March 2004

New Virus Threat
Posted Wednesday, March 3, 2004 by jeremy
Yet another virus was recently released that "spoofs" the email address so that it appears to be coming from someone you know. This latest virus could appear to be coming from a system administrator at BRCN. If you receive this email you should NOT open any attachments.

It is worth noting that not all viruses require you to open attachments. Even those that do can appear to be coming from someone you know. The ONLY way to keep from getting these viruses is to have antivirus software installed on your system. You must also update this antivirus software on a DAILY basis.

Antivirus software can be purchased at most stores, including Wal-Mart and OfficeMax, or downloaded from the Internet. Here are a couple of links:

http://www.symantec.com

http://www.grisoft.com

Jeremy Porter, President
Big River Community Network



Here are more details on this most recent virus:

Names:
W32.Beagle.K
W32.Beagle.K@mm
Win32.Bagle.K
WORM_BAGLE.K
W32/Bagle.k@MM

Distribution
This is an Internet worm that propagates via e-mail using its own Simple Mail Transfer Protocol (SMTP) engine. Beagle.K also attempts to spread through file-sharing networks (such as Kazaa) by dropping itself into folders that contain "shar" in their names.

Directly Affected Software Versions
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP

Technical Details
The worm has the following characteristics:

When executed it will attempt to end the following processes (responsible for updating signatures for various anti-virus programs):
Atupdater.exe
Aupdate.exe
Autodown.exe
Autotrace.exe
Autoupdate.exe
Avltmain.exe
Avpupd.exe
Avwupd32.exe
Avxquar.exe
Cfiaudit.exe
Drwebupw.exe
Icssuppnt.exe
Icsupp95.exe
Luall.exe
Mcupdate.exe
Nupgrade.exe
Outpost.exe
Update.exe

Beagle.K will scan files on the local hard drive and collect e-mail addresses from the following file types:
.wab
.txt
.msg
.htm
.xml
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.adb
.tbb
.sht
.uin
.cgi

Using its own SMTP engine, Beagle.K will send e-mail to the addresses found. The From address will be spoofed to appear to come from one of the following addresses at the recipient's domain:
-Administration
-Management
-Support
-Staff
-Noreply

Subject: (One of the following)
-E-mail account disabling warning.
-E-mail account security warning.
-Email account utilization warning.
-Important notify about your e-mail account.
-Notify about using the e-mail account.
-Notify about your e-mail account utilization.
-Warning about your e-mail account.

Salutation: (One of the following)
-Dear user of ,
-Dear user of gateway e-mail server,
-Dear user of e-mail server "",
-Hello user of e-mail server,
-Dear user of "" mailing system,
-Dear user, the management of mailing system wants to let you know that,

Body: (One of the following)
-Your e-mail account has been temporary disabled because of unauthorized access.
-Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
-Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
-We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
-Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
-Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Followed by:
-For more information see the attached file.
-Further details can be obtained from attached file.
-Advanced details can be found in attached file.
-For details see the attach.
-For details see the attached file.
-For further details see the attach.
-Please, read the attach for further details.
-Pay attention on attached file.

Followed by:
The team

Closing:
-The Management,
-Sincerely,
-Best wishes,
-Have a good day,
-Cheers,
-Kind regards,

Filename: (One of the following)
-Attach
-Information
-Readme
-Document
-Info
-TextDocument
-TextFile
-MoreInfo
-Message

The attachment will have a .zip or .pif extension. The .zip file is password protected and contains a randomly named .exe file. The password is a random 5-digit number that is included in the message body.
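To turn the template above into something a mail administrator can check against, here is an added example (not from the bulletin or any vendor) that lists which of the described lure traits a message shows: a role-name sender at the recipient's own domain, one of the known subjects, a known attachment name with a .zip or .pif extension, and a five-digit password quoted next to a reference to the attachment. The trait names are mine, and the sample message it builds is constructed to match the description, not a captured copy of the worm's mail.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

SPOOFED_LOCALPARTS = {"administration", "management", "support", "staff", "noreply"}  # from bulletin
SUBJECTS = {"e-mail account disabling warning.", "e-mail account security warning.",
            "email account utilization warning.", "important notify about your e-mail account.",
            "notify about using the e-mail account.", "notify about your e-mail account utilization.",
            "warning about your e-mail account."}
ATTACHMENT_STEMS = {"attach", "information", "readme", "document", "info",
                    "textdocument", "textfile", "moreinfo", "message"}
ATTACHMENT_EXTS = {".zip", ".pif"}
PASSWORD_RE = re.compile(r"\b\d{5}\b")  # the zip password is quoted in the lure text

def beagle_k_indicators(raw: str) -> list[str]:
    """Return the Beagle.K lure traits present in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    local, _, domain = sender.rpartition("@")
    hits = []
    if local in SPOOFED_LOCALPARTS and domain and domain == recipient.rpartition("@")[2]:
        hits.append("from-spoofed-at-recipient-domain")  # role name at the victim's own domain
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("known-subject")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, dot, ext = name.lower().rpartition(".")
            if stem in ATTACHMENT_STEMS and dot + ext in ATTACHMENT_EXTS:
                hits.append("known-attachment-name")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if "attach" in body.lower() and PASSWORD_RE.search(body):
        hits.append("five-digit-password-in-body")
    return hits

def build_sample_lure() -> str:
    """Constructed message in the shape the bulletin describes (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"] = "Support <support@example.org>", "alice@example.org"
    m["Subject"] = "E-mail account security warning."
    m.set_content("Dear user of example.org,\nYour e-mail account has been temporary disabled\n"
                  "because of unauthorized access.\nFor details see the attach. Password: 47213\n")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="Information.zip")
    return m.as_string()
```

A gateway would quarantine on two or more hits rather than one, since a lone "support@" sender or a lone five-digit number is common in legitimate mail.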

What Members Should Do
1. Update your current anti-virus solution.
2. Remove any infected system from the network until it is disinfected using your current anti-virus solution. Removing the infected computer from the network minimizes the impact on others.
3. If your anti-virus vendor does not yet remove W32.Beagle.K, you may wish to explore Symantec's removal tool.
(http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html)
4. Here are anti-virus best practices:
-Running a current anti-virus program on every workstation.
-Not executing attachments from unknown persons.
-Not executing attachments, even from known users, unless you are expecting one or have verified there should be one.
-Checking both your operating system and anti-virus vendors' websites for updates on a regular basis (at least once a week is highly recommended).