03/02/04: W32/Bagle.j@MM Virus Alert

This is a warning about a new virus/worm being spread that appears to come from random faked email addresses such as administration@ucla.edu or noreply@ucla.edu. The virus infects computers with Windows operating systems. Non-Windows operating systems, such as the Macintosh OS, cannot be infected.

This email virus includes an encrypted attachment that requires a user to enter a password provided in the email.

Please do not click on the encrypted attachment and enter the password, as you will become a transmitter of the worm by doing so.

An example of the virus email is provided below:

 
--------------------------------------------------------------------------------
Date: Tue, 02 Mar 2004 17:36:50 -0500
From: administration@ucla.edu
To: consult@ucla.edu
Subject: E-mail account disabling warning.
Parts/Attachments:
   1 Shown    13 lines  Text
   2          12 KB     Application
----------------------------------------

Dear user of Ucla.edu,

Some of  our clients  complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have  been infected by
a proxy-relay trojan server. In  order to keep your computer  safe,
follow the instructions.

For  details see  the  attach.

Attached file protected  with the password for security reasons. Password is
64005.

Best  wishes,
    The Ucla.edu team                              http://www.ucla.edu
--------------------------------------------------------------------------------

You can recognize the worm with the various Subjects and Text listed below.

Subject

• E-mail account security warning.
• Notify about using the e-mail account.
• Warning about your e-mail account.
• Important notify about your e-mail account.
• Email account utilization warning.
• Notify about your e-mail account utilization.
• E-mail account disabling warning.

Body

• Your e-mail account has been temporary disabled because of unauthorized access
• Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
• Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
• We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
• Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
• Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

As a rule, you should never open up attachments that are suspect, expecially those that require you to enter in a password.

For more information about this virus, please see http://vil.nai.com/vil/content/v_101071.htm

You can download a cleaner called Stinger at http://vil.nai.com/vil/stinger/ if you suspect that your computer has been infected.

After you clean the virus off of your computer, we recommend that you download Sophos Antivirus free of charge at http://www.bol.ucla.edu/software/

If you already have Sophos on your computer, please run Remote Update to update your IDE (virus definition) files and the Sophos client on a Windows computer. If you are using Sophos for Macintosh, you will need to update the IDE and client manually. Please refer to the documentation on the Software Central site at: http://www.ats.ucla.edu/software/antivirus/sophos.htm .

If you have any questions, please contact us at (310)825-7452, option 1, or at consult@ucla.edu.