New Virus
Results 1 to 10 of 10

Thread: New Virus

  1. #1
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018

    Heads Up - W32/Bagle.aa@MM now in the wild (was New Virus)

    Edit: Subject Changed - See below for further details /Edit

    Some has opened something they shouldn't..

    Mass mailer - With a variety of subjects, including...

    Re: Text Message

    See attached. (NOTE LIVE VIRUS)

    Anyone heard of this...

    Steve

    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Talk to TheHorse13. Yesterday in IRC he mentioned Details.cpl being received. A use of strings command on Linux resulted in the attached file.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: New Virus

    Originally posted here by steve.milner
    Mass mailer - With a variety of subjects, including...

    Re: Text Message
    Sounds like this one.

    Edit: Scratch that. Dumped your file and it doesn't even remotely look like W32/NetSky-AB. Will get back soon...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    It's This : http://us.mcafee.com/virusInfo/defau...virus_k=124875

    W32/Bagle.aa@MM

    Sigh - Time to use the Beta Dat files & see how it does....

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hmm

    AVG and eTrust EZ armor didn't spot it, and I updated them both today.

    From some of the strings it appears to come from 29a, but I havent had a chance to find their website to see if they mention it.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    You might wanna search for a file called cplstub.exe in your %windir%. That's the file it drops.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Originally posted here by MsMittens
    Talk to TheHorse13. Yesterday in IRC he mentioned Details.cpl being received. A use of strings command on Linux resulted in the attached file.
    Looks very similar to my strings list...

    It is confrimed as W32/Bagle.aa@MM!

    McAfee beta DAT picks it up, but not their current one (4353)

    DAT file 4354, to be released late today or tommorrow will detect it.

    So far We've seen no adverse effects with using the beta DAT if anyone else wants to take the risk.

    More user education required.

    You might wanna search for a file called cplstub.exe in your %windir%. That's the file it drops.
    Yup, I know, and it opens a port & contacts a number of sites....

    <sigh> That'll be my nice spam free email address out in the wild - I just bet you!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    After looking over a large sample of e-mails, my little group of e-mails turned out to be a tweaked version of this:

    http://www.symantec.com/avcenter/ven...agle.w@mm.html
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The updated AntiVir files, (downloaded 5 minutes ago), detects it immediately.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Originally posted here by Tiger Shark
    The updated AntiVir files, (downloaded 5 minutes ago), detects it immediately.
    Yeah & they've raised it to medium risk, looks like my phone call to them may have been worthwhile.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides