Historical Document - Last Updated Mon Dec 27 15:33:18 2004

Encrypted Virus Warning

2 March 2004

Updated 3 March 2004

There are currently several email viruses in circulation (NetSky, Moodown, Swen, Mydoom, Bagle.A ...). Most will be detected (after a short delay) by antivirus software on the TRIUMF email server and on desktop PCs running McAfee antivirus software.

Recently we saw a new virus, Bagle.J, which cannot easily be detected by antivirus software on the mail server. The following is the text of the message it sends:

Subject: Warning about your e-mail account.
Date: Tue, 02 Mar 2004 15:46:43 -0800
From: staff@triumf.ca
To: you@triumf.ca

Dear  user  of Triumf.ca,

Our  main mailing server will be temporary unavaible  for  next  two days,
to continue receiving  mail  in these days you  have to configure  our free
auto-forwarding service.

Advanced  details can be found  in attached  file.

In order to  read the attach  you have  to  use the following  password: 68551.
Best wishes,
   The Triumf.ca team                               http://www.triumf.ca
    [ Part 2, Application/OCTET-STREAM (Name: "MoreInfo.zip")  17KB. ]

and, for example:
Date: Wed, 03 Mar 2004 10:55:07 -0700
From: support@NSERC.CA
To: ResearchGrantsOfficers@NSERC.CA
Subject: Notify about using the e-mail account.

Dear user of NSERC.CA,

Some of our clients complained about the spam (negative e-mail content)
outgoing  from your e-mail  account.  Probably, you have  been infected by
a  proxy-relay  trojan server. In  order  to  keep your computer safe,
follow the instructions.

Further  details can  be  obtained from attached file.

Best wishes,
   The NSERC.CA  team

The zipfile contains a suspicious-looking executable named "bvchxaqf.exe".

- Some suspect a "virus writing competition" - see www.norman.com

3 March 2004 - we are now blocking 7 email subjects associated with Bagle.J - see w32.beagle.j at Symantec

Antivirus software can unpack a variety of compression and encoding schemes in order to scan for viruses, but it cannot read the contents of an encrypted (password-protected) file, which is why a password-protected zip such as the one above gets past the mail server scanner.
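As an added illustration (not part of the original warning), the following Python check flags the pattern described here from the mail server's side: a subject on the block list, a numeric password quoted in the message body, and a ZIP attachment whose headers carry the encryption flag, so the scanner can read the member names but not the contents. The block list and the sample message are constructed for the example and are not TRIUMF's own filter.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Subjects of the two lures quoted above (constructed list, not TRIUMF's block list)
BLOCKED_SUBJECTS = {"warning about your e-mail account.",
                    "notify about using the e-mail account."}
PASSWORD_RE = re.compile(r"password:?\s*(\d{4,8})", re.I)
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")

def zip_is_encrypted(data):
    """Return (encrypted, member names). Bit 0 of the ZIP general-purpose flag marks
    a password-protected entry: names are readable, contents are not."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return any(i.flag_bits & 0x1 for i in infos), [i.filename for i in infos]

def analyse(raw):
    """Return the Bagle.J-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip().lower() in BLOCKED_SUBJECTS:
        findings.append("blocked-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PASSWORD_RE.search(body.get_content()):
        findings.append("password-in-body")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        encrypted, names = zip_is_encrypted(part.get_payload(decode=True))
        if encrypted:
            findings.append("encrypted-zip")
        if any(n.lower().endswith(EXEC_SUFFIXES) for n in names):
            findings.append("executable-in-zip")
    return findings

def constructed_sample():
    """Harmless look-alike of the lure above: the ZIP only has the encryption
    flag bit set (no real cipher, no real program), password quoted in the body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bvchxaqf.exe", b"placeholder, not an executable")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1  # local file header: flag bit 0
    data[data.find(b"PK\x01\x02") + 8] |= 1  # central directory entry: flag bit 0
    msg = EmailMessage()
    msg["Subject"] = "Warning about your e-mail account."
    msg.set_content("In order to read the attach you have to use the following password: 68551.")
    msg.add_attachment(bytes(data), maintype="application", subtype="octet-stream", filename="MoreInfo.zip")
    return msg.as_bytes()
```

Run analyse() over the constructed sample to see all four indicators; a message with no attachment and an ordinary subject yields an empty list.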

If you are running Microsoft Windows, be extremely careful about opening attachments, even if they appear to come from people you trust. The current crop of viruses relies on getting the user to execute the attachment through "social engineering", as in the examples above.

Please note: recent viruses generally forge the sending address, so the apparent sender is not the real one. Do not reply to them.

Users are in general encouraged to share files by placing them on trshare and mailing a URL, rather than sending attachments.

A.Daviel