Center for Information Technology Antivirus
Virus Alerts

W32/Bagle.ah@mm Last Updated 7/19/04 7:00PM

CIT has been notified of a new email virus called W32/Bagle.ah@mm. This is a mass-mailing worm that harvests email addresses from infected machines. Emails are forged to appear to be sent by an address collected from the infected machine.

From: Spoofed email address

Examples of subject lines are:

  • Password: %s
  • Pass - %s
  • Key - %s
  • Re:
  • foto3
  • fotogalary
  • fotoinfo
  • Lovely animals
  • Animals
  • Predators
  • The snake
  • Screen

Body: Empty

Attachment: Two attachments, possibly a .bmp and one of the following file types: .EXE, .SCR, .COM, .ZIP, .CPL

Examples:

  • foto3.exe
  • foto2.scr
  • foto1.com
  • Secret.zip
  • Doll.cpl
  • Garry.exe
  • Cat.scr
  • Dog.com
  • Fish.zip

The .bmp contains the password needed to open the attachment if it is a password-protected .zip.

The worm also propagates through peer-to-peer networks by way of open directories whose names contain the string "shar".
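The message characteristics listed above can be checked at a mail gateway or during mailbox triage. The following Python sketch is an added example, not code from CIT, McAfee or Symantec; the function names and the sample message are constructed for illustration, and it assumes the "%s" in the subject lines stands for a variable suffix.

```python
from email.message import EmailMessage

# Indicators copied from the alert; "%s" is assumed to be a variable suffix.
SUBJECT_PREFIXES = ("password:", "pass -", "key -")
SUBJECTS = {"re:", "foto3", "fotogalary", "fotoinfo", "lovely animals",
            "animals", "predators", "the snake", "screen"}
RISKY_EXTS = (".exe", ".scr", ".com", ".zip", ".cpl")


def bagle_ah_indicators(msg):
    """Return the names of the alert's indicators that this message matches."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS or subject.startswith(SUBJECT_PREFIXES):
        hits.append("subject")
    names, body = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("ascii", "replace")
    if not body.strip():
        hits.append("empty-body")
    if any(n.endswith(RISKY_EXTS) for n in names):
        hits.append("risky-attachment")
    if len(names) == 2 and any(n.endswith(".bmp") for n in names):
        hits.append("bmp-companion")
    return hits


def constructed_sample():
    """Constructed message shaped like the alert's description (harmless bytes)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["Subject"] = "Password: 12345"
    msg.set_content("\n")
    msg.add_attachment(b"BM", maintype="image", subtype="bmp", filename="key.bmp")
    msg.add_attachment(b"PK", maintype="application", subtype="zip", filename="Secret.zip")
    return msg


if __name__ == "__main__":
    print(bagle_ah_indicators(constructed_sample()))
```

A single indicator such as the subject "Re:" is common in legitimate mail, so the combination of matches is what makes a message worth quarantining for review.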

McAfee (formerly NAI) has released SuperDat 4379 and later to detect and remove W32/Bagle.ah@mm.

Symantec will be releasing definitions dated 4/26/04 and later to detect and remove beagle.w@MM.

For more information:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126795 from McAfee.

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support