Rich,

Thanks for the heads up.... we saw these coming through our system
around 2pm onward.  Another variant that was attempted today was to
rename the attachment to XXX.ZIP+, which also caused most server-based
antivirus programs to just pass the file on (since it couldn't open the
ZIP file to scan it.)

I have a third variation of the text messages other than the two you
mentioned.  I've seen a few with the following text inside:

"Dear user  of Msu.edu,

Our  main mailing server will be  temporary unavaible for next two days,
to continue receiving mail in these  days  you have to configure our free
auto-forwarding  service.

For details  see the  attached file.

Attached file protected with the password for security  reasons.
Password is 63781.

Cheers,
   The Msu.edu  team                            http://www.msu.edu"

I expect there may be a few more variants before we're done.  If anyone
comes up with a good script or method for keying off server based AV
systems to stop this one, I for one would love to hear about it.



>>> Rich Wiggins <[log in to unmask]> 3/2/2004 5:56:30 PM >>>
A new variant of the Beagle/Bagle e-mail worm is spreading rapidly.
The message encourages the recipient to download a ZIP attachment, and
provides a password for the end user to type.  If the user follows the
instructions on a Windows computer, the machine may become infected.
At that time, the infected computer opens a TCP port to listen for other
commands, as well as other nasty actions.  Here is Symantec's
description of the worm's effects:

http:[log in to unmask]

Due to the fact that the worm varies its message each time it is
sent, signature-based anti-virus tools are not effective against
it.  This includes desktop anti-virus software as well as the
virus blocker on mail.msu.edu.

At MSU we have seen messages that appear to be from the
Admissions Office as well as from the mail team.  These messages
are bogus but are phrased in a way that is much more sophisticated
than prior attempts.  (The bogus Admissions message encourages new
students to visit a non-MSU Web address to download a ZIP file to
join a real time chat; the bogus mail team message urges people to
unpack an attached ZIP file to get a tool to remove Trojans.)

We strongly caution users to exercise extreme caution when
following instructions purporting to be from official sources.
Unfortunately, today we sent a legitimate message to currently
enrolled students who had not upgraded to Pilot urging them
to upgrade to mail.msu.edu.

If you have any questions please contact the consulting help
desk at 517-432-6200 or [log in to unmask]

-- Rich Wiggins
   Senior Information Technologist
   Academic Computing & Network Services
     (formerly MSU Computer Laboratory)

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI  48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861
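
One way to approach the server-side check asked for in the reply above, as an added example (not part of the original messages and not code from either author): it keys on the ZIP magic bytes and the encryption flag rather than on the filename, so an attachment renamed to XXX.ZIP+ is still examined. The function names, finding labels and the sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSWORD_HINT = re.compile(r"password\s+is\s+\S+", re.I)

def zip_findings(filename, data):
    """Classify one attachment by its content, not by its extension."""
    if not data.startswith(b"PK\x03\x04"):        # ZIP local-file-header magic
        return []
    found = []
    if not filename.lower().endswith(".zip"):     # e.g. renamed to .ZIP+
        found.append("zip-content-under-other-extension")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(i.flag_bits & 0x1 for i in zf.infolist()):  # bit 0: encrypted
                found.append("encrypted-zip")
    except zipfile.BadZipFile:                    # scanner could not open it
        found.append("unreadable-zip")
    return found

def inspect_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        findings += zip_findings(part.get_filename() or "",
                                 part.get_payload(decode=True) or b"")
    # Encrypted archive plus its password in the body is the lure described above.
    if "encrypted-zip" in findings and PASSWORD_HINT.search(text):
        findings.append("password-in-body")
    return findings

def constructed_sample(filename="details.zip+"):
    """Constructed message: a harmless stored ZIP with the encryption bit set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder")
    z = bytearray(buf.getvalue())
    cd = z.index(b"PK\x01\x02")                   # central directory header
    z[6] |= 1                                     # flag bit 0, local header
    z[cd + 8] |= 1                                # flag bit 0, central directory
    m = EmailMessage()
    m.set_content("Attached file protected with the password. Password is 00000.")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename=filename)
    return m.as_bytes()
```

Calling inspect_message(constructed_sample()) returns all three findings; a mail filter could quarantine on "password-in-body" or "unreadable-zip" and log the rest.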