Date: 19 January 2004
===========================================================================
A U S C E R T A L E R T
AL-2004.01 -- AUSCERT ALERT
Email worm W32.Beagle.A/Win32.Bagle.A
19 January 2004
===========================================================================
AusCERT has become aware of a new mass-mailer worm that is causing disruption
to regular traffic on Australian email servers. The worm arrives in messages
with this format:
    Subject: Hi

    Test =)
    tgfihkokyojtrnjjr
    --
    Test, yep.
The second line of the body (e.g. tgfihkokyojtrnjjr above) may contain any
random text string. The attachment has a MIME type of application/x-msdownload
and a random filename with a .exe extension. Example MIME headers:

    Content-Type: application/x-msdownload; name="juvgvku.exe"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="ytdckhseku.exe"
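A mail-gateway style check for the message format described above, added here as an example and not part of the AusCERT alert. It parses a constructed message with Python's standard email module and reports the three indicators the alert lists (the "Hi" subject, the fixed body text, and an application/x-msdownload attachment named *.exe); the sample messages and function names are constructed for this example.

```python
import email
from email import policy

# Constructed sample in the format the alert describes; the attachment body is
# base64 of the text "not a real binary", not worm code.
SAMPLE_MESSAGE = b"""From: someone@example.com
To: victim@example.com
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Test =)
tgfihkokyojtrnjjr
--
Test, yep.
--XYZ
Content-Type: application/x-msdownload; name="juvgvku.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ytdckhseku.exe"

bm90IGEgcmVhbCBiaW5hcnk=
--XYZ--
"""

# Constructed benign message that shares only the subject line.
BENIGN_MESSAGE = b"""From: a@example.com
To: b@example.com
Subject: Hi
Content-Type: text/plain

Hi, see you tomorrow.
"""

def bagle_a_indicators(raw: bytes) -> dict:
    """Return which of the alert's three message-level indicators are present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip() == "Hi"
    body_hit = attach_hit = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            lines = [ln.strip() for ln in part.get_content().splitlines()]
            # First line, separator and sign-off are fixed; line 2 is random.
            body_hit = (len(lines) >= 4 and lines[0] == "Test =)"
                        and lines[2] == "--" and lines[3] == "Test, yep.")
        elif ctype == "application/x-msdownload":
            name = (part.get_filename() or "").lower()
            attach_hit = name.endswith(".exe")
    return {"subject": subject_hit, "body": body_hit, "attachment": attach_hit}

def is_bagle_a_like(raw: bytes) -> bool:
    """Flag only when the .exe attachment is combined with a text indicator."""
    ind = bagle_a_indicators(raw)
    return ind["attachment"] and (ind["subject"] or ind["body"])
```

Requiring the attachment indicator plus one text indicator keeps ordinary "Hi" messages from being quarantined on the subject line alone.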
Upon execution, the worm scans for email addresses in all files with the
extensions .wab, .txt, .htm and .html. Additionally, it opens TCP port 6777 on
the infected computer and attempts to contact remote websites, calling a PHP
script to report the infection. Due to inbuilt routines, this worm will not
execute after 28 January 2004.
When possible, upgrade all anti-virus software to use the latest definition
files as soon as they become available.
Users should remain aware of the danger of opening unsolicited email attachments.
REFERENCES:
[1] Protecting your computer from malicious code
http://www.auscert.org.au/render.html?it=3352
[2] F-Secure Virus Descriptions
http://www.f-secure.com/v-descs/bagle.shtml
[3] Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
[4] Computer Associates Virus
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
[5] McAfee Security
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965
[6] Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
[7] Sophos virus analysis
http://www.sophos.com/virusinfo/analyses/w32baglea.html
---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================