Hi,
Anyone got hit by this new virus yet?
Any deep information about it would be greatly appreciated! Do you know the source code of the .php files it tries to execute on the websites?
Thanks,
Roach4 :cool:
Hi,
Which AV company calls it that................unfortunately they all use different naming conventions :(
What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?
I do hope that you are not a "naughty person" ;)
cheers
EDIT: This could be terminology...
To me: "source" is the programming language in which it is written
"object" is the result of compiling the source. And remember, even though it is a virus it is someone else's intellectual property until they say different...............it has a prison sentence attached, but it is their property!
Quote:
Originally posted here by nihil
Hi,
Which AV company calls it that................unfortunately they all use different naming conventions :(
What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?
I do hope that you are not a "naughty person" ;)
cheers
Symantec calls it "Alua" and some others call it "Bagle.B" ...
By source code I mean the code of the PHP file; I want to know if it is dangerous to visit this link if I'm not infected.
And no, I'm not a "naughty person" :p
Thanks,
Roach4
Sorry mate, just terminology I suppose :)
I do not have it myself yet, but I will ask around.
Thanks I will look at the Norton site.
Hey, when I started with computers there were no VDU screens just 80 column punched cards and "pyjama paper" printouts :D
Cheers
taken from http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Description:
TrendLabs received several reports, initially from France, of this new worm spreading via email. To control the spread of this malware, TrendLabs has declared an alert as of February 17, 2004, 6:46 AM (US Pacific Time).
This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol).
The email message it sends out contains the following details:
Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random>
--
Thank
Attachment: <random>.exe
(Note: %Random% is composed of random letters.)
This malware runs on Windows 95, 98, ME, NT, 2000 and XP.
TrendLabs is currently analyzing this malware and will be providing more information.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
AU.EXE
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Au.exe = "C:\%System%\au.exe"
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
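The Trend Micro text above gives the worm's mail indicators (subject, body and attachment shape). As an added example for this thread, not Trend Micro's or the poster's code, here is a small Python filter that parses a message and reports which of those indicators fire. It assumes the "random" placeholders are runs of ASCII letters of any length, and the two sample messages are constructed in memory, not real captures.

```python
"""Match an e-mail against the Bagle.B indicators quoted from the Trend Micro
description: subject "ID <random letters> ... thanks", body "Yours ID <random>",
"--", "Thank", attachment <random>.exe.
Added example for this thread, not Trend Micro's or the poster's code.
Assumption: the "random" placeholders are runs of ASCII letters of any length;
a production filter would also look at the From address and the attachment bytes."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator patterns transcribed from the write-up (the regexes are my reading of it).
SUBJECT_RE = re.compile(r"\AID [A-Za-z]+ \.\.\. thanks\Z")
BODY_RE = re.compile(r"\AYours ID [A-Za-z]+\n--\nThank\Z")
ATTACH_RE = re.compile(r"\A[A-Za-z]+\.exe\Z", re.IGNORECASE)


def indicators(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which indicators fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    body = body.replace("\r\n", "\n").strip()

    exe_names = [
        name
        for name in (part.get_filename() for part in msg.iter_attachments())
        if name and ATTACH_RE.match(name)
    ]

    hits = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "body": bool(BODY_RE.match(body)),
        "exe_attachment": bool(exe_names),
    }
    fired = sum(hits.values())
    hits["verdict"] = "match" if fired == 3 else "partial" if fired else "clean"
    return hits


def build_sample(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message in memory (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "qvtxl@example.com"   # spoofed-looking sender, constructed
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary.
SAMPLE_WORM = build_sample("ID qwxzpt ... thanks", "Yours ID qwxzpt\n--\nThank",
                           "bxkz.exe", b"MZ\x90\x00")
SAMPLE_BENIGN = build_sample("Re: meeting", "See you at 10.",
                             "agenda.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, indicators(raw))
```

The verdict is only "match" when all three indicators line up; a subject hit alone is reported as "partial" so a mail admin can decide how aggressive to be with partial matches.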
Roach4,
This is a mass mailing worm (MMW) it uses e-mails, php?.........websites????????????? I do not believe that you have the name right, or there is confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious :D
Cheers
Hi nihil, I think what he is talking about is this part of the virus:
Quote:
Originally posted here by nihil
Roach4,
This is a mass mailing worm (MMW) it uses e-mails, php?.........websites????????????? I do not believe that you have the name right? or there is a confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious :D
Cheers
I think what he is getting at is what will happen if he visits one of those sites. I haven't got a lab machine set up right now or I'd go have a look.
Quote:
Sends an HTTP GET request to the following Web sites on TCP port 80:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
Cheers:
/edit
You can check out the Symantec write up here
Here is what i'm talking about:
Symantec (Alua): http://[email protected]
Trendmicro (Bagle.B): http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Bitdefender: http://www.bitdefender.com/bd/site/v..._id=1&v_id=193
...........
Now... the links that are contacted when infected are:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
/edit:
But I checked them from a linux machine and here are the results:
--12:09:00-- http://www.strato.de/1.php
=> `1.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:00 ERROR 404: Not Found.
--12:09:00-- http://www.strato.de/2.php
=> `2.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
--12:09:01-- http://www.47df.de/wbboard/1.php
=> `1.php'
Resolving www.47df.de... done.
Connecting to www.47df.de[0.0.0.0]:80... failed: Connection refused.
--12:09:01-- http://www.intern.games-ring.de/2.php
=> `2.php'
Resolving www.intern.games-ring.de... done.
Connecting to www.intern.games-ring.de[217.160.214.166]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
Strange DNS resolving though... 0.0.0.0 and 192.67.198.33
Anyways,
There you go,
Roach4
Hrm.. on the Symantec Site it says:
Quote:
Note: W32.Beagle.B@mm is coded to stop on February 25th, 2004.
I wonder if this will be like Nachi and it's being coded to stop. We are still finding infections of it on the college residence network.
Anyways, looks like I'll be adding port 8866 to the list of ports I scan in res.
Peace,
HT
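HT's post mentions adding port 8866 to the ports he scans on the residence network. As an added example, not HT's tooling, here is a Python connect scanner for a single port across a host list. It assumes that a completed TCP handshake on the port is a host worth a closer look (nothing is sent on the connection), the CIDR helper stands in for whatever host list you actually scan, and demo() uses loopback sockets with ports it chooses itself so it runs offline.

```python
"""Connect-scan a network for one TCP port, here the 8866 that HT says he is
adding to his residence-network scans.  Added example for this thread, not
HT's tooling.  Assumptions: a completed TCP handshake on the port marks a host
worth a closer look (nothing is sent on the connection); demo() uses loopback
sockets and ports it picks itself, so the run is offline and constructed."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

PORT_FROM_THREAD = 8866  # the port named in HT's post


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Full TCP connect; 'open' on handshake, 'closed' on RST, 'filtered' otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host unreachable, no route
        return "filtered"


def hosts_in(cidr: str) -> list:
    """Expand a network such as '10.20.0.0/24' into its usable host addresses."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def scan(hosts, port: int = PORT_FROM_THREAD, workers: int = 64,
         timeout: float = 0.5) -> dict:
    """Probe every host concurrently; return only the hosts that answered 'open'."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda h: probe(h, port, timeout), hosts))
    return {h: s for h, s in zip(hosts, states) if s == "open"}


def demo() -> dict:
    """Offline check: a loopback listener plays an infected host, a port we just
    released plays a clean one (constructed setup, no real network involved)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here any more

    try:
        return {
            "listening": probe("127.0.0.1", open_port),
            "released": probe("127.0.0.1", closed_port),
            "scan_hits": scan(["127.0.0.1"], port=open_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
    # Real use (network needed): scan(hosts_in("10.20.0.0/24"))
```

A connect scan is noisy and completes the handshake, which is fine on a network you administer; on a residence network the interesting output is the "open" list, which is why scan() drops the closed and filtered hosts.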
I received a copy this morning and several of our users have received a copy today. It sounds like it is getting a little more widespread.