Bagle Worm Virus Supposedly from Spamcop

ivarley

Hey all -

Just got a worm in my email that claimed to be from spamcop. The message said:

"From: support[at]spamcop.net

Subject: Warning about your e-mail account.

Message:

Dear user of Spamcop.net,

Your e-mail account has been temporary disabled because of unauthorized access.

For further details see the attach.

Attached file protected with the password for security reasons. Password is 07511.

The Management,

The Spamcop.net team http://www.spamcop.net"

Attached was "Information.zip", which my anti-virus software said was the Bagle worm. (I got a very similar email yesterday from a different sender with a different message, but also with a zip file that turned out to be the Bagle worm.)

Watch out! And Spamcop admins, you may wish to post news about this (or even send an email to all subscribers).

Ian

ivarley[at]spamcop.net


ps - Here are the message headers:

Return-path: <stray.cat[at]verizon.net>
Received: from mac.com (smtpin03-en2 [10.13.10.148])
 by ms14.mac.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with ESMTP id <0HTZ00JA8QI82G[at]ms14.mac.com> for ivarley[at]mac.com; Wed,
 03 Mar 2004 00:06:08 -0800 (PST)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by mac.com (Xserve/smtpin03/MantshX 3.0) with ESMTP id i23867bb025516 for
 <ivarley[at]mac.com>; Wed, 03 Mar 2004 00:06:07 -0800 (PST)
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211)
 by c60.cesmail.net with SMTP; Wed, 03 Mar 2004 03:06:07 -0500
Received: (qmail 24045 invoked by uid 1010); Wed, 03 Mar 2004 08:06:06 +0000
Received: (qmail 24016 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by blade1.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:05 +0000
Received: (qmail 20371 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from c-24-9-106-13.client.comcast.net (HELO DF51Q941) (24.9.106.13)
 by mailgate.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:04 +0000
Date: Wed, 03 Mar 2004 01:06:03 -0700
From: support[at]spamcop.net
Subject: Warning about your e-mail account.
To: ivarley[at]spamcop.net
Message-id: <bricfjnfoofxbftayok[at]spamcop.net>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=--------brasubxcecnsbwhkotls
Delivered-to: spamcop-net-ivarley[at]spamcop.net
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
X-spam-Level:
X-spam-Status: hits=0.3 tests=NO_REAL_NAME version=2.63
X-SpamCop-Checked: 192.168.1.101 24.9.106.13
Original-recipient: rfc822;ivarley[at]mac.com


To add my 2 cents' worth, I received one overnight, but received it as a bounce from the news.spamcop.net server because they used my email address in the Return-Path but an invalid address on the news.spamcop.net server.

Unfortunately, I sent an email off to support and deputies before I thought to check here. Just sent my apologies to both of those addresses.


Perhaps a "bagle" is the most you'll get from SpamCop ... :D

This worm (and many other worms) uses the Windows Address Book associated with Outlook or Outlook Express. It selects one Name from the Address Book as a Sender, and then sends to all the other Names.

So, you got this worm/email from someone who has both your email address and SpamCop's email address in their Address Book. Often, who this is can be determined from the headers - and you can thank them. ;)

Another good reason for not using Outlook or Outlook Express. :rolleyes:
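As an added example (my own code, not from anyone in this thread), here is the header walk that answers the "who sent it" question for the Received: chain Ian posted above: take the hops oldest first and stop at the first one that arrived from a public address, since the 10.x and 192.168.x hops are the receiving sites' own relays and the From: line is forged. On those headers it lands on c-24-9-106-13.client.comcast.net (HELO DF51Q941, 24.9.106.13), a Comcast cable client host announcing itself with a bare machine name.

```python
import ipaddress
import re
# Received: chain of the message posted earlier in this thread ([at] kept as posted).
RAW_HEADERS = """\
Received: from mac.com (smtpin03-en2 [10.13.10.148])
 by ms14.mac.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with ESMTP id <0HTZ00JA8QI82G[at]ms14.mac.com> for ivarley[at]mac.com; Wed,
 03 Mar 2004 00:06:08 -0800 (PST)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by mac.com (Xserve/smtpin03/MantshX 3.0) with ESMTP id i23867bb025516 for
 <ivarley[at]mac.com>; Wed, 03 Mar 2004 00:06:07 -0800 (PST)
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211)
 by c60.cesmail.net with SMTP; Wed, 03 Mar 2004 03:06:07 -0500
Received: (qmail 24045 invoked by uid 1010); Wed, 03 Mar 2004 08:06:06 +0000
Received: (qmail 24016 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by blade1.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:05 +0000
Received: (qmail 20371 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from c-24-9-106-13.client.comcast.net (HELO DF51Q941) (24.9.106.13)
 by mailgate.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:04 +0000
"""
PATTERNS = {"from": r"\bfrom (\S+)", "helo": r"HELO (\S+)\)",  # first dotted quad = source IP
            "by": r"\bby (\S+)", "ip": r"(\d{1,3}(?:\.\d{1,3}){3})"}

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_received(raw):
    """One dict per Received: header, in header order (newest hop first)."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            value = line.split(":", 1)[1]
            hops.append({k: (m.group(1) if (m := re.search(p, value)) else None)
                         for k, p in PATTERNS.items()})
    return hops

def find_origin(raw):
    """Oldest hop from a public address: the host that injected the mail (From: is forged)."""
    for hop in reversed(parse_received(raw)):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop["from"], hop["helo"], hop["ip"]
    return None
```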


Another good reason for not using Outlook or Outlook Express.  :rolleyes:

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge. :o


There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look.

The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer:

.ASP - Application Service Provider
.BAT - Batch Processing (DOS Batch File)
.CMD - WinNT Command File, DOS CP/M Command File
.COM - Command (executable file)
.CPL - Control Panel Extension
.EXE - Executable file
.INS - Internet Communication Setting
.ISP - Internet Communication Settings
.JS - JavaScript Source Code
.JSE - JScript Encoded Script File
.OCX - Object Linking and Embedding (OLE) Control Extension
.PIF - Program Information File
.REG - Registry Data
.SCR - Screen Saver
.SHS - Shell Scrap Object File
.VBE - VBScript Encoded Script File
.VBS - VBScript Script File
.WSC - Windows Script Component
.WSF - Windows Script File
.WSH - Windows Script Host Settings File

Any of the above can also be hidden in a .ZIP file, so a .ZIP extension should be treated with great care/caution.

Practice "safe computing" - and always use a "filter".


There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look.

The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer:

.ASP - Application Service Provider
.BAT - Batch Processing (DOS Batch File)
.CMD - WinNT Command File, DOS CP/M Command File
.COM - Command (executable file)
.CPL - Control Panel Extension
.EXE - Executable file
.INS - Internet Communication Setting
.ISP - Internet Communication Settings
.JS - JavaScript Source Code
.JSE - JScript Encoded Script File
.OCX - Object Linking and Embedding (OLE) Control Extension
.PIF - Program Information File
.REG - Registry Data
.SCR - Screen Saver
.SHS - Shell Scrap Object File
.VBE - VBScript Encoded Script File
.VBS - VBScript Script File
.WSC - Windows Script Component
.WSF - Windows Script File
.WSH - Windows Script Host Settings File

Any of the above can also be hidden in a .ZIP file, so a .ZIP extension should be treated with great care/caution.

Practice "safe computing" - and always use a "filter".

Nice answer!


Merlyn ...

The propagation of most virus/worm email is the result of them using the unencrypted Address Book of Outlook or Outlook Express, so if you use another email program (particularly one with an encrypted Address Book) then you will not be adding to the potential problem. Of course, if you use AV and a Firewall and you never open an attachment, then the use of Outlook or Outlook Express creates no problems, you're right.


Most (if not all) of the recent viruses will search through many different file types looking for email addresses, including the cache files from your web browser or a text or MS Word file. The address does not need to be in the address book any more.


The virus searches drives C: thru Z: looking for e-mail addresses in just about any type of file.... html, txt, eml, etc etc etc. This isn't just an Outlook virus. Unfortunately, I discovered that my "safe" e-mail program (non-std address books saved as encrypted text) isn't as safe as I thought. I also discovered that my "auto-updating" AV software isn't as up-to-date as I'd like it to be. In a network full of non-IT people, those two things combined set off a bad sequence of events today.

:angry:

<rant>

Thanks to a couple of whiney script kiddies who want more media coverage than the "netsky" writer, the bagle/beagle virus and mydoom virus are being updated and released daily with additional insults to each other written into the code.

My users here got a surprise education in viruses and safe computing today. I would have sworn to you last week that I had the greatest users on any network. Being smart and safe is nothing when the AV companies can't keep up with a couple kids.

</rant>


Another good reason for not using Outlook or Outlook Express.  :rolleyes:

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge. :o

...Bravo, Merlyn! :D


There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look.

The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer:

<snip>

Nice answer!

...Indeed, it was! :D

...Note, though, that Windows often (usually? always?) comes with a default setting that hides the display of the extensions, so what may appear to be a file called "innocent-looking.txt" may actually be "innocent-looking.txt.exe" and do lots of damage! <_<
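An added example (not from any poster here) that puts the extension list above and this hidden-extension point into a filter of the kind the thread describes: the last suffix is the one Windows acts on, so "innocent-looking.txt.exe" is reported as a disguised executable, and for a .zip the member names are screened too, which works even on a password-protected archive like the one in this thread because only member contents are encrypted, not their names. The sample archive is constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# The extensions from the list posted above; .ZIP is handled separately as a container.
RISKY = {".asp", ".bat", ".cmd", ".com", ".cpl", ".exe", ".ins", ".isp", ".js", ".jse",
         ".ocx", ".pif", ".reg", ".scr", ".shs", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh"}

def screen_name(name):
    """Classify one attachment filename.
    Only the LAST suffix decides what Windows runs, so 'innocent-looking.txt.exe' is
    an executable; with extensions hidden, Explorer shows just 'innocent-looking.txt',
    so a risky last suffix sitting behind another suffix is reported as 'disguised'."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "ok"
    if suffixes[-1] == ".zip":
        return "zip"
    if suffixes[-1] in RISKY:
        return "disguised" if len(suffixes) > 1 else "executable"
    return "ok"

def screen_attachment(name, data=None):
    """Screen an attachment; for a .zip, also screen every member name inside it.
    Member names are stored in the clear even in a password-protected zip (only the
    file contents are encrypted), so an archive like the one in this thread can be
    screened without knowing the password."""
    verdict = screen_name(name)
    if verdict != "zip" or data is None:
        return {name: verdict}
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return {name: "corrupt-zip"}
    return {name: "zip", **{m: screen_name(m) for m in members}}

def make_sample_zip(members):
    """Constructed sample: an in-memory zip containing placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"constructed placeholder, not a real program")
    return buf.getvalue()
```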


Another good reason for not using Outlook or Outlook Express.  :rolleyes:

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge. :o

...Bravo, Merlyn! :D

True enough ... ;)

But having good software to begin with will provide a good start. :rolleyes:


Another good reason for not using Outlook or Outlook Express.  :rolleyes:

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge. :o

...Bravo, Merlyn! :D

True enough ... ;)

But having good software to begin with will provide a good start. :rolleyes:

...If only I had a choice and did not have to use what my employer insists I use! :(


I don't use Outlook, but I can spot the viruses before they get to my email program. I've got Mailwasher set to flag anything with a .exe, .pif, .zip, etc. extension. Then I view them in the text window. The executable attachments show up as base64 code in addition to the entire file name being visible. The only time I've downloaded one was when I was trying to report this new version of Bagle.I to Norton, and it insists on it being a file on your computer to do so.

This topic is now archived and is closed to further replies.