W32/Bagle.z@mm (aka worm_bagle.X@mm by Trend Micro)
Last Updated 4/26/04 4:30PM
CIT has been notified of an email virus called W32/Bagle.z@mm. This is a mass-mailing worm that harvests email addresses from infected machines. Emails are forged to appear to be sent by an address from the @nih.gov domain. Each message includes two attachments; recent email samples show a .jpg and a .cpl attachment.
From: alias@nih.gov
- annie@ (domain of recipient)
- christina@ (domain of recipient)
- christy@ (domain of recipient)
- jessie@ (domain of recipient)
- lizie@ (domain of recipient)
- secretGurl@ (domain of recipient)
Examples of subject lines are:
- Hey!
- Let's talk, my friend!
- Hello!
- Let's socialize, my friend!
- I'm bored with this life
- Notify from a known person ;-)
- I like you
- I just need a friend
- I'm a sad girl...
- Re: Msg reply
- Re: Hello
Body: varies
Example
Hi,
(embedded .jpg image here)
I'm a young lady of 20 years old i'd like to find my second part!!!
Further details are in attach.
Cheers, SecretGurl
Attachment: (two attachments, possibly a .jpg and a .cpl file)
Example
- Details
- Document
- Information
- Message
- MoreInfo
- Readme
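A mail-gateway check built from the indicators listed above, as an added example that is not part of the original advisory: it parses a raw message with Python's standard email package and reports which of the sender aliases, subject lines, attachment names and the .cpl extension it matches. The indicator labels, the quarantine rule in should_quarantine and the build_sample helper are assumptions made for illustration.

```python
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory; matching is case-insensitive.
ALIASES = {"annie", "christina", "christy", "jessie", "lizie", "secretgurl"}
SUBJECTS = {s.lower() for s in (
    "Hey!", "Let's talk, my friend!", "Hello!", "Let's socialize, my friend!",
    "I'm bored with this life", "Notify from a known person ;-)", "I like you",
    "I just need a friend", "I'm a sad girl...", "Re: Msg reply", "Re: Hello")}
ATTACH_STEMS = {"details", "document", "information", "message", "moreinfo", "readme"}

def bagle_z_hits(raw: bytes) -> list:
    """Return the sorted labels of advisory indicators matched by a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if addr.partition("@")[0].lower() in ALIASES:
        hits.add("sender-alias")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    # walk() also reaches inline parts, so a named embedded image is checked too.
    for part in msg.walk():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext == ".cpl":
            hits.add("cpl-attachment")
        if stem in ATTACH_STEMS:
            hits.add("attachment-name")
    return sorted(hits)

def should_quarantine(raw: bytes) -> bool:
    # Assumed policy: any .cpl attachment, or two or more weaker indicators.
    hits = bagle_z_hits(raw)
    return "cpl-attachment" in hits or len(hits) >= 2

def build_sample(sender, subject, attachments=()):
    """Build a constructed test message; attachment bytes are inert placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Further details are in attach.")
    for name in attachments:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

A single subject-line match is not enough to quarantine under this rule, since subjects such as "Hello!" are common in legitimate mail.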
NAI has released Super DAT 4353 and later to detect and remove W32/Bagle.z@mm.
Symantec will be releasing definitions dated 4/26/04 to detect and remove beagle.w@MM.
For more information:
From McAfee.
From Symantec.
From Trend Micro.
This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.