

Stop W32/Bagle@MM Mass Mailing Worm before it hits GroupWise
GroupWise Cool Solutions Article
by The Messaging Architects

Posted: 21 Jan 2004

::: The Messaging Architects Security Alert :::

=========================================================
Stop W32/Bagle@MM Mass Mailing Worm before it hits GroupWise
=========================================================

What is W32/Bagle@MM and how does it affect me? For those of you being hit by the Bagle worm, you can easily defend your GroupWise servers using GWGuardian+AV. If you do not currently own GWGuardian+AV, you can download a fully functional trial copy at: http://www.messagingarchitects.com/gwguardianee/?CID=1089.

This is a mass-mailing worm with a remote access (backdoor) component. The worm arrives in an e-mail message with the following characteristics:

Subject: Hi

Body:
Test =)
{random characters}
--
Test, yep.

Attachment: {random_filename.EXE}, 15,872 bytes (example: frjujs.exe)

When a user launches the attachment, it first runs the Windows Calculator (calc.exe) to mask the infection. It then checks the system date: if the date is January 28, 2004 or later, the worm simply exits and does not propagate. Otherwise it copies itself to the Windows SYSTEM directory as bbeagle.exe and creates a registry entry so that it is loaded at every system startup. The worm then searches files with .wab, .txt, .htm, and .html extensions on the hard disk (and on documents reachable over the attached network) for e-mail addresses and mass-mails itself to every address it finds. It also picks the message's From: address from the same harvested list, so the apparent sender is not the infected machine and bounce messages go to an uninvolved third party.

The worm also listens on TCP port 6777 for remote connections (the backdoor component), and attempts to request a script on a number of remote web servers to report that the infected host is available. According to McAfee, the script is not present on any of the servers referenced in the worm, so that notification fails.

For details on the worm visit: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965

HOW TO AVOID INFECTION IN THE FUTURE

Messaging Architects recommends the use of email firewall software, such as GWGuardian+AV which can block all programs, whether infected or not, in order to enforce safe computing practices.

[Update Virus Scanners]
If you have not already protected against W32/Bagle@MM, we strongly recommend that you update all installations of your corporate anti-virus solution. If you are running GWGuardian+AV, which includes the McAfee engine, make sure automatic updates are enabled.

Update your corporate anti-virus software now so that you can detect and prevent the W32/Bagle@MM worm. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again.

[Protocol Filtering]
While W32/Bagle@MM has been gaining significant ground in the wild, it can also be easily defeated with GWGuardian in several ways. First, add a protocol filter that rejects messages whose subject line is exactly "Hi". GWGuardian's protocol filter analyzes the message header content and rejects suspicious messages before they are accepted by GWIA, so the worm never reaches the post office. Note that a subject filter this short will also reject legitimate mail with the subject "Hi"; match the whole subject rather than a substring (so "Hi there" is not caught), and treat the filter as a short-term measure to be removed once signatures are current.

[Attachment Blocks]
Another method is a simple yet effective attachment block: configure GWGuardian to block any message containing a *.EXE attachment. W32/Bagle@MM uses a different random file name in every message, but it always uses this extension, so the block catches every variant of the message regardless of its name or subject.
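The message characteristics and the two filter rules above can be checked outside the gateway as well, for example when triaging mail already sitting in a mailbox or in GWIA's input queue. The following script is an added example and is not GWGuardian code: it applies the subject rule, the *.EXE attachment rule and the full Bagle indicator set (subject "Hi", the fixed body lines, a 15,872-byte .EXE) to a raw RFC 822 message using only the Python standard library. The sample messages are constructed; the attachment is a zero-filled blob of the right length, not a real executable.

```python
"""Triage raw e-mail for the W32/Bagle@MM indicators listed in the advisory.

Added example, not GWGuardian code.  The three rules mirror the advisory:
  protocol_filter  - subject is exactly "Hi" (header rule; also hits benign
                     mail with that subject, hence the false-positive caveat)
  attachment_block - any *.EXE attachment, infected or not (policy rule)
  bagle_signature  - subject + fixed body lines + 15,872-byte .EXE together
"""
import email
import email.policy
import os
from email.message import EmailMessage
from typing import List, Optional

BAGLE_SUBJECT = "Hi"
BAGLE_BODY_LINES = ("Test =)", "--", "Test, yep.")  # body lines quoted in the advisory
BAGLE_EXE_SIZE = 15872                               # attachment size quoted in the advisory


def exe_attachments(msg: EmailMessage):
    """Yield (filename, decoded payload) for every *.EXE attachment in msg."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() == ".exe":
            yield name, part.get_payload(decode=True) or b""


def body_text(msg: EmailMessage) -> str:
    """Return the text/plain body, or "" if the message has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def classify(raw: bytes) -> List[str]:
    """Return the names of the rules the raw message trips, in rule order."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []

    # Rule 1: header-only protocol filter.  Exact match on the whole subject,
    # so "Hi there" or "Hi, invoice attached" is not rejected.
    subject_hit = (msg.get("Subject") or "").strip() == BAGLE_SUBJECT
    if subject_hit:
        hits.append("protocol_filter")

    # Rule 2: attachment block on the extension, independent of the file name.
    exes = list(exe_attachments(msg))
    if exes:
        hits.append("attachment_block")

    # Rule 3: the full indicator set.  The body has a random line between
    # "Test =)" and "--", so each marker is matched as a whole line rather
    # than the body being compared verbatim.
    lines = [ln.strip() for ln in body_text(msg).splitlines() if ln.strip()]
    body_hit = all(marker in lines for marker in BAGLE_BODY_LINES)
    size_hit = any(len(payload) == BAGLE_EXE_SIZE for _, payload in exes)
    if subject_hit and body_hit and size_hit:
        hits.append("bagle_signature")
    return hits


def build_sample(subject: str, body: str, exe_size: Optional[int]) -> bytes:
    """Construct a test message; exe_size=None means no attachment.

    Addresses and the attachment name are made up for the example.
    """
    msg = EmailMessage()
    msg["From"] = "harvested@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if exe_size is not None:
        # Placeholder bytes of the requested length, not a real PE file.
        msg.add_attachment(b"MZ" + b"\0" * (exe_size - 2),
                           maintype="application", subtype="octet-stream",
                           filename="frjujs.exe")
    return msg.as_bytes()


# Constructed samples: the worm message as described, a benign "Hi" message,
# and an unrelated message that merely carries an .EXE.
WORM_SAMPLE = build_sample("Hi", "Test =)\nkqzvpd\n--\nTest, yep.\n", BAGLE_EXE_SIZE)
BENIGN_HI = build_sample("Hi", "Are we still on for lunch?\n", None)
OTHER_EXE = build_sample("Q1 report", "Attached.\n", 4096)

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign Hi", BENIGN_HI), ("other exe", OTHER_EXE)):
        print(f"{label:10s} -> {classify(sample)}")
```

The benign "Hi" message trips only the protocol filter, which is exactly the false positive the subject rule accepts in exchange for stopping the worm at the GWIA boundary; the unrelated message is stopped by the attachment block alone. Only the worm sample trips all three, which is the verdict you would want before purging messages from a post office.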

Whether you are running GroupWise 5.5, 6.0 or 6.5, or even Notes, Exchange or NetMail, GWGuardian will prevent W32/Bagle@MM from ever reaching your mail server.

GWGuardian also includes many more features, including 14 layers of anti-spam and anti-virus protection. To find out why so many enterprises and government organizations chose GWGuardian, and to download a trial version, please visit us at: http://www.messagingarchitects.com/gwguardianee

HOW DO I REMOVE W32/BAGLE@MM?

For those who are already infected, here is an easy way to clear the W32/Bagle@MM messages out of the GroupWise post office. The following Novell TIDs describe how to purge infected messages from your PO using the GWCheck item purge feature. Although these TIDs were written for removing Code Red, the same steps apply to W32/Bagle@MM: use the subject line and attachment characteristics listed above as the purge criteria. Purging the PO removes the copies still waiting to be opened; infected workstations still need to be cleaned separately (see the removal tool below).

GroupWise 6.0 / 6.5:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10060266.htm

GroupWise 5.5:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10052696.htm

McAfee Removal Tool
You can also use McAfee's Stinger removal tool, which has been updated to include detection and removal of this threat: http://vil.nai.com/vil/stinger/

Document Title: Stop W32/Bagle@MM Mass Mailing Worm before it hits GroupWise
Creation Date: January 19, 2004
Modified Date: January 20, 2004
GWTools Product Class: GWGuardian (all versions)

Security Response Team
The Messaging Architects
http://www.messagingarchitects.com