I was just looking through my bulk-mail folder, and I saw a single message with an attachment. I thought it was odd, so I looked at the subject, which read: "Hi"

Now this struck a cord with what I had just read, no more than 2 days ago, probably, about a new virus spreading around like mad. So I opened it up, and here's the text of the message:

If this isn't the Bagel virus, I don't know what is. Anyway, there's an attachment left in the message, which I havn't opened yet. I was wondering, is there any way I could open this sucker up in Linux, see what makes it tick, etc? It'd be interesting, from an educational standpoint, as to why firewalls and virus-checkers don't pick these things up all the time.

I would save it to a floppy. Mount the floppy & then view the file / attachment with a viewer... but i dont know how sophisicated viri are now!!

could you send me a copy of that virus at hotmail.
i will appreciate for it.
i want to look it up myself.

Sent. However, I don't know if the attachment got forwarded. I'd be very careful about posting your email address like that. I would've done something like linux886 <at> hotmail <dot> com or something along those lines. If the attachment didn't get forwarded, I'll send it from my Linux box.

I would attach the file here, but I'm afraid of the repercussions.

what file xtn is it?

If you guys want the email, I'll send it to you. But you have to email me first. Plus, you have to promise HERE that you won't do anything malicious with it. I don't want the FCC or anyone pounding on my door anytime soon.

My email: r_jensen11 <at> yahoo <dot> com

Huh, I had that come in about 2 weeks ago on the ezmlm list, and promptly deleted it.

--Ian

Just a quick question:

what programs, if any, can be used to view the coding of the program?

Okay, NOW I'm pissed off. Yahoo won't let me download it. I'm going to try to see if I can bypass their anti-virus somehow. Wish me luck!

Could you forward it to me as well please?

virus-analysis@thymox.uklinux.net

Cheecky email address, eh?

I too, would like to see what makes it tick I will not release it excipt on I quaerntined windows 98 box. (I want to se what it does) thank you joey.dale@elkenserver.net

-Joey

Sorry guys, but Yahoo won't let me download it, forward it, or reply with it still as an attachment.

Followup:

I think I might've found a backdoor through Yahoo's whole anti-virus check. I simply took the arguement out of the URL for the anti-virus when I copied the URL to download the file. The filesize is 15872(bytes?). At least, that's the number that registered under the filesize when I ran ls -co

If you guys want the file, I might be able to throw off the anti-virus checkers if I tarball it.

Okay, after looking at "bagel" I've come up with some conclusions:
1.a) It's funny. It says that it cannot be run in DOS mode.

1.b) It should be called "beagle", not "bagel". Whenever it references to opening files(other than [%%random%%]) it refers to a file named "beagle.exe"

2) It appears that it doesn't affect Windows 95 systems. It modifies Windows systems by changing the regestry. Here's the string:
If you guys want to look at it, email me, and I can try to arrange something. But remember, promise you won't do anything malicious with it!

Can it be run in wine?