Security Alert: Beagle.AG virus

Security Alert: Update on Beagle.AG e-mail virus; attachments no longer blocked (07/22/04)

The e-mail virus that was widely seen at Cornell on Mon., July 19, has been identified as W32.Beagle.AG@mm. Initially, neither PureMessage (the anti-virus filters on the mail system) nor Symantec AntiVirus could protect against it, so CIT blocked delivery of a broad range of e-mail attachments to keep the virus from spreading. (See list at http://www.cit.cornell.edu/computer/security/alerts/19july04.html )

PureMessage and Symantec AntiVirus can now detect W32.Beagle.AG@mm, so CIT has lifted the block. The central mail system is again accepting and delivering e-mail messages with attachments of any type.

If you tried to send attachments before the block was lifted, you may have noticed a Eudora dialog box saying your message couldn't be delivered because of a virus infection. This does not necessarily mean that the attachments you were trying to send had a virus. CIT is working to change the wording so it will be easier to understand when a system-wide block is in effect as a defense against viruses.

What to watch for:

W32.Beagle.AG@mm is contained in an e-mail attachment. The e-mail typically has no subject line and just a short message of one or two words. There are many variations in the name of the attachment and the short message body.

Do not open the attached file. If launched, W32.Beagle.AG@mm will infect the computer and mail itself to any e-mail addresses it finds on the computer.

For a detailed description of this worm, see Symantec's information.

How to avoid it:

Update your Symantec AntiVirus software and perform a complete system scan. If you are on a departmental network, please contact your local technical support providers with any questions about updating or scanning your system.

W32.Beagle.AG@mm is detected by Symantec AntiVirus software that has been updated to the July 19, 2004, virus definition file, or a newer file.To update, run Symantec AntiVirus and choose Live Update. Or download the file via Bear Access (Virus Protection folder) or from Symantec's download site.

Cornell University has signed a site license with Symantec to provide Symantec AntiVirus (SAV) to the entire campus community. The license allows SAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.

Also see general information about viruses that are spread by e-mail.

How to get rid of it:

Symantec has provided instructions for removing this worm. Symantec's virus removal tool (linked on that page) can also be downloaded locally -- see Standalone Virus Removal Tools and click on Beagle.../AG.

If you are on a departmental network, please contact your local technical support providers with any questions about detecting and removing infections.

Otherwise, if you need additional assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.

You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page

Last modified: June 04, 2007