Slashdot Mirror
'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test".
Mandatory computer usage licenses, anyone? ;)
It looks like the writers of the virus DOS'ed themselves (from the aformentioned Yahoo! article):
:)
Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.
Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?
In any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig.
My blog
I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following test.
.wab, .htm, .html, and .txt"
Hi!
This is a test.
(random string of letters)
Testy test.
The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions
It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicous code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.
Also, according to Symantec, it dies on the 28th.
It was really interested to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.
I do find it currious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products.
As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literaly not do work becasue of the porn popups that plagued their computer.
-Trillian
F-Secure detects it, since yesterday. There's a removal tool there too.
Bagle description
... according to Symantec's Security Response (since 1/18/2004).
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
> Then you'd need to "chmod +x
.py, etc) and just go launch the script intepreter when you double-click on the file. This does not require +x access!
This all really depends on how much "Shell Integration" your Unix desktop has.
It's quite possible that a Unix Mailer would look at the file extention (.pl,
KMail was caught launching PE EXE viruses using Wine for example.
In reality, most of these mail viruses have nothing to do with OS security and everything to do with poorly designed mailers and dumb users.
...since yesterday, apparently. Good to see Grisoft keeping AVG up to date.
Oh, and they've got a little blurb on the virus too.
> installing "a program that lets attackers connect to infected machines, install malicious software or steal files."
Doesn't Windows already have to be installed?
Sheesh, evil *and* a jerk. -- Jade
We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some christmas card program that remailed itself to everyone in your address book. Sound familiar?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?
Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?
Je fume. Tu fumes. Nous fûmes!
You could create a priveledged system since NT. Heres a scenario for you, Linux comes preinstalled on every new computer sold and is the dominant OS. Do you think resellers would setup non-root/non-rootlike accounts for the user? It's not like they couldn't do that with 2k or XP. And what about the bagillion possible daemons that the reseller might turn on just to make things even easier for the user? do you think the reseller would educate the buyer on the importance of actually maintining a system or firewalls? *nix (as much as I love it) is not the be all, end all to this little annoyance. Education is. If people were educated on how to actually use their machine, this problem wouldn't exist.
So basically it exploits user stupidity. Thanks for putting it so eloquently :)
I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then will I consider using that software!
:)
Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway
Divide et impera!
Yeah, but how much time do you spend trying to make sure you don't get anything? Searching for viruses on my 2.8GHz SATA 150 through less than 30GB of data on a RAID 0 drive takes HOURS. Then another 5-10 minutes everytime you install a program to make sure it's not kitted with spyware and such crap. Besides even normal users can install stuff in linux (contained to their home directory, only), whereas you cannot in windows, which forces Windows' users to Admin up EVERY time , which GREATLY increases the virus' accessibility. Plus the file structure is alot more accessable to normal users in Windows. Remember, the UNIX backbone has been around WAY before Gates stole DOS from that poor guy. If Windows users didn't have to admin up so much, they would be less inclined to log in as root all the time. I mean, even the "Run as.." function is hidden in windows! you have to hold the Shift key down while right mouse clicking to get it! If they can't figure out how to run as/su without jumping through hoops, of cource they are going to login and run everything as admin. I NEVER run Linux as root, I ALWAYS run windows as admin. It's just too much of a pain in the @ss in windows. Does the world need better PC education, or a better OS? I think we need both.