[Information & Media Technologies]
ANNOUNCEMENT!

Virus Alert: W32/Bagle.j@mm (3/02/04)


Summary: Recipients of the Bagle.j virus will receive a message that appears to come from administrator@uwm.edu, support@uwm.edu, management@uwm.edu or another official-looking e-mail account. The message may warn that your computer is sending out viruses, that your e-mail account is going to be closed, or that the mail server is going to be unavailable. An attachment accompanies the e-mail, posing as a virus clean-up tool or an auto-forwarding utility. If the attachment is opened, your computer will become infected and will continue the spread of the virus to other campus users.

Solution: UWM will never send virus removal tools or other utilities via e-mail attachments. These e-mails are not being sent by UWM, and none of the contents of these messages is accurate. Virus writers will do anything to try to trick you into opening file attachments so that their virus can propagate and they can take control of your computer. Never open e-mail attachments even if they appear to be from a reputable e-mail address or contain information that appears to be legitimate. See below for further virus details and removal information.


Detailed Information:
A new virus appearing to come from "The Uwm.edu team" hit the campus around 3:30 on Tuesday, March 2nd, 2004. This virus has been classified as Bagle.j by Network Associates. As of 4pm on Wednesday, March 3rd, approximately 100 computers have been infected. It is important to note that these e-mails are not originating from UWM.

Bagle.j characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim's machine
  • spoofs the From: address to make it more difficult to determine who is infected
  • may deliver its attachment as a password-protected zip file, with the password given in the message body (a password-protected archive cannot be opened and scanned by mail-gateway antivirus software)
  • contains a remote-access (backdoor) component, and notifies the virus writer that the machine has been infected
  • copies itself into any folder whose name contains the phrase "shar" (for example the shared-file folders of peer-to-peer applications such as KaZaa, BearShare and LimeWire), so that it also spreads through file sharing

The subject of the e-mail will be one of the following:

  • E-mail account security warning.
  • Notify about using the e-mail account.
  • Warning about your e-mail account.
  • Important notify about your e-mail account.
  • Email account utilization warning.
  • Notify about your e-mail account utilization.
  • E-mail account disabling warning.

The body of the e-mail will have a greeting:

  • Dear user of Uwm.edu
  • Dear user of Uwm.edu gateway e-mail server
  • Dear user of e-mail server "Uwm.edu"
  • Hello user of Uwm.edu e-mail server
  • Dear user of "Uwm.edu" mailing system
  • Dear user, the management of Uwm.edu mailing system wants to let you know that

The body of the message will be one of the following:

  • Your e-mail account has been temporary disabled because of unauthorized access.
  • Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  • Our antivirus software has detected a large amount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Here is an example of a possible e-mail that you may receive:

[screenshot of a sample Bagle.j message]
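The indicators listed above (the forged From: accounts, the fixed subject lines, the greetings and body texts, and a zip attachment whose password is quoted in the body) are enough to triage a message mechanically. The following Python script is an added example written for this page; it is not a UWM or McAfee tool. It parses a raw message with the standard library's email module, records which indicators match, and returns a verdict. The two sample messages are constructed for the example, and the attachment file name, the list of risky attachment extensions and the three-hit quarantine threshold are assumptions, not details taken from the alert.

```python
"""Score an e-mail message against the Bagle.j indicators in this alert.

Added example for this page, not UWM's or McAfee's tooling. Both sample
messages below are constructed; the attachment name, the risky-extension
list and the quarantine threshold are assumptions made for the example.
"""
import email
import re
from email.policy import default
from email.utils import parseaddr

LOCAL_DOMAIN = "uwm.edu"

# Official-looking local-parts the worm forges in the From: line (from the alert).
SPOOFED_LOCALPARTS = {"administrator", "support", "management"}

# The worm's fixed subject lines (from the alert), compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "E-mail account security warning.",
    "Notify about using the e-mail account.",
    "Warning about your e-mail account.",
    "Important notify about your e-mail account.",
    "Email account utilization warning.",
    "Notify about your e-mail account utilization.",
    "E-mail account disabling warning.",
)}

# All six greetings in the alert start "Dear user of", "Dear user," or "Hello user of".
GREETING_RE = re.compile(r"^(dear|hello) user(,| of)", re.IGNORECASE | re.MULTILINE)

# Distinctive fragments of the six body texts in the alert.
BODY_PHRASES = (
    "temporary disabled because of unauthorized access",
    "free auto-forwarding service",
    "resign your account information",
    "your computer may contain viruses",
    "free anti-virus tool",
    "proxy-relay trojan server",
)

# Assumption: extensions worth flagging; the alert only mentions the zip case.
RISKY_EXT = (".zip", ".exe", ".pif", ".scr", ".com")


def score_message(raw: str) -> dict:
    """Return {'hits': [indicator, ...], 'verdict': ...} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=default)
    hits = []

    # 1. From: forged to look like an official campus account.
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if domain == LOCAL_DOMAIN and local in SPOOFED_LOCALPARTS:
        hits.append("from:spoofed-admin-account")

    # 2. Subject: one of the worm's fixed subjects.
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject:known")

    # 3. Body: the worm's greeting and one of its body texts.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if GREETING_RE.search(body):
        hits.append("body:greeting")
    if any(p in body.lower() for p in BODY_PHRASES):
        hits.append("body:known-text")

    # 4. Attachment: risky type; a zip plus a password in the body is the worm's trick
    #    for getting the archive past gateway scanners that cannot open it.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append("attachment:" + name.rsplit(".", 1)[-1])
            if name.endswith(".zip") and "password" in body.lower():
                hits.append("attachment:zip-password-in-body")

    # Assumed policy: three or more independent indicators is enough to quarantine.
    verdict = "quarantine" if len(hits) >= 3 else ("suspicious" if hits else "clean")
    return {"hits": hits, "verdict": verdict}


# Constructed sample of a worm message built from the alert's indicators.
SAMPLE_WORM = """\
From: "The Uwm.edu team" <support@uwm.edu>
To: someone@uwm.edu
Subject: E-mail account security warning.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear user of Uwm.edu gateway e-mail server,

Our antivirus software has detected a large amount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean
up your computer software.
For security reasons the attached file is password protected. Password: 12345

The Uwm.edu team
--b1
Content-Type: application/zip; name="cleanup_tool.zip"
Content-Disposition: attachment; filename="cleanup_tool.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample of an ordinary message.
SAMPLE_LEGIT = """\
From: Jane Doe <jdoe@example.org>
To: someone@uwm.edu
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Hi all, lunch is at noon on Friday in the union. See you there.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(raw))
```

A mail filter built on the same idea should treat the attachment check as the strongest signal: subjects and body texts change with every variant, but a zip whose password is handed to the recipient in the body has no legitimate reason to arrive from the campus "administrator".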

This virus also attempts to terminate the processes of antivirus and security programs, which prevents those programs from downloading updated virus definitions. McAfee is among the products whose processes the virus attempts to kill.

More information on Bagle.j is available from:
http://vil.nai.com/vil/content/v_101071.htm
http://www.sarc.com/avcenter/venc/data/w32.beagle.j@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.J
http://www.europe.f-secure.com/v-descs/bagle_j.shtml

Removal and cleanup tools for Bagle.j are available from:
ftp://ftp.uwm.edu/pub/software/Mcafee/removal_tools/bagle.j/

The virus definitions on the mail servers have been updated and are catching many of these viruses. However, virus e-mail sent to users who are not on the new mail servers, and virus e-mail sent to reflectors, will still be delivered.

McAfee has released DAT version 4332 to detect Bagle.j and another new virus. The ePO server and the UWM FTP site have been updated with DAT 4332. Users of the ePO service ( http://www.uwm.edu/IMT/purchase/epo.html ) will receive this update automatically. Other McAfee VirusScan users should ensure that they are updated by clicking on START -> PROGRAMS -> NETWORK ASSOCIATES -> UPDATE VIRUS DEFINITIONS. Alternately, you can download and run the DAT manually from:
ftp://ftp.uwm.edu/pub/software/Mcafee/DAT/

Auxiliary Services has requested that outgoing SMTP (port 25) be blocked in the dormitories because of the number of infections on student computers. This will prevent the virus from e-mailing itself out to other users, since the virus relies on its own SMTP engine to send mail directly. However, it will also prevent genuine messages from being sent by Outlook Express, Netscape, Mozilla, Eudora and other mail clients. Until the virus crisis is resolved, dorm users will need to use PantherMail in order to send e-mail from their dorm rooms.

As always, education is the best tool to prevent the spread of viruses. Please ensure that everyone you know is familiar with the virus prevention tips available from:
http://www.networkassociates.com/us/security/resources/av_tips.htm
http://www.uwm.edu/IMT/purchase/virusprotect.html

Virus writers rely on the carelessness and/or ignorance of users in order to spread their viruses. Virus protection software will NOT catch all viruses, especially new ones. Please do not open any e-mail attachments unless you are expecting an attachment, and know with certainty exactly who the e-mail is from.

It appears that the virus onslaught over the past few weeks has been a "war" of sorts between different factions of virus writers. Interesting articles containing more information can be found at:
http://antivirus.about.com/b/a/069462.htm
http://www.cmpnetasia.com/ViewArt.cfm?Artid=23047&Catid=3&subcat=50


Information & Media Technologies, University of Wisconsin-Milwaukee, PO Box 413, Milwaukee, WI   53201
Administrative Offices: Sabin Hall 390  PHONE: 414-229-4616   FAX: 414-229-4777
Copyright 2004, University of Wisconsin-Milwaukee
This page maintained by: mhostad@uwm.edu

Last Updated: March 3, 2004