door component which disables some security software packages. It may also be used to collect the addresses of infected computers, according to F-Secure, an anti-virus software vendor. Bagle-C scours the hard drives of infected computers for email addresses. It then sends copies of itself to these addresses using its own SMTP engine. The worm is programmed to stop spreading after March 14.
And this doesn't even account for the newest ones H and I listed as Category 2 already today!

nlinecomputers

Yep, I'm trying to download the new f-prot files for this morning. The servers are overloaded. A 10 sec download is taking 10 minutes. May not get this before I have to leave for my client. Know any good mirrors for f-prot? Even my linux server's cron job failed to grab it. Timed out.


The Wall Street Journal is running an article that says the new wave of net viruses signals a hacker rivalry or competition for bragging rights between hackers is underway.


Most of the anti-virus vendor web sites are clogged as everyone updates their definitions. I can't update my AVG and I know there have been 3 definition updates today. :thumbsup: PCWorld has a story on the virus writer war!


Guest LilBambi

Got all four of mine manually at the Grisoft.com website. :thumbsup: The Control Center Update site location was totally swamped.


nlinecomputers

I use the paid version of AVG. Paying for a product has its advantages. They use akamai to spread out the load for us paying customers. No waiting.... :( :rolleyes: :blink:


Guest LilBambi
I use the paid version of AVG.  Paying for a product has its advantages.  They use akamai to spread out the load for us paying customers.  No waiting.... :)  :D  :)
Yep...the website uses that too ... so manual downloads are just as good. ;) But you are right ... there are advantages to paying. :)

Here's the source from it (excluding the attached file source)

From - Fri Mar 05 22:42:20 2004
X-UIDL: <mmbrlujgkbbkctitbqa@cox.net>
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <deleted@eielson.af.mil>
Received: from oemcomputer ([24.48.146.50]) by lakemtai05.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040305185704.IRAX3037.lakemtai05.cox.net@oemcomputer> for <deleted>; Fri, 5 Mar 2004 13:57:04 -0500
Date: Fri, 05 Mar 2004 14:06:08 -0500
To: <deleted>
Subject: Important notify about your e-mail account.
From: noreply@cox.net
Message-ID: <mmbrlujgkbbkctitbqa@cox.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------bpprmpdlloxujbekiact"

----------bpprmpdlloxujbekiact
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello user of Cox.net e-mail server,

Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

For more information see the attached file.

For security reasons attached file is password protected. The password is "44078".

Best wishes,
The Cox.net team

Running AVG right now, btw B) This return path cracks me up. It's an Air Force address... Someone MUST have hijacked the Eielson Air Force Base host name (it's in Alaska, btw) for this. The sad thing is that people will actually open this kind of crap <sigh>...

Edit: The file that is attached is TextFile.zip btw.


Update

Hmmm... I've done searches on Symantec and Trend Micro. I can't find this virus in their databases. The first I've ever done searches on those sites, so it is likely that I don't know how to do them properly. Anyways, I did read about virus writers putting their 'products' in password protected archives to try to avoid the virus scans. I am looking for that article. It wasn't very long ago, but I read a lot of articles each day B) Anywho, I am going to send the webmaster of the eielson af base an email about the person whose computer is likely infected.


Guest LilBambi

Hi StoneGiant,

That is actually the Bagle-K/Beagle.K worm.

Sophos article: Have "The Management" sent you the Bagle-K worm? Sophos reports on latest viral disguise

Sophos researchers have revealed that a newly discovered version of the Bagle worm (W32/Bagle-K), which is spreading in the wild, masquerades as a seemingly legitimate email from your business's IT department. Emails sent by the worm use a variety of different phrases in their subject line, and message body, to suggest to users that a problem has been found with their email account. Users are advised to click on the attached file (which can have a number of different combinations) for further information. In a crafty twist to give the message more credibility, references are made to the company's domain name to suggest the email has come from the business's internal IT department.
We got one from our own domain ... literally, to me as administrator of our domain, saying it was from the administrator of our domain! NOT!

Our ISP sent us a warning of this type of email that might come 'appearing' as though it came from them and letting everyone know it did not come from them, nor would they send an email with an attachment.

Ahh. OK. I saw that one and it didn't really look like what I had. btw, I updated AVG and it didn't find it on a full scan... :thumbsup:


Got a special mail from Fred Langa about this one just a few days ago...in which he's warning the readers for a malicious worm being spread right now,

it masquerades as a message from an ISP -- Verizon, AOL and others, even from me ("Dear user of Langa.com gateway e-mail server,...") or something similar. The email usually contains a password-protected Zip file with instructions on how to open it. DO NOT OPEN THE FILE! It's not really from me -- or Verizon, or AOL, or whomever. Those "From" addresses and other headers are faked, but very convincingly: the worm is quite clever. But the file is a trojan designed to infect your system. The worm-writers placed the file in a password-protected file to try to hide from some anti-virus tools. Don't be fooled: JUST DELETE THE FILE AND THE EMAIL.
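As an added example (not from this thread or any vendor), here is a small Python triage check that applies the two tells discussed above to the header block StoneGiant posted and to the lure Fred Langa describes: the From, Return-Path and first Received hop disagree with each other, and the body hands out the password for a protected attachment. The sample message is a constructed, trimmed copy of that posted header block; a mismatch alone is only a triage signal, since mailing lists and forwarders also produce one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the header block posted earlier in
# this thread (the poster had already redacted the addresses).
SAMPLE = """\
Return-Path: <deleted@eielson.af.mil>
Received: from oemcomputer ([24.48.146.50]) by lakemtai05.cox.net with SMTP; Fri, 5 Mar 2004 13:57:04 -0500
To: <deleted>
Subject: Important notify about your e-mail account.
From: noreply@cox.net
Content-Type: text/plain; charset="us-ascii"

Hello user of Cox.net e-mail server,
Probably, you have been infected by a proxy-relay trojan server.
For security reasons attached file is password protected. The password is "44078".
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})")
PASSWORD_LURE = re.compile(r'password\s+is\s*"?(\d{3,})"?', re.I)

def domain_of(header_value):
    """Lower-case domain of an address header, or '' if there is none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def body_text(msg):
    """Concatenate every text/plain part, decoding any transfer encoding."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("ascii", "replace") for p in parts)

def triage(raw):
    """Return the lure indicators found in one raw RFC 822 message (empty = nothing odd)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_FROM.search(received[-1])  # last Received header = earliest hop
        if m and "." not in m.group(1):
            findings.append(f"originating host '{m.group(1)}' ({m.group(2)}) is not a FQDN")
    m = PASSWORD_LURE.search(body_text(msg))
    if m:
        findings.append(f"body hands out an archive password ({m.group(1)})")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("SUSPICIOUS:", finding)
```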

Our ISP sent us a warning of this type of email that might come 'appearing' as though it came from them and letting everyone know it did not come from them, nor would they send an email with an attachment.
Fran, I got the same warning email and the very next day I received a virus infected email addressed from my ISP. Norton has been catching all of these viruses. To be safer though, I'm screening all my email on my ISP's web email interface. I move all spam to the junk mail folder and delete what I don't want. I also don't reply to any email now, I just start a new email message using the web interface. Safer for me and the person I'm writing to.

Netscape.net is offering free email accounts that are virus and spam scanned.

Guest LilBambi

I hear ya volunteer! We all have to take serious precautions.

I forward all my email for my domain through my ISP's email server. Their server based antivirus software updates every 2 hours so they pretty much get them as they become available. I was surprised and pleased to hear that!

Apparently, that email I got that appeared to come from my domain 'administrator' ( :thumbsup: fat chance) must have come through before the update was available to my ISP's antivirus software.

However, because I use Thunderbird and do not allow any type of file/script to auto run or be opened, or any images to be viewed through Thunderbird (I save any files that I am expecting to disk and manually check them for viruses before opening them), I haven't even triggered my antivirus software, even if I happen to receive an email with a viral threat attached.

I really like Thunderbird a lot! There are so many specific options available to make life easier and safer all around in the Windows world. :thumbsup:


Got a special mail from Fred Langa about this one just a few days ago...in which he's warning the readers for a malicious worm being spread right now,
it masquerades as a message from an ISP -- Verizon, AOL and others, even from me ("Dear user of Langa.com gateway e-mail server,...") or something similar. The email usually contains a password-protected Zip file with instructions on how to open it. DO NOT OPEN THE FILE! It's not really from me -- or Verizon, or AOL, or whomever. Those "From" addresses and other headers are faked, but very convincingly: the worm is quite clever. But the file is a trojan designed to infect your system. The worm-writers placed the file in a password-protected file to try to hide from some anti-virus tools. Don't be fooled: JUST DELETE THE FILE AND THE EMAIL.
That's where I remembered seeing that. I knew I saw it somewhere!

nlinecomputers

Question for the group. I got sent a zipped attachment with an encrypted pass code on it. Obviously this is a virus but the message was formatted as if it was forwarded.

----- Original Message -----
From: <management@censored.net>
To: <trgang@censored.net>
Sent: Tuesday, March 09, 2004 5:01 PM
Subject: E-mail account disabling warning.

> Dear user of censored.net gateway e-mail server,
>
> Your e-mail account will be disabled because of improper using in next
> three days, if you are still wishing to use it, please, resign your
> account information.
>
> For further details see the attach.
>
> For security reasons attached file is password protected. The password is "60738".
>
> Sincerely,
> The censored.net team
> http://www.censored.net
>
Note the forward headers (domain name censored to protect the victims) and ">" leaders. I've seen this virus in the original format but not as forward. Is this a new strain? Or did some doofus HUMAN manually forward me this without even a note about who the person is. (I don't recognize the email address.)

nlinecomputers

Well, it's not a new virus. It was a human. One of my clients. The email address is the one used by their ISP but not used by the client as they have a domain name. I didn't recognize it as such so I ignored it, but when I didn't reply back to the email the client called me up. Fortunately she didn't even realize that there was an attachment. She just saw "we are cutting you off in three days" and forwarded it to me. She assumed I'd recognize the email address, put two and two together, and call up the ISP and "fix it". :)
