Antivirus: Virus Archives

Current client downloads:

	VScan Engine/Dat (SuperDat) -5301/4018.5664
	VirusScan Enterprise 8.5i (with Patch 7) - Windows NT/2000/XP/2003
	Virex (OS X) Engine/Def - 7.2(v1.1)/081029
	Virex (OS 9.x) Engine/Def - 6.2/071001
	Linux & Solaris Engine/Dat - 5.2.00/4.0.5196
	Symantec Endpoint Protection 11.0 MR4
	Symantec Antivirus - 10.2
	Clean Boot 1.0
	Stinger v3.8.0 virus removal tool (Updated 09/10/07)

Current server downloads:

	VirusScan Enterprise 8.7i
	VirusScan Enterprise 8.5i
	NetShield NetWare - 4.6.2
	NetShield NetWare - 4.6.3
	NetShield NetWare Engine Update - 4.4.00
	ePO agent for NetWare
	ScanMail eManager - 3.0

	Virex 7.x Installation Instructions
	VirusScan FAQs
	VirusScan Instructions
	Additional Resources

List of Viruses

W32/Bagle.Q@MM (aka W32/Beagle.O@MM)Symantec Last Updated 3/18/04 11:30AM

Several new variants of the W32/bagle@mm email virus are in the wild. W32/Bagle.q@MM, W32/Bagle.r@MM, W32/Bagle.s@MM, and W32/Bagle.t@MM are all mass-mailing HTML email worms. The email contains HTML code that will propagate when the email is opened. The HTML email uses a Microsoft Internet Explorer vulnerability described in security bulletin MS04-004 to download the worm on port 81 without requiring user intervention/action.

Viewing these emails through autopreview or preview pane will cause the HTML code to run.

Disabling these features in MS Outlook or other email clients is recommended.

From :(the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

management@
administration@
staff@
noreply@
support@
antivirus@
antispam@

Subject:

Password: %s
Pass - %s
Password - %s
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document

Body: (Blank)

Attachment: (NO Attachment)

The virus copies itself into Windows system files upon startup.

Example

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.

NAI will be releasing Dat/SuperDat 4340 to detect and remove W32/Bagle.q@MM and variants.

Symantec will release virus definitions 3/24/04 definitions to detect and remove w32.beagle.r@mm and its variants. Definitions will be available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_101108.htm from NAI.

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.r@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support
Register for iForgotMyPassWord

Center for Information Technology
National Institutes of Health
Bethesda, Maryland 20892

Questions or Comments | Disclaimers | Privacy Policy

Health and Human Services
Washington, D.C. 20201

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -