New Beagle Worm More Lethal
The newest version of the W32.Beagle worm is spreading rapidly on the
Internet. It is having much more success than many of its
predecessors due to its unique payloads -- an enticing message, and
its own e-mail server.
"We discovered this worm last night, shortly after its release," said
Craig Peterson, of eSecurityGuy.com. "It is delivered to its intended
victims via an e-mail message which appears to come from the
recipient's Internet Service Provider or Corporate Information
Technology Department. It even encrypts itself into an archive, and
provides the victim with a unique password which can be used to
decrypt it. Most users are unaware of its masquerade, and end up
installing the worm."
Once installed on a system, this worm opens a back door and informs
the attacker of its success and the Internet address of the now
compromised machine. This gives control of the victim's machine not
only to the attacker, but to anyone on the Internet who cares to scan
for compromised machines. "These particular types of back doors
on machines allow thieves to steal information from individuals and
companies, as well as to spread new worms and viruses by using these
compromised machines as special relays," said Peterson.
Many companies are unaware that they face criminal and civil
liability if certain types of confidential information are leaked,
and that is not the only exposure. Craig pointed out that "many
business owners can lose their businesses due to the bad publicity
that an information leak can create. If a customer no longer trusts
your ability to keep their information confidential, some decide to
move on to another provider."
This worm has a very effective method of getting around many
anti-virus e-mail systems -- it has its own e-mail server built in. By
using its own e-mail server to spread to other machines, it is able to
bypass any outbound e-mail filtering provided by the
corporation. "Due to the lack of eSecurity understanding by most
companies, they are unable to adequately protect against this type of
attack. This one worm will cost businesses tens of millions of
dollars."
What to Look For
This worm typically arrives via e-mail or file sharing networks.
E-mails will appear to come from addresses such as management,
administration, staff, support or noreply, and will appear to come
from the intended victim's own domain.
The worm, once installed, will also copy itself to any shared folders
on the victim's machine. It will scan the machine for directories
that contain "shar" in their names, and will use various file names to
hide itself. Any user on the same network who opens one of these
files will be infected.
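The two indicators just described (a generic sender name at the recipient's own domain, and copies dropped into any folder whose name contains "shar") can be checked mechanically. The following Python script is an added example, not code from the article or from eSecurityGuy.com; the sample message, the directory layout and the example.com domain are constructed for the demonstration.

```python
"""Check mail senders against the lure pattern described above and
locate the 'shar' folders the worm copies itself into.
Added example; sample data below is constructed, not a real capture."""
import os
import tempfile
from email import message_from_string
from email.utils import parseaddr

# Local-parts the article says the lure messages appear to come from.
LURE_LOCAL_PARTS = {"management", "administration", "staff", "support", "noreply"}


def is_lure_sender(raw_message: str, recipient_domain: str) -> bool:
    """True when From: uses one of the generic local-parts AND claims the
    recipient's own domain, i.e. it looks like spoofed internal mail."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False
    local, domain = addr.lower().rsplit("@", 1)
    return local in LURE_LOCAL_PARTS and domain == recipient_domain.lower()


def find_share_dirs(root: str) -> list:
    """Return every directory under root whose name contains 'shar'
    (Shared, share, sharing ...), matching the worm's own search rule."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if "shar" in d.lower():
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


# Constructed messages: one resembling the described lure, one ordinary.
SAMPLE_LURE = (
    "From: support@example.com\r\n"
    "To: alice@example.com\r\n"
    "Subject: E-mail account notification\r\n"
    "\r\n"
    "Your account details are in the attached password-protected archive.\r\n"
)
SAMPLE_NORMAL = (
    "From: bob@partner.example.net\r\n"
    "To: alice@example.com\r\n"
    "Subject: Meeting\r\n"
    "\r\n"
    "See you Monday.\r\n"
)


def demo() -> dict:
    """Run both checks on constructed data; returns the results so a
    caller (or test) can inspect them instead of reading stdout."""
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("Documents", "Shared", "My Music", os.path.join("Users", "share")):
            os.makedirs(os.path.join(tmp, d), exist_ok=True)
        share_dirs = [
            os.path.relpath(p, tmp).replace(os.sep, "/") for p in find_share_dirs(tmp)
        ]
    return {
        "lure_flagged": is_lure_sender(SAMPLE_LURE, "example.com"),
        "normal_flagged": is_lure_sender(SAMPLE_NORMAL, "example.com"),
        "share_dirs": share_dirs,
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see both checks on the constructed data. In a real mail gateway the sender check should be combined with a check that the message actually arrived from outside the domain it claims, since the worm's own SMTP engine delivers it from an external address.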
What to Do
Get the latest anti-virus updates. Due to the older technology
employed by most anti-virus software you will need to get a copy of
their latest virus signature files. This is often done automatically
by the software on a periodic basis. You probably want to initiate a
manual update to ensure that you have the latest signatures.
Don't open attachments included with e-mail, even if they appear to be
from someone you respect such as your corporate IT department.
Attachments can be cleverly disguised.
Block TCP port 2745 at your firewall. No traffic should be allowed
into this port, or out from this port. This is the back door that is
used by the attackers.
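Blocking the port is only half the job; the firewall logs should also be reviewed for any flow touching it, because an accepted inbound connection to TCP 2745 means a host was reachable before the rule took effect. The following Python script is an added example, not from the article or any firewall vendor; the log line format and the addresses in it are constructed for the demonstration.

```python
"""Find connections to or from TCP port 2745 in firewall-style logs.
Added example; the log format and sample lines are constructed."""
import re
from typing import Optional

BACKDOOR_PORT = 2745

# Constructed format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <verdict>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<verdict>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def backdoor_flows(log_text: str) -> list:
    """Every TCP flow into or out of the back-door port.
    direction 'to_port'   = traffic into port 2745 (connection attempt)
    direction 'from_port' = traffic leaving port 2745 (a reply or data)"""
    flows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] == BACKDOOR_PORT:
            rec["direction"] = "to_port"
            flows.append(rec)
        elif rec["sport"] == BACKDOOR_PORT:
            rec["direction"] = "from_port"
            flows.append(rec)
    return flows


def exposed_hosts(log_text: str) -> list:
    """Hosts that ACCEPTed an inbound connection on port 2745: these were
    reachable on the back-door port and need to be examined first."""
    return sorted(
        {f["dst"] for f in backdoor_flows(log_text)
         if f["direction"] == "to_port" and f["verdict"] == "ACCEPT"}
    )


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2004-01-19T08:01:02 TCP 203.0.113.7:41522 -> 10.0.0.25:2745 ACCEPT
2004-01-19T08:01:03 TCP 10.0.0.25:2745 -> 203.0.113.7:41522 ACCEPT
2004-01-19T08:02:10 TCP 198.51.100.9:5010 -> 10.0.0.31:2745 DROP
2004-01-19T08:02:11 TCP 10.0.0.12:49201 -> 192.0.2.44:80 ACCEPT
2004-01-19T08:02:12 UDP 10.0.0.12:53001 -> 10.0.0.1:53 ACCEPT
malformed line that should be skipped
"""

if __name__ == "__main__":
    for f in backdoor_flows(SAMPLE_LOG):
        print(f["direction"], f["src"], "->", f["dst"], f["verdict"])
    print("exposed:", exposed_hosts(SAMPLE_LOG))
```

A DROP to port 2745 shows the rule is working but also that someone is scanning for the back door; an ACCEPT names a host to isolate and scan with updated signatures.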
Update to a behavior-based defense system, such as that provided by
Mainstream Security Services, http://www.mainstream.net/
Note that this worm is also known as W32.Beagle.A@mm