Date: Wed, 3 Mar 2004 00:40:45 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Virus Alert: Bagle.J Worm

----------------------------------------------------
BAGLE.J WORM MASQUERADES AS OFFICIAL BCPL.NET E-MAIL
----------------------------------------------------

We are starting to see e-mail carrying a virus that McAfee Virus Scan
identifies as W32/BAGLE.J@MM, a new version of the Bagle Worm, a.k.a.
the Beagle Worm.  The McAfee Virus Scan and Norton Antivirus virus
definition files required to detect Bagle.J were issued late this
evening, so this is a very new virus.

This new version of the Bagle Worm is especially troubling because it
disguises itself in such a way that many BCPL.NET customers will
probably be fooled into opening the file attachment, thereby infecting
their PCs.  Bagle.J sends e-mail with spoofed (forged) "From:"
addresses that make the messages look like they come from the
recipient's Internet Provider.  Fortunately the spoofed "From:"
addresses are not addresses we use here at BCPL.NET, so they will be
easy to spot if the recipient is alert.

Official e-mail from BCPL.NET is sent ONLY from the following five
addresses:

    ispadmin@bcpl.net
    dnsadmin@bcpl.net
    accounts@bcpl.net
    abuse@bcpl.net
    help@bcpl.net

If you receive official-looking e-mail from any other address ending
with "@bcpl.net", it is NOT from us and probably contains a virus.

Furthermore, official e-mail from BCPL.NET staff never includes file
attachments.  If you receive e-mail with a file attachment that appears
to be from BCPL.NET staff, it is not really from BCPL.NET staff and
probably contains a virus.  Bear in mind that a "From:" address proves
nothing by itself: this worm forges it, and a forger could just as
easily use one of the five official addresses.  The "no attachments"
rule is the more reliable test.

How The Bagle.J Worm Spreads
----------------------------

Bagle.J spreads as an e-mail file attachment that installs the worm on
the target PC when the attachment is opened.  It also spreads via
peer-to-peer file sharing networks such as KaZaA and iMesh.
Via E-Mail:
-----------

When a PC becomes infected, Bagle.J compiles a list of target e-mail
addresses from the address book, from saved e-mail, and from other
files on the infected computer.  It then mails infected file
attachments to all of those addresses, and does so again each time the
infected PC boots up and connects to the Internet.

E-mail sent by PCs infected with Bagle.J has the following
characteristics.  The subject lines, message text and file names below
are reproduced exactly as the worm writes them, spelling errors
included; the errors are themselves a useful tell.

From Address:  One of the following:

    o management@bcpl.net
    o administration@bcpl.net
    o staff@bcpl.net
    o noreply@bcpl.net
    o support@bcpl.net

Subject:  One of the following:

    o E-mail account disabling warning.
    o E-mail account security warning.
    o Email account utilization warning.
    o Important notify about your e-mail account.
    o Notify about using the e-mail account.
    o Notify about your e-mail account utilization.
    o Warning about your e-mail account.

Message Text:  One of the following lines:

    o Dear user of bcpl.net,
    o Dear user of bcpl.net gateway e-mail server,
    o Dear user of e-mail server "bcpl.net",
    o Hello user of bcpl.net e-mail server,
    o Dear user of "bcpl.net" mailing system,
    o Dear user, the management of bcpl.net mailing system wants to
      let you know that,

Followed by one of the following paragraphs:

    o Your e-mail account has been temporary disabled because of
      unauthorized access.
    o Our main mailing server will be temporary unavaible for next two
      days, to continue receiving mail in these days you have to
      configure our free auto-forwarding service.
    o Your e-mail account will be disabled because of improper using
      in next three days, if you are still wishing to use it, please,
      resign your account information.
    o We warn you about some attacks on your e-mail account. Your
      computer may contain viruses, in order to keep your computer and
      e-mail account safe, please, follow the instructions.
    o Our antivirus software has detected a large ammount of viruses
      outgoing from your email account, you may use our free anti-virus
      tool to clean up your computer software.
    o Some of our clients complained about the spam (negative e-mail
      content) outgoing from your e-mail account. Probably, you have
      been infected by a proxy-relay trojan server. In order to keep
      your computer safe, follow the instructions.

Followed by one of the following lines:

    o For more information see the attached file.
    o Further details can be obtained from attached file.
    o Advanced details can be found in attached file.
    o For details see the attach.
    o For details see the attached file.
    o For further details see the attach.
    o Please, read the attach for further details.
    o Pay attention on attached file.

Followed by one of the following lines (if the attachment is a .zip
file):

    o For security reasons attached file is password protected. The
      password is "".
    o For security purposes the attached file is password protected.
      Password is "".
    o Attached file protected with the password for security reasons.
      Password is .
    o In order to read the attach you have to use the following
      password: .

The password is there for the worm's benefit, not yours: an anti-virus
scanner cannot look inside a password-protected .ZIP, so the worm
relies on you to type the password and open it by hand.

Followed by one of the following lines:

    o The Management,
    o Sincerely,
    o Best wishes,
    o Have a good day,
    o Cheers,
    o Kind regards,

Followed by:

    o The bcpl.net team
      http://www.bcpl.net

Attachment:  One of the following file names with a .EXE, .PIF or .ZIP
extension:

    o Attach
    o Information
    o Readme
    o Document
    o Info
    o TextDocument
    o TextFile
    o MoreInfo
    o Message

The icon used for the file makes it appear to be a WordPad document.
Do not trust the icon: Windows draws whatever icon the program carries,
and it says nothing about what the file does.

If you have accounts with other Internet Providers or companies,
substitute that ISP's or company's domain name where you see "bcpl.net"
in the above description.  For example, if you also have a Comcast
cable modem connection, in your Comcast e-mail you may see infected
mail from "management@comcast.net" instead of "management@bcpl.net".
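The message characteristics above are specific enough to be checked
mechanically.  The following is an added example written for this
page; it is not code from BCPL.NET or from any anti-virus vendor.  It
parses a message with Python's standard e-mail library, applies the
sender, subject, greeting and attachment rules from this alert, and
looks inside a .ZIP attachment for executables or password protection
(the check the alert says your scanner must be configured to do).  The
ISP domain is a parameter, generalizing the Comcast note above.  The
two sample messages are constructed from the templates in this alert,
not real captures, and the bytes inside the sample .ZIP are a
placeholder, not a real program.

```python
"""Triage an incoming message against the Bagle.J lure described above."""
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# The only local-parts the alert lists as official BCPL.NET senders.
OFFICIAL_LOCALPARTS = {"ispadmin", "dnsadmin", "accounts", "abuse", "help"}
# Local-parts Bagle.J forges in its "From:" header.
BAGLE_LOCALPARTS = {"management", "administration", "staff", "noreply", "support"}
BAGLE_SUBJECTS = {
    "e-mail account disabling warning.",
    "e-mail account security warning.",
    "email account utilization warning.",
    "important notify about your e-mail account.",
    "notify about using the e-mail account.",
    "notify about your e-mail account utilization.",
    "warning about your e-mail account.",
}
BAGLE_ATTACHMENT_STEMS = {"attach", "information", "readme", "document", "info",
                          "textdocument", "textfile", "moreinfo", "message"}
EXECUTABLE_EXTS = {".exe", ".pif"}   # the two executable forms the alert lists


def inspect_zip(data: bytes) -> list:
    """Look inside a .ZIP attachment for executables or encrypted entries."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename.lower())[1]
                if ext in EXECUTABLE_EXTS:
                    findings.append(f"zip contains executable {info.filename}")
                if info.flag_bits & 0x1:   # general-purpose bit 0: entry is encrypted
                    findings.append(f"zip entry {info.filename} is password protected "
                                    "and cannot be scanned")
    except zipfile.BadZipFile:
        findings.append("attachment named .zip is not a valid zip archive")
    return findings


def assess_message(raw: bytes, isp_domain: str = "bcpl.net") -> list:
    """Return the reasons a message looks like the Bagle.J lure (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    claims_isp = domain == isp_domain.lower()

    if claims_isp and local not in OFFICIAL_LOCALPARTS:
        findings.append(f"{local}@{domain} is not an official {isp_domain} sender")
    if local in BAGLE_LOCALPARTS:
        findings.append("From: local-part matches a Bagle.J forged sender")
    if msg.get("Subject", "").strip().lower() in BAGLE_SUBJECTS:
        findings.append("subject line matches a Bagle.J template")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if re.search(rf"(user of|management of) .*{re.escape(isp_domain.lower())}", text):
        findings.append("greeting matches a Bagle.J template")
    if "password" in text and "attach" in text:
        findings.append("body asks the reader to open a password-protected attachment")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if claims_isp:
            findings.append(f"attachment {name!r} on mail claiming to be from "
                            f"{isp_domain} (official mail never carries attachments)")
        if stem in BAGLE_ATTACHMENT_STEMS and ext in EXECUTABLE_EXTS | {".zip"}:
            findings.append(f"attachment {name!r} matches a Bagle.J file name")
        if ext == ".zip":
            findings.extend(inspect_zip(part.get_payload(decode=True) or b""))
    return findings


def is_suspicious(raw: bytes, isp_domain: str = "bcpl.net") -> bool:
    return bool(assess_message(raw, isp_domain))


def build_sample(isp_domain: str = "bcpl.net") -> bytes:
    """Constructed specimen assembled from the templates in the alert."""
    msg = EmailMessage()
    msg["From"] = f"management@{isp_domain}"
    msg["To"] = f"customer@{isp_domain}"
    msg["Subject"] = "E-mail account security warning."
    msg.set_content(
        f"Dear user of {isp_domain},\n\n"
        "Your e-mail account has been temporary disabled because of "
        "unauthorized access.\n"
        "For more information see the attached file.\n"
        "For security reasons attached file is password protected.\n\n"
        f"The {isp_domain} team\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.exe", b"MZ" + b"\0" * 62)   # placeholder bytes, not a program
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Readme.zip")
    return msg.as_bytes()


def build_benign(isp_domain: str = "bcpl.net") -> bytes:
    """A legitimate notice: official sender, no attachment."""
    msg = EmailMessage()
    msg["From"] = f"help@{isp_domain}"
    msg["To"] = f"customer@{isp_domain}"
    msg["Subject"] = "Scheduled maintenance on Saturday"
    msg.set_content("The news server will be restarted at 02:00.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in assess_message(build_sample()):
        print("-", reason)
```

Each rule is reported separately so you can see which of the alert's
tells fired; a single hit on the "official sender with an attachment"
rule is reason enough to delete the message, while the template
matches are what you would tune when the next Bagle variant changes
its wording.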
Via Peer-To-Peer File Sharing
-----------------------------

When Bagle.J infects a PC it searches the PC's hard disk for folders
that are shared out on peer-to-peer file sharing networks such as KaZaA
or iMesh.  If it finds any, it installs the following infected files in
those folders (names reproduced as the worm writes them, misspellings
included):

    o ACDSee 9.exe
    o Adobe Photoshop 9 full.exe
    o Ahead Nero 7.exe
    o Matrix 3 Revolution English Subtitles.exe
    o Microsoft Office 2003 Crack, Working!.exe
    o Microsoft Office XP working Crack, Keygen.exe
    o Microsoft Windows XP, WinXP Crack, working Keygen.exe
    o Opera 8 New!.exe
    o Porno pics arhive, xxx.exe
    o Porno Screensaver.scr
    o Porno, sex, oral, anal cool, awesome!!.exe
    o Serials.txt.exe
    o WinAmp 5 Pro Keygen Crack Update.exe
    o WinAmp 6 New!.exe
    o Windown Longhorn Beta Leak.exe
    o Windows Sourcecode update.doc.exe
    o XXX hardcore images.exe

Once installed in the shared folder, the Bagle.J-infected files are
distributed via the peer-to-peer file sharing network in which the
PC's owner participates.  Note the trick in "Serials.txt.exe" and
"Windows Sourcecode update.doc.exe": a harmless-looking extension in
front of the real one, which Windows hides by default, so the file
shows up as "Serials.txt".

What Bagle.J Does To The Infected PC
------------------------------------

In addition to turning the infected PC into an unwitting
re-distributor of the Bagle.J Worm, the worm sets up a back door on the
infected PC that allows an attacker to connect to the computer and use
it as a proxy for malicious activities.  For example, an attacker can
install software that lets him use the infected computer as a proxy
relay for sending spam.  The worm sends the infected PC's IP address to
several hacker Web sites, announcing to the hacker community that the
back door has been installed and the PC is open to attack.

The worm attempts to terminate processes associated with the update
functions of most anti-virus programs.  If successful, this prevents
the anti-virus software's virus definition files ("DAT" files) from
being updated, so the software never learns to recognize the worm that
disabled it.
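The drop-file list in the peer-to-peer section above can be turned
into a scan of your own shared folders.  The following is an added
example written for this page, not a tool from BCPL.NET or any
anti-virus vendor.  It walks the folders you name and flags exact
matches for the file names the alert lists, the double-extension trick
("Serials.txt.exe"), and any executable at all sitting in a shared
folder.  The set of decoy extensions and the extra executable
extensions (.pif, .com, .bat) are assumptions that go beyond the
alert's list; the share folder it scans is constructed inline in a
temporary directory, with placeholder contents.

```python
"""Scan peer-to-peer shared folders for what Bagle.J drops there."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# File names the alert lists, reproduced as the worm writes them (including
# its misspellings); matched case-insensitively.
BAGLE_DROP_NAMES = {n.lower() for n in (
    "ACDSee 9.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe",
    "Porno pics arhive, xxx.exe",
    "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Serials.txt.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
)}
# Extensions Windows runs on double-click.  The alert's list uses only .exe
# and .scr; the rest are an assumed extension of it.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Harmless-looking extensions placed in front of the real one, as in
# "Serials.txt.exe" and "Windows Sourcecode update.doc.exe" (assumed set).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".avi", ".mp3", ".zip"}


def classify(name: str) -> Optional[str]:
    """Why a file name in a shared folder is suspicious, or None if it is not."""
    if name.lower() in BAGLE_DROP_NAMES:
        return "exact match for a Bagle.J drop file"
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "document extension hiding an executable extension"
    return "executable program in a shared folder"


def scan_shared_folders(folders) -> dict:
    """Map each suspicious file path under the given folders to its reason."""
    hits = {}
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for fname in files:
                reason = classify(fname)
                if reason:
                    hits[os.path.join(root, fname)] = reason
    return hits


def demo() -> dict:
    """Build a constructed share folder, scan it, and return {basename: reason}."""
    sample = ["Opera 8 New!.exe", "Serials.txt.exe", "Party photos.jpg.scr",
              "setup.exe", "holiday.jpg", "notes.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "Shared Folder"
        share.mkdir()
        for fname in sample:
            (share / fname).write_bytes(b"placeholder")   # contents do not matter here
        hits = scan_shared_folders([tmp])
    return {os.path.basename(p): r for p, r in hits.items()}


if __name__ == "__main__":
    for fname, reason in sorted(demo().items()):
        print(f"{fname}: {reason}")
```

On a real PC you would pass the folders KaZaA or iMesh actually
shares; the exact-name check catches this variant, while the
double-extension and "any executable" checks are what keep the scan
useful after the next variant renames its files.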
How To Protect Your PC From Bagle.J Worm Infection
--------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is
  configured to scan incoming e-mail for viruses, *and* if its virus
  description database is up-to-date enough to know about Bagle.J,
  then it will stop Bagle.J before it can infect your PC.

  However the virus description database must be *very* new.  The
  Bagle.J Worm was discovered and described by the major anti-virus
  software vendors late in the afternoon of March 2, 2004, so a virus
  description database older than that will not enable your
  anti-virus software to detect and stop Bagle.J.  We recommend that
  you update your virus description database at least once a week,
  although given the rate at which new PC viruses appear, once a day
  would be even better.  If you do not keep your virus description
  database up to date, then your anti-virus software is virtually
  useless.

  IMPORTANT: Bagle.J and several other recent viruses are sometimes
  distributed in compressed "ZIP" files.  Your anti-virus software
  must be configured to look inside .ZIP files in order to detect
  these viruses.  Most anti-virus programs are not configured that way
  by default.  You need to manually change the configuration to make
  the program search for viruses inside .ZIP files.  Even then, the
  scanner cannot look inside a password-protected .ZIP, which is why
  Bagle.J sends the password in the message text; treat such an
  attachment as infected.

o If you receive a message containing a file attachment DO NOT open
  the attachment unless *all* of the following are true:

  - The sender is known to you.
  - You are expecting a file attachment from that person.
  - The sender clearly identifies the nature of the file attachment
    in the text of the message.

  If any one of those three statements is not true, delete the
  message.  DO NOT open the file attachment.  When in doubt, get in
  touch with the apparent sender to confirm that he/she actually sent
  the attachment.  The "From:" line is forged by this and most other
  mass-mailing worms, so a familiar address is not proof of who sent
  the message; that is why the second and third tests matter.

o If you use KaZaA or any of the other peer-to-peer file sharing
  networks, be VERY careful what you download.
  It is estimated that at least 50% of the files made available via
  peer-to-peer file sharing are "malware", meaning viruses, worms,
  trojans and other malicious programs disguised as something else.

o In the final analysis you are your own best defence against virus
  infection.  All it takes is a bit of common sense.

How To Remove The Bagle.J Worm From An Infected PC
--------------------------------------------------

If your PC becomes infected by Bagle.J even though you have anti-virus
software on it, then either your virus definition database was too old
to detect Bagle.J or the software was not configured to scan incoming
e-mail and to look inside .ZIP attachments; otherwise it would not
have allowed the worm to infect your PC in the first place.  Update
your virus definition database, check those settings, then use the
anti-virus software to scan your hard drive.  Bear in mind that the
worm tries to kill the anti-virus update process, so if the update
itself fails, that is one more sign of infection; in that case go
straight to Stinger, below.

If you do not have anti-virus software, or if you have trouble with
the software vendor's instructions for dealing with a Bagle.J-infected
PC, or if you just want a quick fix, we recommend that you download
and run the "Stinger" utility provided free of charge by McAfee.  You
will find it on the McAfee web site at:

    http://vil.nai.com/vil/stinger/

Stinger will remove Bagle.J and several other recent worms and
viruses.  Please follow the instructions on the Stinger web page very
carefully!

IMPORTANT: In order to remove Bagle.J you need Stinger version 2.1.0
(or later), which was posted to the Network Associates web site on
March 2nd.  If you already have an older version of Stinger, it will
not remove a Bagle.J infection.

ALSO IMPORTANT: Stinger is a virus removal tool, not a virus
protection tool.  It will remove Bagle.J and other recent viruses from
a PC that is already infected, but it will not prevent the PC from
becoming re-infected.  That requires a comprehensive anti-virus
program like McAfee Virus Scan, Norton Antivirus, or any of a dozen or
so others that are on the market.
More Information About The Bagle.J Worm:
----------------------------------------

This alert was compiled from information found on the following
well-known virus information Web sites.  Please visit them if you are
interested in more detailed information.

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101071
    http://www.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html
    http://www.f-secure.com/v-descs/bagle_j.shtml
    http://www.sophos.com/virusinfo/analyses/w32baglej.html

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/