W32/Bagle.ah@mm
Last Updated 7/19/04 7:00PM
CIT has been notified of a new email virus called W32/Bagle.ah@mm. This is a mass-mailing worm that harvests email addresses from infected machines. Emails are forged to appear to be sent by an address collected from the infected machine.
From: Spoofed email address
Examples of subject lines are:
- Password: %s
- Pass - %s
- Key - %s
- Re:
- foto3
- fotogalary
- fotoinfo
- Lovely animals
- Animals
- Predators
- The snake
- Screen
Body: Empty
Attachment: Two attachments, possibly a .bmp and one of the following file types: .EXE, .SCR, .COM, .ZIP, .CPL
Examples:
- foto3.exe
- foto2.scr
- foto1.com
- Secret.zip
- Doll.cpl
- Garry.exe
- Cat.scr
- Dog.com
- Fish.zip
The .bmp contains the password needed to open the attachment if it is a password-protected .zip.
The worm also propagates through peer-to-peer networks by way of open directories whose names contain the string "shar".
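The e-mail traits listed above can be turned into a simple mail-filter heuristic. The following is an added example, not part of the original advisory or any vendor's detection logic; the function names, the trait labels and the sample messages are constructed for illustration.

```python
import os
from email.message import EmailMessage

# Traits from the advisory. Subjects shown with "%s" are matched by fixed prefix.
SUBJECT_EXACT = {"re:", "foto3", "fotogalary", "fotoinfo", "lovely animals",
                 "animals", "predators", "the snake", "screen"}
SUBJECT_PREFIX = ("password:", "pass -", "key -")
RISKY_EXT = {".exe", ".scr", ".com", ".zip", ".cpl"}

def bagle_ah_traits(msg):
    """Return which of the advisory's message traits this email matches."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECT_EXACT or subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    names, body = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname.lower())
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("latin-1")
    if not body.strip():
        hits.append("empty_body")
    exts = {os.path.splitext(n)[1] for n in names}
    if exts & RISKY_EXT:
        hits.append("risky_attachment")
        if ".bmp" in exts:
            hits.append("bmp_companion")
    return hits

def looks_like_bagle_ah(msg):
    """Flag only when subject, empty body and a risky attachment all match."""
    return {"subject", "empty_body", "risky_attachment"} <= set(bagle_ah_traits(msg))

def make_sample(subject, body, attachments):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    for name in attachments:
        m.add_attachment(b"\x00", maintype="application",
                         subtype="octet-stream", filename=name)
    return m
```

Requiring all three traits together keeps a legitimate message with a matching subject and a .zip attachment from being flagged as long as it has body text.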
McAfee (formerly NAI) has released SuperDat 4379 and later to detect and remove W32/Bagle.ah@mm.
Symantec will be releasing definitions dated 4/26/04 and later to detect and remove beagle.w@MM.
For more information:
From McAfee.
From Symantec.
This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.