[personal profile] fanf
12:30: I notice lots of odd forged email, which looks like it's a virus but unlike one I've seen before. I save it to a file so I can scan it with a proper virus scanner on another machine. I come up blank. I check http://vil.nai.com/vil/newly-discovered-viruses.asp but none of the descriptions match this virus.

12:50: I send a few copies to NAI's virus reporting address. Almost immediately I get an autoreply saying that they also do not know about this virus. I check my filters, and there appears to be lots of it going through and being zapped on the way because of its executable attachment.

13:50: I get a second reply confirming that this is a new virus, with an extra.dat for detecting it. I test the extra.dat on the file I submitted and it duly detects the virus in each message.

14:00: I install the extra.dat in my email filters and it starts spotting copies almost immediately.

14:30: I send another message to NAI saying that I'm using the extra.dat in anger, and that it appears to be a fast-spreading virus.

14:50: I get a reply thanking me for my feedback and saying that they're keeping a close eye on this threat.

15:20: The threat is upgraded from Low to Medium. So far today we've filtered 4600 infected messages, of which 650 have been Bagle (60% of viruses since 14:00).

15:50: I do a run of my infected host finder. Someone in the University managed to get infected at 15:00.

16:05: 1000 copies now deleted.

17:10: Automated DAT file update gets the official fingerprint from NAI, so the extra.dat is no longer necessary. Still, it has been good for 3 hours and 1800 copies worth of protection.

Date: 2004-02-17 15:43 (UTC)
From: [personal profile] reddragdiva
And as it appears significant, I've just added a Wikipedia entry for it. (look up "Bagle" or "Bagle worm".)

Date: 2004-02-17 16:22 (UTC)
From: [identity profile] oldbloke.livejournal.com
We switched on our "no executable attachments" filename extension list [1] on our mailservers just a few days ago.
Fingers crossed.

[1] The MS-supplied one, despite representations... blocks Access database files but not Word, Excel, or PowerPoint. Bah!
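The "no executable attachments" filter that the post (messages "zapped on the way because of its executable attachment") and the comment above describe, as an added example. This is not fanf's filter, not the MS-supplied extension list, and not code from the original page. The extension blocklist, the constructed sample messages, and the extra content check (rejecting any attachment whose decoded bytes begin with the Windows PE "MZ" header, which goes beyond the filename-only filtering the page discusses) are my assumptions.

```python
"""Added example: an executable-attachment mail filter.

Not the filter from the post above; it illustrates the "no executable
attachments" check that the post and the comments describe. The extension
list, the sample messages and the PE-header content check are assumptions.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed blocklist of Windows-executable extensions (not the MS-supplied list
# the comment above mentions). Office document types are deliberately absent,
# matching the gap that comment points out.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".lnk", ".reg", ".msi", ".mdb",
}


def attachments(msg):
    """Yield (filename, decoded bytes) for each MIME part carrying a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""


def blocked_reason(filename, data):
    """Return why this attachment is rejected, or None if it is allowed."""
    _, ext = os.path.splitext(filename.lower())
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    # Content check (assumption, beyond a pure extension list): a Windows PE
    # executable begins with "MZ" whatever the sender has named it.
    if data[:2] == b"MZ":
        return "PE executable header in attachment named " + repr(filename)
    return None


def filter_message(raw):
    """Parse a raw RFC 5322 message and return (accepted, list_of_reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name, data in attachments(msg):
        reason = blocked_reason(name, data)
        if reason:
            reasons.append(reason)
    return (not reasons, reasons)


def build_sample(filename, data):
    """Construct a one-attachment message (constructed test data, not a capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "postmaster@example.com"
    m["Subject"] = "Hi"
    m.set_content("See the attached file.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: a fake PE stub (MZ header plus padding) named as an
# executable, the same stub renamed to look like a text file, and a benign
# Word-style attachment that an extension list lets through.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "exe": build_sample("photo.exe", FAKE_PE),
    "renamed": build_sample("notes.txt", FAKE_PE),
    "doc": build_sample("report.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        accepted, reasons = filter_message(raw)
        print(label, "accepted" if accepted else "rejected", reasons)
```

The "renamed" sample is the case an extension list alone misses, which is why the content check is there; the "doc" sample shows the other gap the comment raises, since a filename filter says nothing about macros inside Word, Excel or PowerPoint files, and this example does not open archives either.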

Date: 2004-02-17 21:53 (UTC)
From: [identity profile] oldbloke.livejournal.com
Well, 130.88.*.* is us. The 200s are all mission critical stuff. Not sure about the 203s. I'll ask around tomorrow. You might enquire of doctor@mcc.ac.uk - postmaster@ will only walk round to his office and pass any message on.

Date: 2004-02-17 20:51 (UTC)
From: [identity profile] glitterboy1.livejournal.com
Someone in the University managed to get infected at 15:00.

Wasn't me, guv. I think that the recent successes in reducing the frequency of these things have made users complacent. :-(

Thanks for mentioning the extra.dat. We stuck it in later to good effect.

Date: 2004-02-18 09:34 (UTC)
From: [identity profile] oldbloke.livejournal.com
Apparently Sophos call it Tanx-A and we started blocking it about 1pm.
Huzzah!
