'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
Norton's bloodhound module is usually pretty good at detecting unknown viruses. At the very least, I'd hope that it is capable of preventing the application from being run.
And since I know everyone is already readying their "Ah ha! Windows sucks!" posts, remember that running unknown code is NOT a good idea on ANY operating system. The virus doesn't exploit any massive Windows bug. If everyone used Linux instead of Windows, then the virus writers would write viruses for Linux instead!
BTW: two fixes are already available for this virus:
Free, but worth thousands more: FreeBSD, Linux, and more...
Pricey, but worth every penny: Mac OS X
We have moved most of our lab machines from Windows to OS X in the past few months and the time I have spent having to patch, test patches, roll back updates due to problems with Windows has been reduced drastically. I can't mention how successful this migration/switch has been in terms of productivity gains, peace of mind, etc... With OS X, you plug stuff in and it works.
It's true that OS X costs more money than, say, Linux installed on our previous machines, but OS X is a true desktop OS that allows one to keep all of their UNIX apps as well as provides the slickest desktop OS around, allowing for use of popular apps such as Office (yes, Microsoft Office for OS X is actually quite nice, so stop your whining), Photoshop, Filemaker etc... while allowing for our compute intensive work on scientific apps as well.
Visit Jonesblog and say hello.
And the damned thing has run a riot out here..
:-\
:-P
Worse hit were the CA "Etrust" users who couldn't get an update till way after the virus pounded several of our customers.. for some reason CA were about 12-18 hours behind having an update available on the web, even bloody mcCrappy had an update out way before them
On the up side.. it uninstalls itself in a few weeks.. and does bugger all damage because it was written so poorly.. lots of bugs in the backdoor code..
The only thing it does well is self replicate..
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
...to spoof SMTP with. Or it takes addresses from infected users' address books and spoofs with those. There's no other explanation why someone I've never heard of got this email from what appeared to be my address. A Win32 worm is incapable of running on my hardware. PowerPC chips don't take too kindly to Intel machine code.
I mod down pyramid schemes in sigs.
If anyone wants to send anyone inside the company an executable, said person is instructed to rename it to .bin prior to sending.
The .bin file makes it through the scanner and the recipient can save it to his/her local drive, rename it to .exe or .com or .bat or whatever and then run it.
Anyone who cannot follow these simple directions does not receive executable files.
No email viruses have been able to traverse these simple precautions.
It's astonishing that so many people managing email gateways have not yet implemented a systematic bounce of emails containing risky attachments!
/etc/postfix/body_checks
/^(.*)name\=\"(.*)\.(lnk|css|wsh|sct|shs|scf|inf|msi|msp|cab|reg|hta|com|pif|vbs|vbe|js|jse|bat|cmd|vxd|exe|scr|chm)\"$/ REJECT Sorry, your message cannot be delivered successfully, your mail contain a FORBIDEN attachment.
I've enforced this rule on my company's gateway (9000+ mailboxes) for more than 3 years now and we have decreased the number of viruses by more than 95%! (There are only the classical macro viruses and those embedded in .zip, which are then handled by the antivirus.)
This is a very effective security improvement with a very marginal hindrance for users. The very few users who sometimes need to send an executable attachment rename it or ask their sender to rename the attachment.
http://www.transparency.org
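The extension blocklist in the body_checks rule above, together with the ".bin rename" convention from the earlier comment, as an added Python example that is not code from either poster or from Postfix: it parses a MIME message, collects every filename a part declares (Content-Disposition filename= or Content-Type name=, the two places the PCRE rule looks), and returns a REJECT verdict on the same extension list. The sample message it builds is constructed for the demo, and the case-insensitive comparison is an addition of this example; the rule as posted carries no /i flag.

```python
"""Gateway-style attachment-name filter (added example, not the poster's code)."""
import email
import re
from email import policy
from email.message import EmailMessage

# The extension list from the posted body_checks rule, verbatim. Archives such
# as .zip are intentionally absent: the poster leaves those to the antivirus.
BLOCKED_EXTENSIONS = {
    "lnk", "css", "wsh", "sct", "shs", "scf", "inf", "msi", "msp", "cab", "reg",
    "hta", "com", "pif", "vbs", "vbe", "js", "jse", "bat", "cmd", "vxd", "exe",
    "scr", "chm",
}


def attachment_names(msg):
    """Yield every filename a non-multipart part declares. get_filename() reads
    Content-Disposition filename= first and falls back to Content-Type name=."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def risky_extension(filename):
    """Return the blocked extension if the FINAL extension is on the list, else
    None. Only the last extension matters, so 'holiday.jpg.exe' is caught and
    'report.exe.zip' is passed on (to the antivirus, as in the poster's setup).
    Lower-casing is this example's choice; the posted regex is case-sensitive."""
    m = re.search(r"\.([A-Za-z0-9]+)$", filename.strip())
    if not m:
        return None
    ext = m.group(1).lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def check_message(raw):
    """Parse raw RFC 822 text and return (verdict, offending_filenames)."""
    msg = email.message_from_string(raw, policy=policy.default)
    bad = [name for name in attachment_names(msg) if risky_extension(name)]
    return ("REJECT" if bad else "ACCEPT", bad)


def build_sample(filename, payload=b"MZ-constructed-sample-bytes"):
    """Construct a one-attachment test message (constructed data, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("Test =)")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    # photo.exe is bounced; the renamed photo.bin follows the earlier poster's
    # convention and gets through for the recipient to rename locally.
    for name in ("photo.exe", "photo.bin", "README.EXE", "report.exe.zip"):
        print(name, "->", check_message(build_sample(name)))
```

The regex in the body_checks rule anchors on the quoted filename at the end of the header line; this example instead lets the email parser decode the MIME headers (including RFC 2231 encoded filenames), which is the main practical gap of a line-oriented pattern.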
The perl5-porters list has already been hit by this virus, resulting in 200+ messages being posted over a period of two to three hours yesterday. Additionally, it was reported on this list by Elizabeth Mattijsen that the Gnome XML list has similarly been affected.
This has weird effects though - I work in tech support and a few months ago I sent a customer a specialized driver (one you normally have to pay lots of money for) and their email server took all the exe's and dll's out of the zip file. At least that's what he told me.
I ended up having to put this 700K program on a cd and mail it to him.
What terrifies me is that, at least where I work, people would click it anyway. It seems a depressing number of people don't actually read the contents of dialog boxes unless it is completely unexpected - they just automatically click on the button that is normally the positive action.
From the SearchSecurity article:
The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.
Why do the researchers avoid calling it what the author named it?
Granted, the 'bug' is in the user. However Firebird/Thunderbird (for Windows) will not let you run executables directly from the client. They make you save to disk and run it your own damn self. 'Tis not a solution but the extra step would weed out the stupid AND lazy, leaving just the plain stupid to propagate the virii. :)
LilMikey.com... I'll stop doing it when you sto
- Create a shell script in a noexec filesystem. For this example, we'll use /tmp/foo.sh
- Run: '/bin/sh /tmp/foo.sh'
Yup, the shell script, set as 'noexec', has just exec'ed. For more fun, try this:
- Create and compile a C program in a noexec filesystem. For example, /tmp/bar
- Run: '/lib/ld-linux.so.2 /tmp/bar'
- Watch the fun
http://mail.gnu.org/archive/html/bug-glibc/2001-0
I can't say that I don't give a fuck. I've just run out of fuck to give.
What I believe you need is something called an Anti-Replication engine, similar to ViraLock available at SentryBay. These guys claim "Zero Escape for Email Viruses". So even if you get infected the viruses don't spread.
Hell, if every Windowz luser would use this, I guess the world would get rid of viruses.
2c
Sig: I don't have one