'Bagle' Worm Heading For A Windows PC Near You

mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
  • by cyt0plas ( 629631 ) * on Tuesday January 20, 2004 @02:47AM (#8029472) Journal
    So far, I've submitted copies of this to Symantec [symantec.com], and ClamAV [sourceforge.net], both of which did not detect it in the latest definitions. If anyone else has submitted this to an A/V manufacturer, or knows of an A/V that currently detects this, please post.
    • jeesh.. (Score:2, Insightful)

      by olorinpc ( 729849 )
      "They attributed the worm's high infection rate to curious home and small office computer users who could not resist clicking on the attachment." -You would think by now even the person with the lowest possible computer knowledge would have picked up on this. Good to see people are getting right on the reporting of this though... now we just have to hope people will update their virus definitions! -olo
    • by Naffer ( 720686 ) on Tuesday January 20, 2004 @03:00AM (#8029539) Journal
      Norton's bloodhound module is usually pretty good at detecting unknown viruses. At the very least, I'd hope that it is capable of preventing the application from being run.

      And since I know everyone is already readying their "Ah ha! Windows sucks!" posts, remember that running unknown code is NOT a good idea on ANY operating system. The virus doesn't exploit any massive windows bug. If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
      • by ajs318 ( 655362 ) <sd_resp2@earthsho[ ]o.uk ['d.c' in gap]> on Tuesday January 20, 2004 @03:51AM (#8029777)
        If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
        Yeah, probably; only, thanks to something called "privilege separation", they would never get transmitted anywhere. At least, not on a well-set-up system ..... Even on a slightly-badly-set-up system, there will be log files kicking around to show what sort of thing was happening.
        The virus doesn't exploit any massive windows bug.
        Well, maybe I have a warped sense of priorities, but I'd regard running everything as the equivalent of "root" as a pretty massive bug .....
        running unknown code is NOT a good idea on ANY operating system.
        Agreed -- which is why I insist to have the source code for every piece of software I run.
        • by originalTMAN ( 694813 ) on Tuesday January 20, 2004 @04:07AM (#8029838)
          You could create a privileged system since NT. Here's a scenario for you: Linux comes preinstalled on every new computer sold and is the dominant OS. Do you think resellers would set up non-root/non-rootlike accounts for the user? It's not like they couldn't do that with 2k or XP. And what about the bagillion possible daemons that the reseller might turn on just to make things even easier for the user? Do you think the reseller would educate the buyer on the importance of actually maintaining a system or firewalls? *nix (as much as I love it) is not the be all, end all to this little annoyance. Education is. If people were educated on how to actually use their machine, this problem wouldn't exist.
        • by Ewan ( 5533 ) on Tuesday January 20, 2004 @05:21AM (#8030085) Homepage Journal
          Why? You can easily write a userspace smtp client for linux, which is what this virus is. Add it to .bash_rc or similar and away you go: each time the user logs in they start hammering away with copies of itself. Then, after 2 weeks, have it wipe out every file it can on the system - sure the OS will survive but plenty of what the user considers vital information will be lost.

          Backups are just as required in Linux as they are in Windows.

          Ewan
      • by Ed Avis ( 5917 ) <ed@membled.com> on Tuesday January 20, 2004 @03:52AM (#8029780) Homepage
        The virus exploits the massive Windows bug that clicking on an attachment is enough to run an executable with full user privileges (root privileges, often) and that there is no safe mechanism to _open_ a file without the risk of _running_ it.
        • by Animaether ( 411575 ) on Tuesday January 20, 2004 @04:52AM (#8029997) Journal
          So basically it exploits user stupidity. Thanks for putting it so eloquently :)
          • that there is no safe mechanism to _open_ a file without the risk of _running_ it.

            So basically it exploits user stupidity. Thanks for putting it so eloquently :)


            If you mean user stupidity in using a system that deprives the user of essential information as to whether or not to click on something "interesting", then yes. The malware would make much less progress if the dialog used "Run Virus" instead of "Open".
            • What terrifies me is that, at least where I work, people would click it anyway. It seems a depressing number of people don't actually read the contents of dialog boxes unless it is completely unexpected - they just automatically click on the button that is normally the positive action.
          • by LilMikey ( 615759 ) on Tuesday January 20, 2004 @10:59AM (#8032418) Homepage
            Granted, the 'bug' is in the user. However Firebird/Thunderbird (for Windows) will not let you run executables directly from the client. They make you save to disk and run it your own damn self. 'Tis not a solution but the extra step would weed out the stupid AND lazy, leaving just the plain stupid to propagate the virii. :)
      • by number6x ( 626555 ) on Tuesday January 20, 2004 @08:47AM (#8031028)
        "If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!"

        If everyone repeats this refrain enough people may actually start to believe it, and that would be good in counteracting that old 'many eyes make all bugs shallow' phrase we keep hearing about open source.

        Taken at face value the statement seems reasonable, but I'm a scientist and I like to hold theories up to the light of reality and see how they do. I know that testing theories annoys people because it makes them question their deepest held beliefs, but hey I'm an annoying guy anyway.

        We could test the statement by finding an Open Source project that has much more market share than a closed source project, then compare the rates of exploit. Hmmmm... how about Apache vs. MS IIS?

        According to Netcraft [netcraft.com] Apache has about 67% of the market and Microsoft's IIS has about 21% of the market. The often quoted FUD says that Apache is used by so many more people it must have many more exploits.

        We can search the CERT website [cert.org] for the terms 'Apache' and 'Microsoft IIS', clicking on the boxes for:

        Advisories

        Incident Notes

        Security Improvement Modules

        Vulnerability Notes

        'Apache' gives 180 results.

        'Microsoft IIS' gives 830 results.

        Wait! That means that just because something is used much more widely than another thing it does not result in more attacks! That proves the statement that if Linux were used more it would have more viruses is a false statement! It could be that open source actually does produce more secure code after all!

        If Linux had 60% or 70% market share, there would probably be more viruses written for Linux than there are now. But, as we can see with the real world example of Apache and Microsoft IIS, the open source development model produces more secure software.

        Sorry to step on that often quoted line about linux and viruses, but I like reality.

    • by Neva ( 630016 ) <jneva@NOSPam.mbnet.fi> on Tuesday January 20, 2004 @03:05AM (#8029566)
      F-Secure detects it, since yesterday. There's a removal tool there too.

      Bagle description [f-secure.com]
    • by antdude ( 79039 ) on Tuesday January 20, 2004 @03:10AM (#8029588) Homepage Journal
      ... according to Symantec [symantec.com]'s Security Response [symantec.com] (since 1/18/2004).
    • Re: AVG's got it... (Score:5, Informative)

      by MachDelta ( 704883 ) on Tuesday January 20, 2004 @03:21AM (#8029635)
      ...since yesterday [grisoft.com], apparently. Good to see Grisoft [grisoft.com] keeping AVG up to date.
      Oh, and they've got a little blurb [grisoft.com] on the virus too.
    • by fo0bar ( 261207 ) * on Tuesday January 20, 2004 @03:23AM (#8029647)
      ClamAV and Kaspersky [kaspersky.com] both seem to be catching them here.

    • McAfee/NAI has been detecting it for the past day or two as well.

    • Just to add to the list, Vet [vet.com.au] posted their update early on Jan 20th.
    • Yay! A test. (Score:3, Informative)

      by edunbar93 ( 141167 )
      The F-prot [f-prot.com] antivirus definitions have it, as of the 19th. They have a nice *nix scanner that can be plugged into software like qmailscanner [sourceforge.net], which can scan all incoming and outgoing messages. They also have sane per-server pricing for ISPs.

      I'm looking forward to seeing how much of an impact this will make on our mail server. Currently viruses make up less than 5% of our filtered mail. The rest is spam.
  • The article says Bagle has been detected in more than 100 countries.

    Are you saying that this new worm knows no geographical boundaries? Heaven forfend!

    BTW: two fixes are already available for this virus:
    • Free, but worth thousands more: FreeBSD [freebsdo.org], Linux [kernel.org], and more...
    • Pricey, but worth every penny: Mac OS X [apple.com]

    Note to developers, developers, developers, developers [ntk.net]:
    everyone from the home user to big business wants OFF OF WINDOWS, and not just because of the viruses. Please,
    stop catering to the (dying) status

    • by BWJones ( 18351 ) * on Tuesday January 20, 2004 @03:06AM (#8029567) Homepage Journal
      BTW: two fixes are already available for this virus:

      Free, but worth thousands more: FreeBSD, Linux, and more...
      Pricey, but worth every penny: Mac OS X


      We have moved most of our lab machines from Windows to OS X in the past few months and the time I have spent having to patch, test patches, roll back updates due to problems with Windows has been reduced drastically. I can't mention how successful this migration/switch has been in terms of productivity gains, peace of mind, etc... With OS X, you plug stuff in and it works.

      It's true that OS X costs more money than, say, Linux installed on our previous machines, but OS X is a true desktop OS that allows one to keep all of their UNIX apps as well as provides the slickest desktop OS around, allowing for use of popular apps such as Office (yes, Microsoft Office for OS X is actually quite nice, so stop your whining), Photoshop, Filemaker etc... while allowing for our compute intensive work on scientific apps as well.

    • by IWK ( 20254 )
      Right. Mass migration to FreeBSD, Linux, Mac OS X. Massive porting of all possible windows apps to Unix. Suppose that would happen quickly or even overnight. You can always hope.

      Will the problem become less severe? Probably, at least for a while. Will the problem go away? Of course not.

      Because insecurity stems not from some flaw in an OS but from a fundamental problem with the users and industry's mindset which stresses features and convenience over security. Just imagine what a simple script could do on
    • by Greyfox ( 87712 ) on Tuesday January 20, 2004 @03:37AM (#8029714) Homepage Journal
      But if you move the users over to Linux or OSX they'll still execute attachments. The solution is to set their mouse up so that whenever they open an attachment, they get a shock. The more they open attachments, the more they get shocked. Eventually the problem will go away (Either when they stop opening attachments or when the shocks become fatal...)

      We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some Christmas card program that remailed itself to everyone in your address book. Sound familiar?

      • by juhaz ( 110830 ) on Tuesday January 20, 2004 @04:34AM (#8029933) Homepage
        The solution is to set their mouse up so that whenever they open an attachment, they get a shock. The more they open attachments, the more they get shocked. Eventually the problem will go away (Either when they stop opening attachments or when the shocks become fatal...)

        Well, I've heard that works on dogs, but users? No way in hell, they are so boneheaded they won't stop clicking - and they're probably too stubborn to die as well.
  • by Kris_J ( 10111 ) * on Tuesday January 20, 2004 @02:49AM (#8029483) Homepage Journal
    We've already received two of these at work, one as early as 8am yesterday morning, local time. Fortunately our server-based anti-virus filter is on the ball: "Executable DOS/Windows programs are dangerous in email (kraencha.exe)"
  • by pantycrickets ( 694774 ) on Tuesday January 20, 2004 @02:50AM (#8029489)
    My beagle has tape worms.. when is a patch expected? If my dog had been using Linux, this would never have happened!!
  • I guess this means Beagle [beagle2.com] has made contact with Earth after all. Perhaps it has to do with Martian hackers who don't like Linux [linuxdevices.com]? They can't spell too well though.
  • by LucasMedaffy ( 598394 ) on Tuesday January 20, 2004 @02:53AM (#8029500)
    As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test". Mandatory computer usage licenses, anyone? ;)
    • Not speaking as a Windows user, but: I don't think you have to be "stupid" to click on a certain clickable thing. That's why it's clickable.

      It's the developers of said email software who are stupid. The idea that their users should want an email... a totally insecure message, to have full access to their personal Turing Machines in the form of a clickable .exe. The user is the last to blame for all this virus nonsense - it's the guys writing the OS and the email software who should know better!
  • by YellowSubRoutine ( 230089 ) on Tuesday January 20, 2004 @02:53AM (#8029503)
    Why is this one unique? It's just the next worm.
    And it replicates by *emailing* itself...

    No remote root/admin exploits, no network-clogging mass scanning, no nothing.
    Maybe just a few misconfigured mailservers going down, that's it.

    yawn, wake me up when we're at threatcom 4
    • Unique? No.

      Newsworthy? Definitely.

      I mean, if this isn't newsworthy, then what is? New version of software/OS X, or latest episode of SCO comedy, or some new column about evil/good [MR]IAA versus good/evil P2P?
  • Why don't ISPs and mail providers perform quick checks of attachments to see if they compare with known viruses (similar file sizes would be a quick initial check) and then filter out (or at least alert the recipient about) any attachments that they successfully determine are viral attacks, such as this one?

    Do any such ISPs or mail providers offer such a service? If not, why not? Surely it's in their interest? After all, these viruses (especially the ones that send themselves on to everyone in the infected
    • by phaze3000 ( 204500 ) on Tuesday January 20, 2004 @03:26AM (#8029663) Homepage

      Two main reasons - the extra load generated and the risk of false positives.

      If filtering were done as you suggest, with a simple attachment file size check, then there's a reasonable chance a perfectly legitimate mail would be dropped. It also wouldn't take very long for the virus writers to create viruses that vary the file size on every reproduction.

      If a customer gets themselves infected with a virus then it's their fault for not having adequate virus protection - if the ISP drops their mail because it was of a similar size to a virus it's the ISP's fault.

  • an EXE?!! (Score:4, Funny)

    by DJ-Dodger ( 169589 ) on Tuesday January 20, 2004 @02:55AM (#8029511) Homepage
    Come on! Outlook hasn't allowed these to be run for years now? How do these things still spread? Little old ladies stuck on Eudora 3.0 or something?
    • And I'm sure many people do. The real problem with security for home systems is people have to WANT it there. You can setup as much as you like, but since they own the system they can just turn it off. They will too, by and large, if they feel it interferes with what they want to do.
  • by Shoten ( 260439 ) on Tuesday January 20, 2004 @02:55AM (#8029514)
    I got it this morning, spoofed from a SecurityFocus security mailing list I subscribe to, ironically enough. Current Norton sigs didn't detect it, and it didn't match my spam filters...but Outlook's updated features automatically blocked access to the exe file (not like I would have clicked on it anyways...but it was interesting to see something from Microsoft be the only barricade to stay standing).
  • Interesting Tidbit (Score:5, Informative)

    by jmt9581 ( 554192 ) on Tuesday January 20, 2004 @02:56AM (#8029517) Homepage
    It looks like the writers of the virus DOS'ed themselves (from the aforementioned Yahoo! article):

    Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.

    Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?

    At any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig. :)
  • by tonyr60 ( 32153 ) * on Tuesday January 20, 2004 @02:59AM (#8029532)
    "The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections".

    They could stop sucking up to M$ and also recommend that home users consider another OS.
  • by cgranade ( 702534 ) <cgranade.gmail@com> on Tuesday January 20, 2004 @02:59AM (#8029535) Homepage Journal
    Seems that this thing fakes e-mail addresses as well. Got several complaints that I was sending viruses, but of course that's absurd, as I am running GNU/Linux. I can only guess that picks an e-mail address at random from some list (address book, mayhaps?) and says it comes from there.
  • How sad... (Score:4, Funny)

    by NeoGeo64 ( 672698 ) on Tuesday January 20, 2004 @03:01AM (#8029545) Homepage Journal
    It's pretty fucking sad when you now have forecasted virii.

    Weather channel, look out!
  • by teledyne ( 325332 ) on Tuesday January 20, 2004 @03:04AM (#8029557)
    1. Don't open any attachments that are potential virus, (.exe, .vbs, .com, etc.)

    2. Disable your email client's automatic message preview pane. This makes exploit viruses a little easier on you, as you can select the message and delete it without having to preview it instantaneously.

    3. Download a mail proxy program (I use MailWasher), it'll filter out spam, and allow you to see a text version of the message, without downloading the attachment.

    4. Have your AV update its definition religiously. Of course, this only helps if your AV company updates its definition religiously as well.

    Of course, the first 3 don't require a virus scanner at all, just common sense. As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
  • by Trillian_1138 ( 221423 ) <slashdotNO@SPAMfridaythang.com> on Tuesday January 20, 2004 @03:04AM (#8029561)
    I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following text.

    Hi!
    This is a test.
    (random string of letters)
    Testy test.

    The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions .wab, .htm, .html, and .txt"

    It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicious code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.

    Also, according to Symantec, it dies on the 28th.

    It was really interesting to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.

    I do find it curious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products?

    As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literally not do work because of the porn popups that plagued their computer.

    -Trillian
    • A reply to my own post....(a little more info)

      As I said, the variation I saw was hidden in a version of the Windows calculator. Specifically, the attachment was an EXE file with a random string of letters (I saw names between three and seven letters long). Also, it ran as bbeagle.exe, and the bbeagle.exe file lived in the C:\Windows\System32\ folder. Finally, deleting the bbeagle.exe file and going into the registry and searching for bbeagle.exe, and deleting THAT entry should kill it. (Again, according to
    • by Trillian_1138 ( 221423 ) <slashdotNO@SPAMfridaythang.com> on Tuesday January 20, 2004 @03:11AM (#8029596)
      Last one, I promise.

      I misread Symantec's site (didn't scroll far enough down). It does indeed contain malicious code beyond its own reproduction:
      from http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

      # Creates a listening thread on port 6777 (this port can change during the worm execution) that allows a remote attacker to:

      - execute commands on the local system as if he were the current user
      - download executables onto the local system
      - terminate and delete the worm program

      # Creates a notification thread that will contact a remote website (using local browser proxy settings) and announce the presence of the worm on the local system every 10 minutes.

      The list of websites contacted is predetermined and are contained within the body of the worm.

      -Trillian
    • Worm? This is a trojan. Anyone that clicks on an executable email attachment in a message that says "this is a test" gets what they deserve.

      -molo
        Hear, hear! I really wish people would understand the difference.

        This is *not* a virus for Windows, it is a manifestation of social engineering using a trojan application. For that matter, just about any modern operating system would be capable of executing this code (Linux, NT, MacOS X, etc.) -- the real source of the problem here are the end users.

        If I sold you a gun, is it my fault when you shoot yourself with it?
  • Executables in email (Score:5, Informative)

    by slutdot ( 207042 ) on Tuesday January 20, 2004 @03:13AM (#8029604)
    I know this has been mentioned about a thousand times but if you're a sysadmin, do yourself a favor and block executables, scripts, or any other file type that can execute. If someone needs an executable to be sent in-bound, set up either an FTP server or a dummy account outside your company's mail system. I have a domain set up just for this purpose where only the admins have rights to the mail accounts. If someone needs a file, the employees just send a request to have an admin check the mailbox for a specific filename from a specific user. We'll even ask for file sizes just to make sure. While checking the mailbox might take about 3-5 minutes out of my day, this method saves me the many headaches of removing viruses all week.
      This has weird effects though - I work in tech support and a few months ago I sent a customer a specialized driver (one you normally have to pay lots of money for) and their email server took all the exe's and dll's out of the zip file. At least that's what he told me.

      I ended up having to put this 700K program on a cd and mail it to him.
  • by a.koepke ( 688359 ) on Tuesday January 20, 2004 @03:15AM (#8029610)
    The virus uses exe files, company mail server is setup to block all executable attachments. Any emails that make it through that are then scanned. Easy solution.

    When new viruses comes out, me not worried.
    • by pe1chl ( 90186 ) on Tuesday January 20, 2004 @03:23AM (#8029651)
      I do this as well.
      Of course you must make sure you use a valid detection mechanism.
      Many commercial scanners use the extremely naive approach of checking the file extension!
      This means that .exe files can be sent through these by renaming the file (e.g. to .jpg), then adding a comment "please rename the file to .exe".

      You would not believe it, but even the most well renowned scanners use this stupid method. I have seen countless examples of "funny programs" being blocked on the mailscanner, and then the same file arriving half an hour later, renamed to .jpg or .gif, and with the added guidance for the receiver. Of course it was again blocked by my scanner, but apparently this method works on the commercial scanners and the users know the workaround.

      There even has been one trojan that uses this method by packing the program in a .zip and telling the user to unzip and then run the program.
    • Ditto. (Score:3, Interesting)

      by khasim ( 1285 )
      If anyone wants to send anyone inside the company an executable, said person is instructed to rename it to .bin prior to sending.

      The .bin file makes it through the scanner and the recipient can save it to his/her local drive, rename it to .exe or .com or .bat or whatever and then run it.

      Anyone who cannot follow these simple directions does not receive executable files.

      No email viruses have been able to traverse these simple precautions.
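    The two posts above (pe1chl's point that extension-only filters pass a renamed or zipped executable, and khasim's ".bin" convention) describe the same gap. The following is an added example, not code from this thread or from any scanner named in it: a mail-gateway check that identifies a Win32 executable by its MZ/PE headers regardless of file name and applies the same check to each member of a .zip attachment. All attachments below are constructed in-memory stand-ins (a fake PE image and a fake JPEG), not real samples.

```python
"""Content-based executable detection for mail attachments (constructed example)."""
import io
import struct
import zipfile

PE_OFFSET_FIELD = 0x3C  # e_lfanew: offset of the "PE\0\0" signature in the DOS header


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, PE_OFFSET_FIELD)
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0"


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return the names of executable payloads found, looking inside zip archives too.

    The file name is only used for reporting; the decision rests on content alone,
    so holiday.jpg, tool.bin and docs.zip/setup.exe are all treated the same way.
    """
    hits = []
    if is_pe_executable(data):
        hits.append(filename)
    if data[:4] == b"PK\x03\x04":  # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.file_size > 16 * 1024 * 1024:  # don't inflate huge members
                        hits.append(f"{filename}:{member.filename} (oversized, not inspected)")
                        continue
                    if is_pe_executable(zf.read(member)):
                        hits.append(f"{filename}:{member.filename}")
        except zipfile.BadZipFile:
            pass  # corrupt archive: nothing to inspect; policy may still quarantine it
    return hits


def fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a PE file: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, PE_OFFSET_FIELD, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed helper: wrap one payload in a zip archive."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return out.getvalue()


# Constructed sample "mailbox": the rename-to-.jpg trick, the .bin convention,
# a zip-packed program, and a genuine-looking picture for comparison.
SAMPLES = {
    "holiday.jpg": fake_pe(),
    "tool.bin": fake_pe(),
    "docs.zip": build_zip("setup.exe", fake_pe()),
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,
}


def triage(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each attachment name to the executable payloads found in it."""
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:14} -> {'BLOCK ' + ', '.join(hits) if hits else 'pass'}")
```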
  • by shanen ( 462549 ) on Tuesday January 20, 2004 @03:18AM (#8029626) Homepage Journal
    Already old news here. Been dealing with it for a couple of days...

    The Subject: is actually more applicable to the spammers, who really are waging all out war on the utility of email. This one is more like a hit-and-run attack.

    Still, the similarity is that they are hoping to find a few "good" suckers to click on their links. This one is actually an interesting combination. Partly it seems to be testing the efficiency of a propagation mechanism, which seems to result in greater "apparent locality" of the email, with higher odds that it seems to have come from someone you know. However, it also seems to be ready to launch some more insidious payload that was to be downloaded from some Web sites.

    Right now all of those Web sites seem to have been taken off the net--or maybe they're waiting to pop them onto the net once the thing has propagated sufficiently. That part of the Trojan apparently tries to check in every 10 minutes to announce itself.

    The thing that bothers me about this combination malware is that the anti-virus people could easily miss something. For example, in this case, what if the thing included a new variation on the email backchannel for the harvested email addresses. Or maybe a well-concealed bit of code to suddenly mung the URLs to point to live sites somewhere else? However, whatever it is hasn't triggered yet, and the anti-virus people perhaps have only detected the distractor HTTP-channel. If that were the case, they could still get a massive harvest of email addresses. (Yes, I still think the spammers are probably really the people behind this one--spamming just naturally attracts the lowest life forms. It's a question of the crudest motivations for the crudest acts.)

    By the way, has anyone seen the reason for the bagle/beagle confusion here? Trying to incriminate the Israelis? Or the dogs? Or both?

  • use Pine. (Score:3, Funny)

    by hedley ( 8715 ) <hedley@pacbell.net> on Tuesday January 20, 2004 @03:20AM (#8029631) Homepage Journal

    Use Pine, be happy. A good *text* based MTA is the right way to enjoy active content.

    Hedley

    PS: Of course I am sure no /. reader is willingly using Lookout are they?
  • by marcushnk ( 90744 ) <senectus@@@gmail...com> on Tuesday January 20, 2004 @03:21AM (#8029641) Journal
    And the damned thing has run a riot out here..

    Worse hit were the CA "Etrust" users who couldn't get an update till way after the virus pounded several of our customers.. for some reason CA were about 12-18 hours behind having an update available on the web, even bloody mcCrappy had an update out way before them :-\

    On the up side.. it uninstalls itself in a few weeks.. and does bugger all damage because it was written so poorly.. lots of bugs in the backdoor code..

    The only thing it does well is self replicate.. :-P
  • by grahamtriggs ( 572707 ) on Tuesday January 20, 2004 @03:26AM (#8029664)

    Hmmm.... the Beagle worm... surely it can't do that much damage... it probably just crashes on entry....
  • Huh? (Score:5, Funny)

    by Black Parrot ( 19622 ) on Tuesday January 20, 2004 @03:33AM (#8029699)


    > installing "a program that lets attackers connect to infected machines, install malicious software or steal files."

    Doesn't Windows already have to be installed?

  • by generationxyu ( 630468 ) on Tuesday January 20, 2004 @03:34AM (#8029703) Homepage
    ...to spoof SMTP with. Or it takes addresses from infected users' address books and spoofs with those. There's no other explanation why someone I've never heard of got this email from what appeared to be my address. A Win32 worm is incapable of running on my hardware. PowerPC chips don't take too kindly to Intel machine code.
  • by chrysalis ( 50680 ) * on Tuesday January 20, 2004 @03:38AM (#8029722) Homepage
    I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall to block all incoming traffic from a Windows machine to port 25.

    On OpenBSD, the following line is enough:

    block drop in log quick proto tcp from any os Windows to any port smtp

    There are really not a lot of legacy mail exchangers running Windows, so it doesn't hurt.

    However, it blocks most worms that are trying to directly send mail.
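
    The same idea as a fuller pf.conf fragment for a LAN gateway, added here as an example and not part of the comment above: it keeps the poster's OS-fingerprint block, logs the hits so you can see which internal hosts tried to talk SMTP directly, and adds the allow-list a site with a sanctioned Windows mail server needs. The interface name em1 and the address 192.0.2.25 are constructed placeholders.

```pf
# Added example (not the poster's own config): OpenBSD pf.conf fragment
# for a gateway whose LAN-facing interface is $int_if.
# Assumptions: em1 is the LAN interface; 192.0.2.25 is a constructed
# placeholder for a legitimately Windows-based mail exchanger.
int_if = "em1"

# Windows hosts that are allowed to send SMTP directly despite the block.
table <mail_exchangers> persist { 192.0.2.25 }

# Exceptions first: "quick" ends evaluation, so the block rule below
# never applies to these hosts.
pass in quick on $int_if proto tcp from <mail_exchangers> to any port smtp

# pf's passive OS fingerprinting (pf.os) is evaluated on the initial SYN,
# so this has to be an "in" rule on the interface the Windows hosts send
# from. "log" writes each blocked attempt to pflog0; a sudden burst of
# hits from one LAN address is the infection indicator worth alerting on.
block drop in log quick on $int_if proto tcp from any os "Windows" to any port smtp

# Everything else on the LAN (e.g. Unix hosts relaying normally) still
# gets through; this rule is only reached by non-Windows fingerprints.
pass in on $int_if proto tcp from $int_if:network to any port smtp
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the blocked attempts with `tcpdump -n -e -ttt -i pflog0 port 25`. The fingerprint is a heuristic on TCP options, so a host that pf cannot classify falls through to the final pass rule rather than being blocked.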

  • by fo0bar ( 261207 ) * on Tuesday January 20, 2004 @03:41AM (#8029735)
    The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.

    What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?

    Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?

  • by Anonymous Coward on Tuesday January 20, 2004 @03:45AM (#8029756)
    ..at least this beagle works ;)
  • more info ... (Score:3, Informative)

    by Anonymous Coward on Tuesday January 20, 2004 @04:15AM (#8029865)
    The worm apparently opens a listening socket, but it appears this worm is very buggy and this 'feature' of it does not work properly. This worm also tries to drop a .bat file somewhere, but apparently it fails at this as well. Is Microsoft writing their own worms now?
  • by rob_au ( 164032 ) * on Tuesday January 20, 2004 @04:22AM (#8029895)
    The perl5-porters [perl.org] list has already been hit by this virus, resulting in 200+ messages being posted over a period of two to three hours yesterday. Additionally, it was reported on this list by Elizabeth Mattijsen here [perl.org] that the Gnome XML list has similarly been affected.
  • OS support (Score:5, Funny)

    by reignbow ( 699038 ) <a.m.steffen@w[ ]de ['eb.' in gap]> on Tuesday January 20, 2004 @05:09AM (#8030059)
    I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to Linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then, will I consider using that software!

    Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway :)
  • by Albanach ( 527650 ) on Tuesday January 20, 2004 @05:52AM (#8030143) Homepage
    Or at least flag it as spam by adding

    score MICROSOFT_EXECUTABLE 5

    to /etc/mail/spamassassin/local.cf

  • by Anonymous Coward on Tuesday January 20, 2004 @07:38AM (#8030578)
    If you get an email like the following, DO NOT RUN IT!

    From: badboy@1337.org
    To: xxxxxxxxxxxxxx
    Subject: New Program, Run This!

    Hi,

    Please forward this email to loads of folks, then do the following as root:

    rm -rf /*

    This will show you your latest account balance.

  • Not worm, trojan (Score:4, Informative)

    by redelm ( 54142 ) on Tuesday January 20, 2004 @09:18AM (#8031332) Homepage
    Unless I've misread something, B[e]agle is a trojan, not a worm.

    Trojans require user interaction to propagate, worms propagate without. Both could be called virii in the sloppy PC terminology, although I believe all traditional PC viruses are actually trojans. The user has to run something. Blaster is one of the few PC worms.

  • by nurb432 ( 527695 ) on Tuesday January 20, 2004 @10:11AM (#8031898) Homepage Journal
    Perhaps the code it's trying to download is one of the 'scripts' to erase Windows and install either FBSD or Debian.

    Let the games begin!

    Though seriously for a moment, all these viruses/worms/spam/etc. are really taking their toll on the network... and our time. What a drag.
  • Naming Worms/Viruses (Score:3, Interesting)

    by FuzzyBad-Mofo ( 184327 ) <fuzzybadNO@SPAMgmail.com> on Tuesday January 20, 2004 @10:16AM (#8031949)

    From the SearchSecurity article:

    The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.

    Why do the researchers avoid calling it what the author named it?
