
Bagel

  • 19-01-2004 1:50pm
    #1
    Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭


    New Virus.

    Looks nasty enough.
    From Sophos:
    "Sophos, a world leader in protecting businesses against spam and viruses, is warning of a new worm called Bagle-A (W32/Bagle-A). Following many reports in Australia, Sophos has already started to see multiple reports coming from the UK and other countries, and users are advised to be cautious of emails received over the weekend with the subject line "Hi".

    The Bagle-A worm (also known as Beagle) arrives as an email message which talks about a test and has an attachment - a program file with a random name. This file which can pretend to be the Windows calculator, opens a security hole in the infected user's computer which can be exploited by hackers."

    It also spoofs both the sender's and receiver's addresses!
    Its prevalence is very fast also!


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    That's why all files containing executable content should be quarantined by default. (got one just before lunch.)


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    True.
    They are on our site but it still got in!:(
    I think we have it under control now


  • Closed Accounts Posts: 53 ✭✭dmd


    Any bell end that's infected deserves it.


  • Registered Users, Registered Users 2 Posts: 2,808 ✭✭✭Ste.phen


    I got a copy of this in an email yesterday, Norton 2003 didn't pick it up, but Outlook blocked my access to it (which was nice of it :))

    anyways, I received a bounced email today, which was a copy of the virus, saying it couldn't be delivered to a certain address, and with myself as the return address...

    I'm almost sure I don't have this virus, and the headers seem to imply it was sent from either here (DIT labs) or somewhere on the NUI Maynooth network?
    I use a text only mail client here, so I doubt that's it.

    What gives? I thought most of these viruses use the infected users address for the "From" field?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    Many email viruses look at the victim's inbox to fill in the fields in the header - from / to / subject / attachment name / text etc. etc.

    I'd be surprised if they, like spammers, don't get more tricky as time goes on - eg: sending out of office replies, waiting until the PC is not being used / middle of night / weekends before activating to avoid detection


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    More info on Bagel. Could be another Sobig:

    Computer-security experts fear a new worm -- Bagle-A -- which has begun spreading rapidly across Australian email networks could be a rehearsal for a more concerted attack in coming weeks.


    According to Daniel Zatz, security director for Computer Associates Australia, Bagle-A carries an expiry date, possibly indicating more robust versions of the worm could be ready for release soon.


    According to Zatz, while Bagle-A is already successful, responsible for an alarming 80 percent jump in queries to CA's help desk and in virus submissions to rival computer security company Sophos, the current version of the worm contains bugs.


    Comparing Bagle to the infamous Sobig virus which flooded global email networks last year, Zatz fears that a more virulent version of new worm could appear soon.


    "One of our biggest concern is that if we look back a year ago at the Sobig variants, they all had drop-dead dates, and every time one hit that drop dead date a new variant came out; a new and improved variant of it," said Zatz.


    Bagle-A is due to expire on January 28, suggesting tuned variations of the worm could appear as early as next week.


    Bagle-A's creators, like authors of many previous successful worms, have relied on the ignorance and curiosity of email users for the worm's success.


    The worm arrives in email inboxes as a message containing a few lines of text suggesting that the email may be from a system administrator, as well as an executable attachment. When the attachment is activated by its receiver the worm then installs a program on the recipient's computer that allows the worm to be emailed on to other users in the system's local address book.


    The worm also attempts to install a backdoor or Trojan on infected machines, listening for activity on port 6777.


    Sean Richmond, support manager with anti-virus software vendor Sophos Australia and New Zealand, said the company was still examining the Trojan to see what else it was capable of.


    Given that most corporate email servers block transmission of executable attachments, CA's Zatz believes that home and medium-sized enterprise users are responsible for spreading the new worm.


    Zatz could give no other explanation for the worm's apparent success than "pure curiosity" on the users' part.


    Another possible factor in the worm's success, Zatz said, was the fact the worm's creators programmed the worm to email itself to a handful of popular domains to evade swift detection by dominant Web enterprises such as Hotmail, MSN and a large Russian computer security agency.


    Richmond said favourable timing may help contain the Bagle. According to Richmond, Bagle's appearance in the Asia-Pacific region should give antivirus companies adequate time to prepare software and procedures for US and European companies before they open for trading.


    Users who suspect their computers may be infected with the virus should look for a file called bbeagle.exe in their Windows System directory. The file disguises itself with Microsoft's familiar calculator icon.

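    The article above names two host-level indicators: a file called bbeagle.exe in the Windows System directory and a listener on TCP port 6777. The script below is an added example (not from the thread or any vendor) that turns those two indicators into a quick triage check. It parses Windows `netstat -ano` output (the sample lines in `main()` are constructed) and checks a directory listing for the file name; on a real Windows host `main()` collects both from the live system. Only the two indicators the article gives are used; nothing else about the worm is assumed.

```python
"""Single-host triage for the two Bagle-A indicators quoted in the thread:
bbeagle.exe in the system directory and a TCP listener on port 6777.
Added example; the netstat lines below are constructed, not captured."""
import os
import subprocess

BAGLE_FILE = "bbeagle.exe"   # file name given in the quoted article
BAGLE_PORT = 6777            # backdoor port given in the quoted article


def listening_tcp(netstat_lines):
    """Map listening TCP port -> PID from 'netstat -ano' style lines.

    Windows prints: Proto  Local Address  Foreign Address  State  PID.
    Only TCP rows in LISTENING state are kept; the port is taken from the
    last ':'-separated field so IPv6 forms like [::]:6777 also parse."""
    found = {}
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])
            found[port] = int(fields[4])
    return found


def assess(system_dir_files, listening):
    """Combine the two indicators into a list of findings (empty = clean).

    Names are compared case-insensitively because NTFS is."""
    findings = []
    names = {name.lower() for name in system_dir_files}
    if BAGLE_FILE in names:
        findings.append(f"{BAGLE_FILE} present in system directory")
    if BAGLE_PORT in listening:
        findings.append(f"TCP {BAGLE_PORT} listening (pid {listening[BAGLE_PORT]})")
    return findings


# Constructed sample, in the shape 'netstat -ano' prints on Windows.
SAMPLE_NETSTAT = [
    "Active Connections",
    "",
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1532",
    "  TCP    10.0.0.5:1044          10.0.0.1:25            ESTABLISHED     1532",
    "  UDP    0.0.0.0:445            *:*                                    4",
]


def main():
    if os.name == "nt":
        # Live collection on a Windows host.
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True)
        lines = out.stdout.splitlines()
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
        files = os.listdir(system_dir)
    else:
        # Elsewhere, run the logic over the constructed sample only.
        lines = SAMPLE_NETSTAT
        files = ["calc.exe", "kernel32.dll", "BBEAGLE.EXE"]
    for finding in assess(files, listening_tcp(lines)) or ["no Bagle-A indicators found"]:
        print(finding)


if __name__ == "__main__":
    main()
```

    The two indicators are kept separate on purpose: either alone is grounds to pull the machine off the network and run a proper scan, and the port check catches a renamed binary that the file-name check would miss.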

  • Closed Accounts Posts: 53 ✭✭dmd


    About my last post, to make things more clear.

    If you get an exe file from anybody, even from your mother, or anybody you work with, unless you can take apart the headers and still magically verify it's not an internal worm/virus, then don't execute it. If you execute a .exe file from outlook, then there is a fairly serious risk it's a virus.

    Let's take a look at an exe, it's a compiled file, so you can't see its internal workings, what if I have it as basically remove your c: drive and everything else, it could easily be that, coming from somebody in work or somebody you trust, how can you tell who exactly it came from unless you check the headers and then check dhcp logs or check who has the static ip internally. As for outside, then maybe it's a NAT gateway, so it really could come from anybody in that company. Maybe that person has been infected, maybe the worm is feeding off their address book after compromising the local network.

    Do not execute any attachments. ever.

    The reason for my last post was, no matter what I say, or how I explain it, will make anybody change. If you would have executed an exe file, you'll probably still execute it after you read this.

    The bagle virus goes as an exe file, I mean jesus how plain can it be, at least with a bat or pif file you can read it very easily before you run it, people who run exe files in windows are running a very high risk, it can basically do anything that you can do, logged in as the user you are logged in as.

    Just have some basic common sense, don't execute any incoming files, if you see an exe file from 'cracks 'r us' then don't run that, it's the same thing. Google a bit, see what you need to do.


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    DMD.
    Who are you talking to here?
    I posted info on the Virus to warn fellow IT ppl and maybe the odd Joe Soap here.
    I am well aware of the issues surrounding viruses, exe's etc.
    (In case your last two posts are replies directed at me. If not - sorry)

    Just wanted to clear that up!:)


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Any admin who lets any file capable of running code through their mailserver should have rusty clothespegs affixed to their nipples.

    It's madness. It's like pulling down your trousers, greasing up your ass with vaseline, and wandering into the blue oyster. Same end effect.

    Ban the following by default:

    .exe
    .bat
    .pif
    .scr
    .com
    .shs
    .hta
    .vbs
    .msi

    I also ban all sound and video files - Waste of bandwidth. However, sometimes they are legit. In that case, I just pass the mail out of quarantine.


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    Same here Jaden. All the files you've mentioned are blocked by default.

    I suspect this got in through a Dial Up connection somehow!?!
    Although I thought the Virus only propagated through SMTP.

    Blue Oyster!:p


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    You are missing a few..

    .dll
    .inf
    .ins
    .cmd
    .vbe
    .lnk
    .js
    .jse
    .vxd
    .386
    .cab
    .sys
    .drv

    .eml
    .msg

    and loads of multimedia files that contain exploits
    and most microsoft files that can contain macros

    Note: many viruses contain their own SMTP sw in their payload ..


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Now there's a useful list. Someone should sticky those two posts.

    I let Word, powerpoint and excel files through (You kinda have to). Macros are less of a problem seeing as our OpenOffice rollout is at about 40% and rising. (80%+ complete by Q2 2004).

    You should really ban: (Not an absolute list by any means).

    .mp3
    .ogg
    .wav
    .aiff
    .au
    .wma
    .mid

    .mpg
    .mpeg
    .avi
    .asf
    .wmv
    .mov
    .mpe
    .qt

    Ban .xml just for the craic.


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    What about .ZIP?
    After MiMail?
    Would ye agree?

    BTW. A sticky is a great idea!


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Banning ZIP files would be nice, but contrary to the primary IT purpose of keeping business moving.

    In a perfect world, users would never be let near the Intarweb. It would be reserved for people who were qualified to use it, a bit like a driving test.

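    The extension lists that Jaden and Capt'n Midnight post above, and the ZIP question that follows them, amount to a mail-gateway policy. The script below is an added example (not from the thread, and not any product's filter) that applies that policy to an inbound message: it walks the MIME parts, quarantines anything whose filename carries one of the listed executable extensions anywhere in its name (so `invoice.pdf.exe` is caught), treats Windows-executable MIME types as blocked even without a filename, and, instead of banning .zip outright, looks inside the archive and blocks it only when a member is on the list or cannot be inspected. The extension set is the union of the two posted lists; the sample messages are constructed, not real worm samples.

```python
"""Attachment gate for inbound mail, built from the extension lists in the
thread.  Added example: the blocklist is the posters' union, the .zip
inspection is an added middle ground, and all sample mail is constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the two posts above say to block by default (lowercase, no dot).
EXECUTABLE_EXT = {
    "exe", "bat", "pif", "scr", "com", "shs", "hta", "vbs", "msi",
    "dll", "inf", "ins", "cmd", "vbe", "lnk", "js", "jse", "vxd", "386",
    "cab", "sys", "drv", "eml", "msg",
}

# MIME types that mean "Windows executable" whatever the filename says.
EXECUTABLE_MIME = {
    "application/x-msdownload", "application/x-msdos-program", "application/x-dosexec",
}


def blocked_extensions(filename):
    """Every blocklisted extension found in any dotted component of the name,
    so both 'calc.exe' and 'invoice.pdf.exe' hit (double-extension tricks)."""
    components = filename.lower().split(".")[1:]
    return [c for c in components if c in EXECUTABLE_EXT]


def zip_members_blocked(data):
    """Names of blocklisted members inside a zip payload.  An encrypted
    member or a corrupt archive counts as blocked: it cannot be inspected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = []
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # bit 0 = member is encrypted
                    bad.append(info.filename + " (encrypted)")
                elif blocked_extensions(info.filename):
                    bad.append(info.filename)
            return bad
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def scan_message(raw_bytes):
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype in EXECUTABLE_MIME:
            reasons.append(f"executable MIME type {ctype} ({name or 'unnamed part'})")
            continue
        hits = blocked_extensions(name) if name else []
        if hits:
            reasons.append(f"attachment {name}: blocked extension {'/'.join(hits)}")
        elif name.lower().endswith(".zip") or ctype == "application/zip":
            inner = zip_members_blocked(part.get_payload(decode=True))
            if inner:
                reasons.append(f"zip {name or 'unnamed'} contains {', '.join(inner)}")
    return reasons


def build_sample(attachment_name, payload, maintype="application", subtype="octet-stream"):
    """Construct a test message with one attachment (constructed, not a real sample)."""
    m = EmailMessage()
    m["From"] = "admin@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Hi"
    m.set_content("Test, yep.\n")
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=attachment_name)
    return m.as_bytes()


def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "random-name exe": build_sample("calc.exe", b"MZ\x90\x00"),
        "plain pdf": build_sample("report.pdf", b"%PDF-1.4"),
        "zip with exe": build_sample("photos.zip", make_zip({"a.jpg": b"x", "setup.exe": b"MZ"}),
                                     "application", "zip"),
        "unnamed x-msdownload": build_sample("readme", b"MZ", "application", "x-msdownload"),
    }
    for label, raw in samples.items():
        print(f"{label}: {scan_message(raw) or 'deliver'}")
```

    Quarantine rather than silent drop is the point of returning reasons: a blocked legitimate file (a multimedia attachment, or a zip whose only problem is a password) can then be released by hand, which is what the posts above describe doing.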

  • Closed Accounts Posts: 88 ✭✭BogoBot


    Not a situation I'd like to find myself in but if its of any use to anyone.....

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    From: Joe Stewart <jstewart@lurhq.com>
    To: TH-Research
    Subject: [TH-research] Bagle remote uninstall
    Date: Tue, 20 Jan 2004 17:19:41 -0500

    Mail from Joe Stewart <jstewart@lurhq.com>

    If you can't wait till January 28, Bagle has a remote uninstall command
    which can be sent over port 6777, the port also used to upload the
    second stage.

    For instance, using perl and netcat, you could send the uninstall
    command with the one-liner below:
    perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
    | nc infected_host_IP 6777

    When the command bytes above are received by an infected host, the virus
    will exit and delete its executable (using a batch script after the
    fact). The registry keys are not removed.

    -Joe

    --
    Gadi Evron,
    ge@linuxbox.org.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

