Another Spoof Email and Phishing Scam report by MillerSmiles.co.uk

WARNING - Spoof Emails with File Attachments containing the Beagle (Bagle) Worm Virus
4th March 2004

please forward any scams you've received to spoof@millersmiles.co.uk

 

Report Summary

Date Reported: March 2004
Apparent Sender: various (see below)
Return Address: various (see below)
Subject: various (see below)
Format: Plain text
Method: N/A - contains a file attachment which bears the Beagle (Bagle) worm virus
Bogus Web Content? No
URL of web content: N/A
RISK LEVEL: HIGH
WARNINGS

1. These spoof emails all contain the latest version of the Beagle (Bagle) worm virus in a file attachment - your system will become infected if you open the attachment

 

WARNING - Vast amounts of Spoof Emails are being distributed with file attachments - these attachments are copies of versions of the Beagle (Bagle) worm virus ...

 

We continue to receive many reports of spoofed emails purporting to be from a variety of online service providers including Yahoo, Earthlink, BT, etc. Each of these emails contains a file attachment which is a copy of the Beagle (Bagle) worm virus, and a system will become infected if the attachment is opened.

We've included some of the emails that have been sent in to us (see below), but you should be aware of the following guidelines for identifying these spoofs...

 

How to identify spoofs containing the latest Beagle (Bagle) Worm Virus

Senders: These emails are spoofed to appear to come from one of the following email addresses at the recipient's domain...

        • management
        • administration
        • staff
        • noreply
        • support

For example, the sender's address may be noreply@yahoo.com if the email purports to be from Yahoo, or support@btinternet.com if it purports to be from BT (see examples below).

 

Subject: This may be any one of the following...

        • E-mail account disabling warning.
        • E-mail account security warning.
        • Email account utilization warning.
        • Important notify about your e-mail account.
        • Notify about using the e-mail account.
        • Notify about your e-mail account utilization.
        • Warning about your e-mail account.

 

Attachments: File attachments are randomly named with one of the following...

        • Attach
        • Information
        • Readme
        • Document
        • Info
        • TextDocument
        • TextFile
        • MoreInfo
        • Message

And the file extension will be one of the following...

        • .pif
        • .zip

Either of these files contains a .exe file, and this is what plants the Beagle (Bagle) worm virus on your system. Although the .zip file may be password protected, the password is provided in the message that accompanies the file. The size of the file attachment is usually between 11k and 13k.

 

Message text:

Introductions; may be any one of the following...

        • Dear user of {domain}
        • Dear user of {domain} gateway e-mail server
        • Dear user of e-mail server {domain}
        • Hello user of {domain} e-mail server
        • Dear user of {domain} mailing system
        • Dear user, the management of {domain} mailing system wants to let you know that,

        {domain} is replaced by the spoofed sender's domain, such as yahoo.com, and normally corresponds to the service the recipient is using.

First paragraph; may be any one of the following...

      • Your e-mail account has been temporary disabled because of unauthorized access.
      • Our main mailing server will be temporary unavaible for next two days,
        to continue receiving mail in these days you have to configure our free
        auto-forwarding service.
      • Your e-mail account will be disabled because of improper using in next
        three days, if you are still wishing to use it, please, resign your
        account information.
      • We warn you about some attacks on your e-mail account. Your computer may
        contain viruses, in order to keep your computer and e-mail account safe,
        please, follow the instructions.
      • Our antivirus software has detected a large ammount of viruses outgoing
        from your email account, you may use our free anti-virus tool to clean up
        your computer software.
      • Some of our clients complained about the spam (negative e-mail content)
        outgoing from your e-mail account. Probably, you have been infected by
        a proxy-relay trojan server. In order to keep your computer safe,
        follow the instructions.

Second Paragraph; may be any one of the following...

      • For more information see the attached file.
      • Further details can be obtained from attached file.
      • Advanced details can be found in attached file.
      • For details see the attach.
      • For details see the attached file.
      • For further details see the attach.
      • Please, read the attach for further details.
      • Pay attention on attached file.

Followed by...

      • The {domain} team

Followed by...

      • The Management,
      • Sincerely,
      • Best wishes,
      • Have a good day,
      • Cheers,
      • Kind regards,

If the file is a .zip, then one of the following lines will be included...

      • For security reasons attached file is password protected. The password is {password}.
      • For security purposes the attached file is password protected. Password is {password}.
      • Attached file protected with the password for security reasons. Password is {password}.
      • In order to read the attach you have to use the following password: {password}.

      {password} is replaced by a random 5-digit number.
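
The guidelines above can be turned into a mail-filter check. The following is an added example, not code from MillerSmiles or any antivirus vendor: it parses a raw message and reports which of the listed indicators it matches. The function names, the example.com sender and the reading of "11k to 13k" as 11-13 KiB are assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator lists copied from the report; matching is case-insensitive.
SENDERS = {"management", "administration", "staff", "noreply", "support"}
SUBJECTS = {"e-mail account disabling warning.", "e-mail account security warning.",
            "email account utilization warning.", "warning about your e-mail account.",
            "important notify about your e-mail account.",
            "notify about using the e-mail account.",
            "notify about your e-mail account utilization."}
NAMES = {"attach", "information", "readme", "document", "info",
         "textdocument", "textfile", "moreinfo", "message"}
# Matches all four password sentences; the number may be quoted, as in the samples.
PASSWORD = re.compile(r'password(?: is)?:?\s+"?\d{5}\b', re.I)

def bagle_indicators(raw):
    """Return which of the report's indicators a raw RFC 822 message matches."""
    msg, hits = message_from_string(raw), set()
    if parseaddr(msg.get("From", ""))[1].partition("@")[0].lower() in SENDERS:
        hits.add("sender")
    # Drop forward/reply prefixes such as the "Fw: " on the BT Internet sample.
    subject = re.sub(r"^\s*((fw|fwd|re):\s*)+", "", msg.get("Subject", ""), flags=re.I)
    if subject.strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        base, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if base in NAMES and ext in ("pif", "zip"):
            hits.add("attachment")
            # Assumption: "11k to 13k" is read as 11-13 KiB of decoded payload.
            if 11 * 1024 <= len(part.get_payload(decode=True) or b"") <= 13 * 1024:
                hits.add("size")
        elif part.get_content_type() == "text/plain":
            if PASSWORD.search(part.get_payload(decode=True).decode("latin-1")):
                hits.add("password")
    return hits

def constructed_sample():
    """Constructed message: the report's wording plus a harmless 12 KiB zero blob."""
    m = EmailMessage()
    m["From"], m["Subject"] = "noreply@example.com", "Fw: E-mail account security warning."
    m.set_content("For details see the attached file.\n\nFor security reasons attached "
                  'file is password protected. The password is "24704".\n')
    m.add_attachment(b"\0" * 12288, maintype="application", subtype="octet-stream",
                     filename="Readme.zip")
    return m.as_string()

if __name__ == "__main__":
    print(sorted(bagle_indicators(constructed_sample())))
```

A sender such as support@ appears on plenty of legitimate mail, so a single hit means little; the attachment name and extension together with the password sentence is the combination worth quarantining on.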

 

Anti virus software vendors have given the Beagle worm virus any one of the following names...

W32.Beagle.K@mm
Win32.Bagle.K
Bagle.K
W32/Bagle.k@MM
W32/Bagle.K.worm
W32/Bagle-K
WORM_BAGLE.K

 

For more information or guidelines on removal after infection, please refer to any of the following antivirus vendors' sites...

        • Symantec
        • Computer Associates
        • F-Secure
        • McAfee
        • Panda
        • Sophos
        • Trend Micro

 

Some examples of the Spoof Email ...

Yahoo..

Subject: Warning about your e-mail account.
From: staff@yahoo.com

Dear user, the management of Yahoo.com mailing system wants to let you know that,

Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

Further details can be obtained from attached file.

In order to read the attach you have to use the following password: 52511.

The Management,
The Yahoo.com team
http://www.yahoo.com

 

BT Internet..

from: noreply@btinternet.com
subject: Fw: E-mail account security warning.

Dear user of Btinternet.com,

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

Further details can be obtained from attached file.

For security reasons attached file is password protected. The password is "24704".

Cheers,
The Btinternet.com team
http://www.btinternet.com

 

Another Yahoo..

Hello user of Yahoo.com e-mail server,

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

For details see the attached file.

For security reasons attached file is password protected. The password is "00227".

Sincerely,
The Yahoo.com team
http://www.yahoo.com

 

Earthlink..

From: management@earthlink.net
Subject: Notify about your e-mail account utilization.

Dear user of Earthlink.net gateway e-mail server,

Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

Advanced details can be found in attached file.

Kind regards,
The Earthlink.net team
http://www.earthlink.net

 
