W32/Bagle.Q@MM (aka W32/Beagle.O@MM)Symantec Last Updated 3/18/04 11:30AM

Several new variants of the W32/bagle@mm email virus are in the wild. W32/Bagle.q@MM, W32/Bagle.r@MM, W32/Bagle.s@MM, and W32/Bagle.t@MM are all mass-mailing HTML email worms. The email contains HTML code that will propagate when the email is opened. The HTML email uses a Microsoft Internet Explorer vulnerability described in security bulletin MS04-004 to download the worm on port 81 without requiring user intervention/action.

Viewing these emails through autopreview or preview pane will cause the HTML code to run.
Disabling these features in MS Outlook or other email clients is recommended.

From :(the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

• management@
• administration@
• staff@
• noreply@
• support@
• antivirus@
• antispam@

Subject:

• Password: %s
• Pass - %s
• Password - %s
• E-mail account security warning.
• Notify about using the e-mail account.
• Warning about your e-mail account.
• Important notify about your e-mail account.
• Email account utilization warning.
• E-mail technical support message.
• E-mail technical support warning.
• Email report
• Important notify
• Account notify
• E-mail warning
• Notify from e-mail technical support.
• Notify about your e-mail account utilization.
• E-mail account disabling warning.
• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• Re: Incoming Fax
• Hidden message
• Fax Message Received
• Protected message
• RE: Protected message
• Forum notify
• Request response
• Site changes
• Re: Hi
• Encrypted document

Body: (Blank)

Attachment: (NO Attachment)

The virus copies itself into Windows system files upon startup.

Example

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.


NAI will be releasing Dat/SuperDat 4340 to detect and remove W32/Bagle.q@MM and variants.

Symantec will release virus definitions 3/24/04 definitions to detect and remove w32.beagle.r@mm and its variants. Definitions will be available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_101108.htm from NAI.

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.r@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.