Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bagle.CZ - New variant uses CPL extension


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:39 PM

Posted 12 September 2005 - 03:57 PM

Bagle.CZ - New variant uses CPL extension

This new variant was massively spammed via email and while the downloader component doesn't appear to be working, this new variant can deactivate existing AV or FW software installed on the PC. The CPL extensions are typically found inside of a zipped archieve

McAfee information on this massively spammed variant
http://vil.nai.com/vil/content/v_129588.htm

Trend information
http://secunia.com/virus_information/21411/trojbagle.cz/

Sophos information
http://www.sophos.com/virusinfo/analyses/trojdropperbc.html

ISC information
http://isc.sans.org/diary.php?storyid=665

Multiple new variants of this threat were recently mass spammed.  Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc

The variants seen thus far are non functional, and deemed a low risk.  The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%.  The corrupt file is detected as W32/Bagle.dam.  Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants.  This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.



BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users