Help
Posted 30 November 2006 - 08:41 PM
Bagle.QS - New variant emerges after long absence
http://www.sophos.com/security/analyses/w32bagleqs.html
http://www.f-secure.com/weblog/archives/ar...6.html#00001036
Quote
We haven't seen new Bagle attacks in a while. Last one - and even that was an isolated one - was exactly a month ago. But now something's up. Some of the old Bagle update URLs activated tonight, offering a new 188kB executable. This is downloaded and run by machines infected by previous Bagle variants...and it starts to spam out infected attachments with filenames talking about price lists. The spammed emails include a GIF which shows a password needed to decode the ZIPs files.
Quote
FORMAT OF EMAIL MESSAGE:
Subject line chosen from:
* new <date>
* price<date>
* price_ <date>
* price_new <date>
Message text chosen from:
* It Is Protected Passwrd:
* thank you !!! Passwrd:
* New year's discounts Passwrd:
The attached file is named:
* new_price<date>.zip
* price_list<date>.zip
* latest_price<date>.zip
<date> == when email was sent (30-Nov-2006)
Subject line chosen from:
* new <date>
* price<date>
* price_ <date>
* price_new <date>
Message text chosen from:
* It Is Protected Passwrd:
* thank you !!! Passwrd:
* New year's discounts Passwrd:
The attached file is named:
* new_price<date>.zip
* price_list<date>.zip
* latest_price<date>.zip
<date> == when email was sent (30-Nov-2006)
Back to top
