Network Services has kindly blocked www.werde.de (126.96.36.199) and will
add TCP port 4751 to the VLAN access list during their next update in
order to stop the worm from being able to communicate on that port.
On Fri, 26 Mar 2004, Stefanie Ploof wrote:
> Network Associates has released a Stinger tool which detects and cleans up
> Beagle.U (as Bagle.u). Available remotely and locally from:
> On Fri, 26 Mar 2004, Stefanie Ploof wrote:
> > Beagle.U/Bagle.u was discovered earlier today (as in, during the night)
> > and has been increased to a medium/level 3 threat this morning due to
> > prevalence.
> > There are currently beta virus definitions which I am installing now on
> > the central virus servers. These definitions will push out to desktop
> > machines with on-campus SAV throughout the morning, but because they're
> > beta defs you will not be able to force on-campus SAV to update via Live
> > Update.
> > There are no stand-alone removal tools to detect/protect against Beagle.U
> > at the desktop level but the UVM email gateway is detecting it.
> > Beagle.U arrives in mail messages containing the following
> > characteristics:
> > From: (spoofed - using one of the harvested email addresses)
> > Subject: (blank)
> > Body: (blank)
> > Attachment: randomly named executable, with a .EXE extension
> > The worm does not mail itself to addresses containing the following:
> > @avp.
> > @microsoft
> > The worm also opens TCP port 4751 and sends information to
> > http://www.werde.de. I have asked Network Services to block outgoing
> > traffic to the URL and to the TCP port if possible.
> > I will update this list when stand-alone tools become available.
> > Questions or problems regarding Beagle.U should be directed to CIT
> > Helpline at [log in to unmask] or 6-2604.
> > Stefanie
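
The message characteristics listed in the advisory above (blank subject, blank body, an attachment with a .EXE extension) can be turned into a simple mail-filter check. The following is an added example, not part of the original messages or of any tool they mention; the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def matches_beagle_u_profile(raw: bytes) -> bool:
    """True when a message has a blank subject, a blank body and a .EXE attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    # A blank subject may be an empty header or a missing one; treat both alike.
    if (msg["Subject"] or "").strip():
        return False
    body, exe_names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Attachment: only the extension is stable, the name is random.
            if name.lower().endswith(".exe"):
                exe_names.append(name)
        elif part.get_content_maintype() == "text":
            body += part.get_content()
    return not body.strip() and bool(exe_names)


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; addresses, names and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@example.edu"
    if subject:  # blank subject is modelled here by omitting the header
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


SAMPLES = {  # constructed inputs, not captured traffic
    "blank mail with .EXE": build_sample("", "", "qwrtzxv.EXE"),
    "normal mail with .exe": build_sample("Installer", "Here it is.", "setup.exe"),
    "blank mail, no attachment": build_sample("", ""),
    "blank mail with .pdf": build_sample("", "", "scan.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {matches_beagle_u_profile(raw)}")
```

Because the From address is spoofed, the check ignores the sender and relies only on the three content traits.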