This information can be freely reproduced in any medium, as long as the information is unmodified.
This virus infects only PCs running Windows; Macintosh users and users of other non-Windows operating systems cannot be infected by it. These users may, however, receive plenty of email from it, so its "annoyance factor" is large.
The W32/Bagle.Z@MM variant was discovered 26 April 2004; it forges its From: address and uses a random Subject: line. The email comes in two flavors, one of which is about 54 KB before de-MIMEing, while the other is closer to 184 KB. The end result, after de-MIMEing and perhaps other post-processing, is a file of at least 39 KB, and sometimes longer because the virus appends random junk at the end.
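The size gap between the raw message and the de-MIMEd file, as an added example that is not part of the original write-up. It assumes the attachment travels base64-encoded, as mail attachments normally do, and it runs on a constructed message whose attachment is random bytes; `SIZE_FLOOR`, `build_sample`, `attachment_sizes` and `triage` are names made up for this illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Floor taken from the write-up ("at least 39 KB"); reading KB as 1000 bytes is an assumption.
SIZE_FLOOR = 39_000

def build_sample(payload_len):
    """Constructed message; random bytes stand in for an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(os.urandom(payload_len), maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()

def attachment_sizes(raw):
    """Per attachment: (filename, size as transmitted, size after de-MIMEing)."""
    msg = message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        encoded = len(part.get_payload())             # encoded text as sent
        decoded = len(part.get_payload(decode=True))  # bytes that would reach disk
        rows.append((part.get_filename(), encoded, decoded))
    return rows

def triage(raw):
    """Compare on-the-wire size with decoded sizes. A floor is used, not an exact
    size, because appended junk makes the decoded length vary between copies."""
    rows = attachment_sizes(raw)
    return {
        "message_bytes": len(raw),
        "attachments": rows,
        "at_or_above_floor": [name for name, _, dec in rows if dec >= SIZE_FLOOR],
    }

if __name__ == "__main__":
    # Constructed sizes: bare 39 KB file, same file with junk appended, small file.
    for n in (39 * 1024, 39 * 1024 + 5000, 10_000):
        print(n, triage(build_sample(n)))
```

Base64 alone turns a 39 KB file into roughly 52 KB of text, which is consistent with the 54 KB flavor. Because the trailing junk is random, a whole-file checksum of the decoded attachment will not match from one copy to the next.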
Basically, this is another boring Bagle variant - the 26th one so far. Ho hum; see the URLs below for all the gory details. But for the sake of completeness, here are some of its properties:
I trust it goes without saying that you should never open unsolicited email attachments!
More information about this virus is available in writeups at, e.g., NAI (leaving our site) and F-Secure (leaving our site).
Bagle.Z was included in the VirusScan 4353 drivers released 26 April 2004; these drivers were released in response to Bagle.Z. As soon as they were available, we put them on our email gateway and they should have been propagating to U-M machines since about 17:00 that day.
Easy: disinfect with current, top-quality antivirus software. University folks can get such software here. But I recommend that you do the following first:
There is an excellent tool that handles only a few viruses, but it handles several nasty ones particularly well, including Bagle.Z. It's NAI's free Stinger tool (leaving our site). If you use Stinger, be sure to follow all the instructions they provide -- in particular, if you use WinME or WinXP, disable System Restore. Otherwise, you'll be wasting time and effort. IN ADDITION, I recommend booting in Safe Mode.
Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 89000+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.
One more time: Stinger is for detection and removal only, not protection.
That's up to you; for suggestions, see our What to do with suspicious email document.
Also, for a better understanding of why you may continue to see evidence of Bagle.Z -- or other similar viruses -- long after they are blocked on the email gateway, see our Viruses That Send Email with Forged "From:" Fields document.
The URL for this document is http://www.umich.edu/~virus-busters/bagle-z.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).
-BPB