January 20, 2004
Virus Alert: W32/Bagle@MM

W32/Bagle@MM is a mass-mailing worm. The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

example:

frjujs.exe
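The characteristics listed above can be checked mechanically at a mail gateway or against a saved message. The Python below is an added example, not part of the original alert or of any vendor tool; the function names, the constructed sample message, and the rule of requiring the attachment match plus one other field are assumptions. The From: line is ignored because it may be forged.

```python
import email
from email import policy
from email.message import EmailMessage

BAGLE_ATTACHMENT_SIZE = 15872  # bytes, as stated in the alert

def bagle_indicators(raw_bytes):
    """Return which of the alert's characteristics a raw message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == "Hi":
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Body opens with "Test =)" and closes with "Test, yep."; the middle is random.
    if lines and lines[0] == "Test =)" and lines[-1] == "Test, yep.":
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # The filename is random, so match on extension and exact size only.
        if name.endswith(".exe") and len(payload) == BAGLE_ATTACHMENT_SIZE:
            hits.append("attachment")
            break
    return hits

def looks_like_bagle(raw_bytes):
    """Assumed rule: attachment match plus at least one other indicator."""
    hits = bagle_indicators(raw_bytes)
    return "attachment" in hits and len(hits) >= 2

def build_sample(size=BAGLE_ATTACHMENT_SIZE, subject="Hi"):
    """Constructed test message; zero bytes stand in for the attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # constructed address
    m["To"] = "user@example.com"        # constructed address
    m["Subject"] = subject
    m.set_content("Test =)\nqwrtyplkj\n--\nTest, yep.\n")
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename="frjujs.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(bagle_indicators(build_sample()))
    print(looks_like_bagle(build_sample(size=1000)))
```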

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes CALC.EXE, copies itself as bbeagle.exe, and sets itself to load when you start up your machine. The worm uses your email address lists to send itself to others.

The virus spoofs the sender address, so if you receive one of these messages, it was likely not sent by the address in the FROM: line.

You can tell if you're infected by going to Start--Search (or Find) and searching for a file called bbeagle.exe. If this file is on your computer, you're infected.

If you have not opened an attachment, you are not infected. If you get a mail message where the subject begins with "Virus Detected and Cleaned", the virus has already been removed from that message.

To remove the virus:

  1. Run Scout (over the network; do not use the Scout CD)
  2. Click on 'Configure'
  3. Select 'Advanced'
  4. Click on 'Done'
  5. Download 'McAfee Stinger'
  6. Setup of Stinger includes running it.
  7. When completed, go back into Scout, click on 'Configure'
  8. Select 'Current'
  9. Click on 'Done'

Some important notes about viruses

  • DON'T open attachments
    This is important NOT ONLY when the attachments are from people you don't know, but ALSO when they are from people you do know and arrive in suspicious-looking emails of a kind you don't normally receive from them.
  • If the body of the message (nonsense words, for instance) looks suspicious, EVEN IF it's from someone you know, check with that person first before opening the attachment.
  • DON'T EVER open attachments that have a .EXE extension unless you're explicitly expecting that specific file from that specific person.

For more information about the W32/Bagle@MM virus, check http://vil.nai.com/vil/content/v_100965.htm

Posted by dcoates at January 20, 2004 10:49 AM