Computer Virus Alert

Dear Trend Micro customer,

As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00),
TrendLabs has declared a Medium Risk Virus Alert to control the spread
of WORM_BAGLE.AZ. TrendLabs has received several infection reports
indicating that this malware is spreading in the US, China, and Japan.

This WORM_BAGLE variant arrives on a system as an email attachment. It
sends copies of itself to all email addresses it gathers from files
with certain extensions but skips those addresses that contain particular
strings.

===============================
Users must be wary of the emails it sends that have the following
details:

Subject: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Message body: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Attachments: (any of the following file names)
guupd02.exe
Jol03.exe
siupd02.exe
upd02.exe
viupd02.exe
wsd01.exe
zupd02.exe

(with any of the following extensions)
COM
CPL
EXE
SCR

The email is spoofed and may appear to have come from a familiar email
address. As a general rule, users should avoid opening the attachments
of unsolicited email.

This worm drops a copy of itself using the following file names into
the Windows system folder:

sysformat.exe
sysformat.exeopen
sysformat.exeopenopen

It also looks for folders that have the string shar then drops copies
of itself using file names with EXE extensions into those folders.

In addition, this worm terminates several processes, most of which are
related to antivirus and security programs.

TrendLabs has uploaded the following:

TMCM Outbreak Prevention Policy 140
Official Pattern Release 2.375.00
Damage Cleanup Template 495

For more information on WORM_BAGLE.AZ, you can visit our Web site at:

Contact av_query@support.trendmicro.com for inquiries and to report
infections in your region.
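
An added example, not part of the original post or of Trend Micro's alert: a Python check that parses a raw mail message and reports which of the alert's subject and attachment indicators it carries. It assumes the attachment list means any listed base name combined with any listed extension; `check_message` and `build_sample` are hypothetical names, and the sample messages are constructed with placeholder bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Indicators copied from the alert text above; matching is case-insensitive.
SUBJECTS = {s.lower() for s in (
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
    "Thanks for use of our software.", "Before use read the help")}
STEMS = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}


def check_message(raw: bytes) -> list:
    """Return the alert indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # The alert says the sender is spoofed, so From is deliberately ignored.
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    # walk() visits nested MIME parts too; parts without a file name are skipped.
    for part in msg.walk():
        name = PureWindowsPath((part.get_filename() or "").lower())
        if name.stem in STEMS and name.suffix in EXTENSIONS:
            hits.append("attachment:" + name.name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(subject)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("Delivery by mail", "Jol03.cpl")))
    print(check_message(build_sample("Lunch on Friday", "menu.pdf")))
```

A subject-only hit is weak evidence, since the listed subjects are ordinary phrases; an attachment hit is the stronger signal for quarantine.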

Thanks for the heads up Amar!

I had one of these arrive in my inbox; it made it past Norton AV, so do be careful.

–James

I don’t understand it.

Thanks for the tip, Amar. (Why don’t you change the title to something like, “Computer Virus Alert …” so people will know it’s important.)

I went to Symantec’s website, and it appears that this virus is now in their current virus definitions, so I did a live update.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.html

Again, thanks for the tip.

Best wishes,
Jerry

Thanks for the warning. I never open this stuff but now I have a reason to be careful.

I got two emails with this virus this morning so watch out, all! (Don’t worry, I did not open them).

Justine

Nothing in Canada yet. I’ll keep you posted. :wink:

But, those worms sound really deadly… playing with your system files, etc. :boggle: