The W32/Bagle.J@MM Virus Fills Mailboxes; Forges Its "From:" Field

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 02 March, 2004

This information can be freely reproduced in any medium, as long as the information is unmodified.

This new virus infects only PC computers running Windows; Macintosh users and users of other non-Windows operating systems cannot be infected by it. Those users may, however, receive plenty of email from it, so its "annoyance factor" is large.

  1. The W32/Bagle.J@MM variant was discovered 02 March 2004; it forges its From: address and uses a random Subject: line. The email is about 19 KB before de-MIMEing, and the attachment has a true size of 12 KB. The file contained within the archive -- password protected in the samples we have examined -- is also 12 KB; the file is not compressed.

  2. The email appears to come from one of these addresses:
    • administration
    • management
    • noreply
    • support
    • staff

  3. The Subject: line is one of the following:
    • E-mail account disabling warning.
    • E-mail account security warning.
    • Email account utilization warning.
    • Important notify about your e-mail account.
    • Notify about using the e-mail account
    • Notify about your e-mail account utilization.
    • Warning about your e-mail account.

  4. The attachment is a ZIPped file with one of several names.

  5. The body text contains the password for the ZIPfile, along with text similar to:

    We  warn you about some attacks  on your  e-mail  account. Your  computer  
    may contain viruses,  in order to keep your computer and e-mail account 
    safe, please, follow the instructions.
    
    Pay attention  on attached file.
    
    Attached file protected with the password for security  reasons. Password 
    is xxxxxxxx
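The five indicators above (generic forged sender, fixed Subject: line, ZIP attachment, and a body that hands the reader the archive password) can be checked mechanically at a mail gateway. The following is an added example for this page, not code from the Virus Busters or from NAI; it uses only Python's standard library, builds a constructed sample message in the shape described above (the ZIP it attaches holds an inert text file, not a virus), and the "three of four indicators, one of them the ZIP" threshold is an assumption chosen for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators transcribed from the advisory above.
BAGLE_J_SENDERS = {"administration", "management", "noreply", "support", "staff"}
BAGLE_J_SUBJECTS = {
    "e-mail account disabling warning.",
    "e-mail account security warning.",
    "email account utilization warning.",
    "important notify about your e-mail account.",
    "notify about using the e-mail account",
    "notify about your e-mail account utilization.",
    "warning about your e-mail account.",
}
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def bagle_j_indicators(raw: bytes) -> list:
    """Return the names of the advisory's indicators that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Item 2: the forged From: local-part is one of a few generic names.
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local_part in BAGLE_J_SENDERS:
        hits.append("forged-generic-sender")

    # Item 3: Subject: drawn from a fixed list (compared case-insensitively).
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BAGLE_J_SUBJECTS:
        hits.append("known-subject")

    # Item 4: a ZIP attachment, recognised by file name or declared MIME type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            hits.append("zip-attachment")
            break

    # Item 5: the body tells the reader the password for the attached archive.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if "password" in body and "attached file" in body:
        hits.append("password-in-body")

    return hits


def looks_like_bagle_j(raw: bytes) -> bool:
    """Assumed threshold: the ZIP plus at least two corroborating indicators."""
    hits = bagle_j_indicators(raw)
    return "zip-attachment" in hits and len(hits) >= 3


def _zip_bytes() -> bytes:
    """Constructed, harmless ZIP payload standing in for the worm's archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "inert placeholder file")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message in the shape the advisory describes (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "support@example.edu"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "E-mail account security warning."
    msg.set_content(
        "We warn you about some attacks on your e-mail account.\n"
        "Pay attention on attached file.\n"
        "Attached file protected with the password for security reasons.\n"
        "Password is xxxxxxxx\n"
    )
    msg.add_attachment(_zip_bytes(), maintype="application", subtype="zip",
                       filename="Report.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message: a ZIP from a colleague, no password text."""
    msg = EmailMessage()
    msg["From"] = "alice@example.edu"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Q1 budget spreadsheet"
    msg.set_content("Here is the archive we discussed at the meeting.\n")
    msg.add_attachment(_zip_bytes(), maintype="application", subtype="zip",
                       filename="budget.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("sample :", bagle_j_indicators(build_sample_message()), looks_like_bagle_j(build_sample_message()))
    print("benign :", bagle_j_indicators(build_benign_message()), looks_like_bagle_j(build_benign_message()))
```

The benign message trips only the ZIP check, which is why a single indicator should never quarantine on its own; the password-in-body check is what separates this family from ordinary archive traffic, since legitimate senders rarely hand out an archive password in the same message.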
    
    

I trust it goes without saying that you should never open unsolicited email attachments!

More information about this virus is available at NAI's Bagle.J writeup.

Detection for Bagle.J was included in the VirusScan 4332 drivers, which were released 02 March 2004 in response to this variant. As soon as they were available we put them on our email gateway, and they should have been propagating to U-M machines since about 23:00.

What should you do if:

The URL for this document is http://www.umich.edu/~virus-busters/bagle-j.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages.

   -BPB



Last updated: Monday, 08-Mar-2004 17:14:39 EST.
University of Michigan Virus Busters - virus.busters@umich.edu
