A new internet virus spreading rapidly throughout the world may be propagating itself through a popular U.S. Department of Education (ED) listserve, posing a potential security risk to thousands of school systems and other education stakeholders who receive eMail transmissions via the department.

The “Bagle” or “Beagle” worm, which originated over the long holiday weekend, provided an unwelcome surprise for some educators who logged into their eMail in-boxes when school resumed Jan. 20.

The virus, which arrives in the form of an eMail with the subject line “hi” and the words “test, yep” in the body of the message, is packaged as an attachment. When the attachment is executed, it unleashes a nefarious worm that sends itself to every eMail address in the user’s address book. CNN.com reported that the worm also has the capability to select a name at random from an infected address book, then spoof that name to dupe trusting recipients into opening the infected attachment.

eSchool News first discovered that ED may be propagating the virus early Tuesday morning when several editors received the bogus transmissions. The messages–more than 10 of which had been received by editors at press time–appeared as if they originated from Kirk Winters, a public information officer for the department who is responsible for sending out “ED News,” a weekly internet newsletter delivered every Monday to thousands of subscribers to ED’s eMail listserve.

Though it’s unclear whether someone at ED actually opened the attachment, thereby permitting the spread of the worm, or whether it simply is spoofing Winters’ eMail address in hopes of fooling unsuspecting educators, a department spokesman said he believes the agency’s virus-detection software neutralized the worm automatically by removing it from infected messages before they reached recipients.

“We’ve checked with our information technology people, and our virus protection apparently stripped the virus from the message,” wrote Public Affairs Specialist Jim Bradshaw in an eMail. “In other words, individuals may have gotten a virus message, but no virus.”

eSchool News was unable to verify Bradshaw’s claim before press time. But Bradshaw added that his department is assessing the situation and will contact its eMail subscribers with any information that may be necessary to keep the worm from spreading.

Fortunately for schools, security experts say the worm–which reportedly affects only machines running the Windows operating system–is far less serious than its two most recent predecessors, SoBig and Blaster, which bogged down and, in some cases, crippled internet servers worldwide last year.

Brian King, an internet security analyst for CERT, part of the Software Engineering Institute at Carnegie Mellon University in Pennsylvania, said computer users so far have reported only minor disruptions.

One reason is that internet security companies acted quickly to update their virus patches to guard against the spread of the worm. Also, the worm only takes effect when a user attempts to run the attached executable file. “It really takes a human to actually click on the attachment in order to spread [the virus],” King said, calling it “pretty basic.”

To avoid being infected with the virus, computer users need only heed the warnings of security experts, King said. That includes implementing a good eMail filtering system and taking care not to open attachments in the form of executable files.

But that’s sometimes easier said than done in schools, where computer users–from students to staff members–often vary widely in their degree of high-tech expertise.

“Because schools have a more diverse user community,” King said, “there is certainly some chance that they may be more susceptible to these kinds of attacks.”

To protect against that possibility, King recommends that schools align their internet filters to block messages containing executable files as attachments, “so that users don’t even have the opportunity to open these kinds of attachments,” he said.

The one real danger of the worm, he added, is that it contains a “back-door” function that enables the intruder, or propagator of the original virus, to track exactly who is executing the attachment–but only when the hacker is actually watching the user logs as the worm progresses.

Though CERT could not say how many users have been infected so far or where the virus originated from, the organization has confirmed that “Bagle” is set to expire Jan. 28.

In the meantime, experts recommend that users conduct virus scans on their machines and perform updates to their security software.
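The attachment filtering King recommends, as an added example that is not from the article, CERT or ED: a Python check that flags messages carrying Windows executables, by file extension and by the MZ file header so that a renamed executable is still caught. The extension list, addresses, attachment names and sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; an assumed, non-exhaustive list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def executable_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment that looks executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().rstrip(".")
        is_attachment = bool(name) or part.get_content_disposition() == "attachment"
        if part.is_multipart() or not is_attachment:
            continue  # containers and the inline message body are not checked
        payload = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE header: a Windows executable whatever the name says.
            findings.append((name or "(unnamed)", "MZ header"))
    return findings


def should_block(raw: bytes) -> bool:
    """Gateway decision: reject the message if any attachment is executable."""
    return bool(executable_attachments(raw))


def build_sample(subject, body, filename, data):
    """Build a constructed test message; none of this is captured traffic."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "teacher@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


STUB = b"MZ" + b"\x00" * 62  # harmless bytes that only carry the MZ signature
LURE = build_sample("hi", "test, yep", "attachment.exe", STUB)
RENAMED = build_sample("schedule", "see attached", "schedule.txt", STUB)
BENIGN = build_sample("newsletter", "This week's news", "news.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("renamed", RENAMED), ("benign", BENIGN)):
        print(label, should_block(raw), executable_attachments(raw))
```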

