High Risk: New Trojan: Bagle Trojan
MrLinus
January 18th, 2004, 09:19 PM
From Full Disclosure Jan 18, 2004:
This possible worm outbreak warning was received on TH-Research (The
Trojan Horses Research Mailing List) from Moosoft Development
(www.moosoft.com) a few hours ago.
AV and AT firms have had a few hours to update their databases.
Info can be found only on Kaspersky's web page, so far:
http://www.viruslist.com/eng/alert.html?id=783050
Let's hope it is stopped before it can do too much damage!
This email comes as a heads-up and FYI so you can take measures to
stop it.
Gadi Evron
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
Further info:
Subject: More info on blocking the Bagle worm
Since it does not appear on the URL provided (again below, on viruslist,
not the Kaspersky web page, oops, sorry).
From MooSoft (Daniel):
Here is the URL list, all 404 last I checked:
Viruslist has this info on it:
http://www.viruslist.com/eng/alert.html?id=783050
nihil
January 18th, 2004, 09:49 PM
Why don't people wise up?
http://www.diamondcs.com.au
Get Registry Prot....................use it.......it will warn you of attempts to change the Registry...just say "no"
If something INTELLIGENT does not work......try it again and say yes............
And if you think that "something intelligent" is the crap attachment that "Mary in finance" just sent you.....you BOTH deserve to be fired..........maybe I should crusade in that direction..............instant dismissals, loss of pension rights? thrown out of school/college...unemployable?...........a new crime?...."crass stupidity in possession of a computer"?
There is so much good advice given on this site............but no one seems to listen?
Guess I am getting cynical?
Cheers
MrLinus
January 18th, 2004, 09:53 PM
I think we were having this discussion elsewhere. It's called the Microsoft Society/Generation. :)
souleman
January 18th, 2004, 10:02 PM
Why not wise up even more and DON'T OPEN ATTACHMENTS????
You are just asking way too much, nihil.
groovicus
January 18th, 2004, 10:18 PM
He likes to confuse people with common sense :D
EDIT: Thanks Mittens!!
steve.milner
January 19th, 2004, 01:46 PM
Now listed as High Risk
We're seeing lots of this attempting to get through the mail server....
To no avail I might add.
Steve
MrLinus
January 19th, 2004, 01:54 PM
Further information appeared on Full Disclosure this morning:
New information on the worm:
Status of the web pages this worm tries to connect to is still unclear.
Some vendors report it downloading a certain Trojan, but we see no
information on that so far since the web pages status is still unclear,
as mentioned.
Mcafee also reports it listening on port 6777.
The worm tries to connect to the following hacked box: 151.201.0.39.
Finally now all AV products "speak" of this worm.
Response times for detecting/cleaning/webpages updates were not so good.
As I mentioned earlier, Kaspersky and The Cleaner (MooSoft) were the
noticeable exceptions.
Und3ertak3r
January 19th, 2004, 02:19 PM
Ahhhhh pretty picture..oooooooo click here
ooooo faster downloads.mmmmmm click here
eeeek prevent nasty bill gates spying in me.. click here
Wooot.. The screen is flashing I have won something...Click here
Cure that and cure 80% of pc problems.. if *nix platform becomes the dominant Platform.. it too will suffer the same commercial crap.. but the end user and their Blue Haze Glaze, and CBS mentality.. the story will continue.. just the scenery will be different (pse note this is not a Pro M$ comment)
As has been commented.. the weakest link.. the user..
my last 2 virus infections.. my stupidity.. (well my daughter really.. she opened the emails.. but I hadn't updated the AV.. did I.. or was it AVG's fault.. nah my fault.. I know.. that ***** at the news stand, who ran out of PC World Mags that week. yeh all of my recent virus infections are his fault)..
Try this.. Since MSBlaster hit.. every PC sold through our store.. has had the relevant patches installed.. that is until Christmas.. you see I went to sales full time.. suddenly all pc's sold had blaster.. guess whose fault??? ... Boss says Charge the customer, it isn't a hardware fault, or the customer can take it up with the supplier.. .. I make up a brochure and a CD and give it to customers.. Boss removes same from the shop.. if the customer system is infected.. too bad.. they pay the Service section to have it removed.. I tell him where to stick his time clock..
Bottom line .. User stupidity Second.. Retail opportunity is the primary cause..
Oh yes ams MsM.. Thanks for the headsup..
Appreciated..
Cheers (still Dirty) Undies
nihil
January 19th, 2004, 03:12 PM
Und3ertak3r,
Chill out, your boss is a "Richard Cranium Esquire", if you sell something defective, you are in trouble, I think that your boss is living on borrowed time?
Hey, if it gets through to the media that your store is selling stuff that is already infected when it comes out of the box, or even not properly patched? he is in big trouble :D
I do hope he knows how to lose, because he is about to..........big time
It is a bloody irresponsible attitude anyway, I just hope that he does not have a wife and children..it's not their fault.
Good luck mate
Johnno
cgkanchi
January 19th, 2004, 03:28 PM
# 2004-01-19
A new virus definition file is available at the download area.
# 2004-01-18
A new variant of the worm "worm/Bagle.A" is in the wild. A current virus definition file is available at the download area.
H+BEDV AntiVir has released an update as well.
Cheers,
cgkanchi
the_JinX
January 19th, 2004, 03:49 PM
Also Grisoft (http://www.grisoft.cz) (AVG) has an update.. (auto update works too ;))
http://www.grisoft.cz/virbase/virbase.php?qvirus_name=Bagle&action=search&lng=us&type=web
Und3ertak3r
January 20th, 2004, 11:39 AM
BTW: I didn't say earlier .. THANK YOU MsMittens for the information.. It was very timely..
Certainly helped here (well to help customers that is)
Cheers
<edit> Noticed a local news report regarding this worm. Advice to Computer Users..
"Don't open emails ending in .exe"
"don't open emails with attachments"
ho hum.. can't even read the script?.. couldn't read/understand the press release from CA.. (good onya Ten Network Australia.. reaffirmed my opinion of Aussie media)
Maverick811
January 20th, 2004, 10:23 PM
Yes MsMittens, thank you for the heads up. This one is receiving a fair amount of media attention, I've heard a few of the DJs on the radio here at work mention it as well as being the subject of many Internet news sites.
We just caught our first instance of being sent this a few minutes ago - I was a little surprised that it hadn't shown up here yet... Caught and quarantined at the mail server of course :)
cwk9
January 21st, 2004, 07:48 AM
The worm opens port 6777 to listen for commands. The backdoor function allows the attacker to download files and execute commands on the infected computer.
Great another toy for spammers and script kiddies to play with. :(
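As an added defender-side illustration, not part of the thread or of any vendor's tooling: a small Python checker that flags the indicators quoted in this thread (the 151.201.0.39 host the worm connects to, the TCP 6777 backdoor port, and the /1.php path shared by every download URL in the first post) in constructed firewall log lines of an assumed format.

```python
import re

# Indicators quoted in the thread; the log format and sample lines below are constructed.
BAGLE_C2_IP = "151.201.0.39"       # "hacked box" the worm connects to
BAGLE_BACKDOOR_PORT = 6777         # TCP port the backdoor listens on
SECOND_STAGE_PATH = "/1.php"       # path on every second-stage download URL

# Assumed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> [<url>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<url>\S+))?$"
)

def classify(line):
    """Return the list of indicator names one log line matches (empty if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []          # unparseable line: ignore rather than guess
    hits = []
    if m["dst"] == BAGLE_C2_IP:
        hits.append("bagle-c2-ip")
    # Only an inbound TCP connection to 6777 is the backdoor; a UDP source port
    # of 6777 (e.g. a DNS query) is not.
    if m["proto"] == "tcp" and int(m["dport"]) == BAGLE_BACKDOOR_PORT:
        hits.append("bagle-backdoor-port")
    url = m["url"] or ""
    # /1.php is a weak indicator on its own; pair it with the host list in practice.
    if url.lower().endswith(SECOND_STAGE_PATH):
        hits.append("bagle-second-stage-url")
    return hits

def scan(lines):
    """Return {line_number: hits} for every line matching at least one indicator."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings

# Constructed sample log: lines 1-3 should fire, lines 4-5 should not.
SAMPLE_LOG = [
    "2004-01-19T10:01:02 tcp 10.0.0.5:1034 -> 151.201.0.39:80",
    "2004-01-19T10:01:05 tcp 192.0.2.77:3321 -> 10.0.0.5:6777",
    "2004-01-19T10:01:09 tcp 10.0.0.5:1040 -> 198.51.100.8:80 http://www.example.net/1.php",
    "2004-01-19T10:02:00 tcp 10.0.0.6:1050 -> 203.0.113.9:443 https://www.example.com/",
    "2004-01-19T10:02:10 udp 10.0.0.6:6777 -> 10.0.0.1:53",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, ",".join(hits), SAMPLE_LOG[n - 1])
```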
MrLinus
January 21st, 2004, 08:13 PM
Just received on Full Disclosure. Might be of benefit for some here:
Mail from Joe Stewart <jstewart@lurhq.com>
If you can't wait till January 28, Bagle has a remote uninstall command
which can be sent over port 6777, the port also used to upload the
second stage.
For instance, using perl and netcat, you could send the uninstall
command with the one-liner below:
perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
| nc infected_host_IP 6777
When the command bytes above are received by an infected host, the virus
will exit and delete its executable (using a batch script after the
fact). The registry keys are not removed.
-Joe
groovicus
January 22nd, 2004, 12:21 AM
http://msn-cnet.com.com/2100-7349_3-5143726.html?part=msn-cnet&subj=ns_5143726&tag=msn_home
Looks like it's starting to calm down a little bit.
program's blueprint is similar to that of the Sobig virus, which started attacking computers a year ago. Like Sobig, Bagle uses its own home-brewed e-mail program to send messages quickly,
In other words, a copycat. The fact that it has its own e-mail engine is interesting (from a computer forensics standpoint) I didn't know it had that capability...I can hardly wait until they learn to limit the number of packets their malware sends out. Past viri tend to choke themselves before they really get going ( before anybody gets wound up... viri writers are already talking about this, I didn't invent it)