
Bagle

W32/Bagle@MM, aka W32.Beagle.A@mm (Symantec). Last updated 1/19/04 11:48 AM

CIT has been notified of a new email virus called W32/Bagle@MM, aka W32.Beagle.A@mm (Symantec). W32.Beagle.A@mm is a mass-mailing worm with a remote access component. The worm harvests email addresses from .wab, .txt, .htm, and .html files and, using its own SMTP engine, emails itself to all contacts it finds. In addition, it opens and listens on port 6777 and inserts several files and registry keys on the system. When the virus runs, it executes the standard Windows calculator program, CALC.EXE; note the presence of the file bbeagle.exe in the WINDOWS SYSTEM directory.

When the attachment is run, the virus checks to see if the system date is January 28, 2004 or later. If it is on or after this date, the virus exits.

In email form, W32/Bagle@MM appears as follows:

From: (address may be forged)

Subject: Hi

The message body is the following:

Test =) (random characters)

--
Test, yep.

Attachment: (random filename) 15,872 bytes (Icon image of a Calculator)
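The message traits listed above (subject, body text, attachment size) can be combined into a mail-gateway check. The following Python is an added example, not part of the original advisory; the function names, the policy of requiring all three traits, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ATTACHMENT_SIZE = 15872                     # "15,872 bytes" per the advisory
BODY_MARKERS = ("Test =)", "Test, yep.")    # body lines quoted in the advisory


def bagle_indicators(raw: bytes) -> list[str]:
    """Return which of the advisory's message traits a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == "Hi":
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("body")
    for part in msg.iter_attachments():
        # Decode base64/quoted-printable so the on-disk size is compared.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == ATTACHMENT_SIZE:
            hits.append("attachment-size")
            break
    return hits


def should_quarantine(raw: bytes) -> bool:
    # Assumed policy: require all three traits, because "Hi" alone is a
    # common subject and would cause false positives.
    return len(bagle_indicators(raw)) == 3


def build_sample(subject: str, text: str, attachment: bytes) -> bytes:
    """Build a constructed test message; the attachment is inert filler."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


# Constructed samples: one shaped like the advisory's description, one benign.
SUSPECT = build_sample("Hi", "Test =) qwxzrtpl\n--\nTest, yep.\n", b"\x00" * 15872)
BENIGN = build_sample("Hi", "Lunch on Friday?\n", b"\x00" * 2048)
```

Because the sender address may be forged and the attachment filename is random, neither is used as a matching criterion here.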

NAI released DAT/SuperDAT 4316 to detect and remove W32/Bagle@MM. The 4316 DAT/SuperDAT is now available.

Symantec released 1/18/2004 virus definitions to detect and remove W32.Beagle.A@mm. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_100965.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.


This page last reviewed: September 12, 2008