Bagle Worm Virus Supposedly from Spamcop

[ivarley]

Hey all -

Just got a worm in my email that claimed to be from spamcop. The message said:

"From: support[at]spamcop.net

Subject: Warning about your e-mail account.

Message:

Dear user of Spamcop.net,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Attached file protected with the password for security reasons. Password is 07511.

The Management,

The Spamcop.net team http://www.spamcop.net

"

Attached was "Information.zip", which my anti-virus software said was the Bagel worm (I got a very similar email yesterday from a different sender with a different message, but also with a zip file that turned out to be the bagel worm.)

Watch out! And Spamcop admins, you may wish to post news about this (or even send an email to all subscribers).

Ian

ivarley[at]spamcop.net

[ivarley]

ps - Here are the message headers:

Return-path: <stray.cat[at]verizon.net>

Received: from mac.com (smtpin03-en2 [10.13.10.148])

by ms14.mac.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))

with ESMTP id <0HTZ00JA8QI82G[at]ms14.mac.com> for ivarley[at]mac.com; Wed,

03 Mar 2004 00:06:08 -0800 (PST)

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])

by mac.com (Xserve/smtpin03/MantshX 3.0) with ESMTP id i23867bb025516 for

<ivarley[at]mac.com>; Wed, 03 Mar 2004 00:06:07 -0800 (PST)

Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211)

by c60.cesmail.net with SMTP; Wed, 03 Mar 2004 03:06:07 -0500

Received: (qmail 24045 invoked by uid 1010); Wed, 03 Mar 2004 08:06:06 +0000

Received: (qmail 24016 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)

by blade1.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:05 +0000

Received: (qmail 20371 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000

Received: from c-24-9-106-13.client.comcast.net (HELO DF51Q941) (24.9.106.13)

by mailgate.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:04 +0000

Date: Wed, 03 Mar 2004 01:06:03 -0700

From: support[at]spamcop.net

Subject: Warning about your e-mail account.

To: ivarley[at]spamcop.net

Message-id: <bricfjnfoofxbftayok[at]spamcop.net>

MIME-version: 1.0

Content-type: multipart/mixed; boundary=--------brasubxcecnsbwhkotls

Delivered-to: spamcop-net-ivarley[at]spamcop.net

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level:

X-spam-Status: hits=0.3 tests=NO_REAL_NAME version=2.63

X-SpamCop-Checked: 192.168.1.101 24.9.106.13

Original-recipient: rfc822;ivarley[at]mac.com

[Wazoo]

this has been covered over in the newsgroups since yesterday ... but don't think anyone's been on here yet to stick a warning anywhere that would jump out at everybody.

[StevenUnderwood]

To add my 2 cents worth, I received one overnight, but received it as a bounce from the news.spamcop.net server because they used my email address in the Return-Path but an invalid address on the news.spamcop.net server.

Unfortunately, I sent an email off to support and deputies before I thought to check here. Just sent my apoligies to both of those addresses.

[turetzsr]

...Attn deputies -- comment? But see next reply from me....

[turetzsr]

...Perhaps SpamCop does not send virus is relevant?

[yourbuddy]

Perhaps a "bagle" is the most you'll get from SpamCop ...

This worm (and many other worms) use the Windows Address Book

associated with Outlook or Outlook Express. It selects one Name from

the Address Book as a Sender, and then sends to all the other Names.

So, you got this worm/email from someone who has both your email

address and SpamCops email address in their Address Book. Often, who

this is can be determined from the headers - and you can thank them.

Another good reason for not using Outlook or Outlook Express.

[turetzsr]

...Okay, now we seem to have an official reply: Pinned: SpamCop is not sending you attachments .

[Merlyn]

Another good reason for not using Outlook or Outlook Express. 

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

[yourbuddy]

There are certain things that you shouldn't do (unless

you have absolute faith in the person sending it to you,

and even then, it could be a forged sending address).

Take great care in opening any of these attachments.

If you have a program that can filter the attachments,

have these put in a separate folder for a closer look.

The following attachments (file extensions) are used

by Viruses, Worms and Backdoor programs, and can

damage or delete files or "take-over" your computer:

.ASP - Application Service Provider

.BAT - Batch Processing (DOS Batch File)

.CMD - WinNT Command File, DOS CP/M Command Filed

.COM - Command (executable file)

.CPL - Control Panel Extension

.EXE - Executable file

.INS - Internet Communication Setting

.ISP - Internet Communication Settings

.JS - java scri_pt Source Code

.JSE - JScript Encoded scri_pt File

.OCX - Object Linking and Embedding (OLE) Control Extension

.PIF - Program Information File

.REG - Registry Data

.SCR - Screen Saver

.SHS - Shell Scrap Object File

.VBE - VBScript Encoded scri_pt File

.VBS - VBScript scri_pt File

.WSC - Windows scri_pt Component

.WSF - Windows scri_pt File

.WSH - Windows scri_pt Host Settings File

Any of the above can also be hidden in a .ZIP file, so a

.ZIP extension should be treated with great care/caution.

Practice "safe computing" - and always use a "filter".

[Merlyn]

There are certain things that you shouldn't do (unless

you have absolute faith in the person sending it to you,

and even then, it could be a forged sending address).

Take great care in opening any of these attachments.

If you have a program that can filter the attachments,

have these put in a separate folder for a closer look.

The following attachments (file extensions) are used

by Viruses, Worms and Backdoor programs, and can

damage or delete files or "take-over" your computer:

.ASP - Application Service Provider

.BAT - Batch Processing (DOS Batch File)

.CMD - WinNT Command File, DOS CP/M Command Filed

.COM - Command (executable file)

.CPL - Control Panel Extension

.EXE - Executable file

.INS - Internet Communication Setting

.ISP - Internet Communication Settings

.JS - java scri_pt Source Code

.JSE - JScript Encoded scri_pt File

.OCX - Object Linking and Embedding (OLE) Control Extension

.PIF - Program Information File

.REG - Registry Data

.SCR - Screen Saver

.SHS - Shell Scrap Object File

.VBE - VBScript Encoded scri_pt File

.VBS - VBScript scri_pt File

.WSC - Windows scri_pt Component

.WSF - Windows scri_pt File

.WSH - Windows scri_pt Host Settings File

Any of the above can also be hidden in a .ZIP file, so a

.ZIP extension should be treated with great care/caution.

Practice "safe computing" - and always use a "filter".

Nice answer!

[yourbuddy]

Merlyn ...

The propagation of most virus/worm email is the result of them using

the unencrypted Address Book of Outlook or Outlook Express, so if you

use another email program (particularly one with an encrypted Address

Book) then you will not be adding to the potential problem. Of course, if

you use AV and a Firewall and you never open an attachment, then the

use of Outlook or Outlook Express creates no problems, you're right.

[StevenUnderwood]

Most (if not all) of the recent viruses will search through many different file types looking for email addresses, including the cache files from your web browser or a text or MS Word file. The address does not need to be in the address book any more.

[yourbuddy]

Yes, correct for recent virus/worm types.

Getting "more" creative, aren't they

[AlphaCentauri]

The Bagle.I's are not just spoofing SpamCop. They get the domain name from your email address and spoof that system's administrators. And my Norton Antivirus couldn't pick it up. Turns out that .zip file really is password protected.

[Bumpkin]

The virus searches drives C: thru Z: looking for e-mail addresses in just about any type of file.... html, txt, eml, etc etc etc. This isn't just an Outlook virus. Unfortunately, I discovered that my "safe" e-mail program (non-std address books saved as encrypted text) isn't as safe as I thought. I also discovered that my "auto-updating" AV software isn't as up-to-date as I'd like it to be. In a network full of non-IT people, those two things combined set off a bad sequence of events today.

:angry:

<rant>

Thanks to a couple of whiney scri_pt kiddies who want more media coverage than the "netsky" writer, the bagle/beagle virus and mydoom virus are being updated and released daily with additional insults to each other written into the code.

My users here got a surprise education in viruses and safe computing today. I would have sworn to you last week that I had the greatest users on any network. Being smart and safe is nothing when the AV companies can't keep up with a couple kids.

</rant>

[turetzsr]

Another good reason for not using Outlook or Outlook Express. 

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

...Bravo, Merlyn!

[turetzsr]

There are certain things that you shouldn't do (unless

you have absolute faith in the person sending it to you,

and even then, it could be a forged sending address).

Take great care in opening any of these attachments.

If you have a program that can filter the attachments,

have these put in a separate folder for a closer look.

The following attachments (file extensions) are used

by Viruses, Worms and Backdoor programs, and can

damage or delete files or "take-over" your computer:

<snip>

Nice answer!

...Indeed, it was!

...Note, though, that Windows often (usually? always?) comes with a default setting that hides the display of the extensions, so what may appear to be a file called "innocent-looking.txt" may actually be "innocent-looking.txt.exe" and do lots of damage!

[yourbuddy]

Another good reason for not using Outlook or Outlook Express. 

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

...Bravo, Merlyn!

True enough ...

But having good software to begin with, will provide a good start.

[turetzsr]

Another good reason for not using Outlook or Outlook Express. 

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

...Bravo, Merlyn!

True enough ...

But having good software to begin with, will provide a good start.

...If only I had a choice and did not have to use what my employer insists I use!

[AlphaCentauri]

I don't use outlook, but I can spot the viruses before they get to my email program. I've got Mailwasher set to flag anything with a .exe, .pif, .zip, etc, extension. Then I view them in the text window. The executable extensions show up as base 64 code in addition to seeing the entire file name. The only time I've downloaded one was when I was trying to report this new version of Bagel.I to Norton, and it insists on it being a file on your computer to do so.