Bagle.AD - MEDIUM RISK (Secunia/Trend)


#1 harrywaldron
Security Reporter

Posted 05 July 2004 - 07:46 AM

This new variant of Bagle is beginning to spread, with both Trend and Secunia declaring "Medium Risk".

Bagle.AD - MEDIUM RISK (Secunia/Trend)

http://secunia.com/virus_information/10447/
http://vil.nai.com/vil/content/v_126562.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_BAGLE.AD
http://www.sophos.com/virusinfo/analyses/w32baglead.html

To control the spread of this BAGLE variant, TrendLabs has declared a Medium Risk (YELLOW) alert as of July 5, 2004, 2:40 AM (GMT -07:00; Daylight Saving Time).

This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
* Port 1234 (TCP) open on the victim machine

From : (address is spoofed)
Subject :

* Re: Msg reply
* Re: Hello
* Re: Yahoo!
* Re: Thank you!
* Re: Thanks :)
* RE: Text message
* Re: Document
* Incoming message
* Re: Incoming Message
* RE: Incoming Msg
* RE: Message Notify
* Notification
* Changes..
* Update
* Fax Message
* Protected message
* RE: Protected message
* Forum notify
* Site changes
* Re: Hi
* Encrypted document,0

Body Text:

* Various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext, or within an image).

Attachment:

The following filenames are used:
* Information
* Details
* text_document
* Updates
* Readme
* Document
* Info
* Details
* MoreInfo
* Message

using one of the following extensions:

* Script dropper - using one of the following file extensions:
    o HTA
    o VBS

* Executable, using one of the following file extensions:
    o exe
    o scr
    o com
    o cpl

* Executable dropper, CPL file with .CPL file extension.
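A mail-gateway triage check for the traits listed in this post, added here as an example; it is not part of the original post and not any vendor's detection logic. It parses a raw message with Python's email module, matches the subject and attachment base names against the lists above, and flags a password-protected zip (encryption bit in the ZIP local file header) whose password is offered in the body. The sample message and the zip header bytes are constructed for the example and are not a real capture.

```python
import email, os, struct
from email import policy
from email.message import EmailMessage
# Indicator lists transcribed from the post above; matching is case-insensitive.
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "RE: Text message",
    "Re: Document", "Incoming message", "Re: Incoming Message", "RE: Incoming Msg",
    "RE: Message Notify", "Notification", "Changes..", "Update", "Fax Message", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi", "Encrypted document")}
FILENAMES = {"information", "details", "text_document", "updates", "readme",
             "document", "info", "moreinfo", "message"}
DROPPER_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl"}

def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first ZIP local file header means encrypted."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x1)

def bagle_indicators(raw: bytes) -> list[str]:
    """Return which of the post's Bagle.AD traits one raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        ext = ext.lstrip(".").lower()
        if stem.lower() in FILENAMES:
            hits.append("attachment-name")
        if ext in DROPPER_EXTS:
            hits.append("dropper-ext")
        if ext == "zip" and zip_is_encrypted(part.get_payload(decode=True) or b""):
            hits.append("encrypted-zip")
            # The worm puts the archive password in the body, as text or inside an image.
            if "password" in text or has_image:
                hits.append("password-in-body")
    return hits

def constructed_sample() -> bytes:
    # Constructed message, not a real capture; the 30-byte ZIP local header carries only the encryption flag.
    fake_zip = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    msg = EmailMessage()
    msg["Subject"] = "Re: Incoming Message"
    msg.set_content("The password for the archive is 12345")
    msg.add_attachment(fake_zip, maintype="application", subtype="zip", filename="Information.zip")
    return msg.as_bytes()
```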
