New Virus

Printable View

April 28th, 2004, 02:37 PM
steve.milner

Heads Up - W32/Bagle.aa@MM now in the wild (was New Virus)

Edit: Subject Changed - See below for further details /Edit

Some has opened something they shouldn't..

Mass mailer - With a variety of subjects, including...

Re: Text Message

See attached. (NOTE LIVE VIRUS)

Anyone heard of this...

Steve
April 28th, 2004, 02:45 PM
MrLinus

Talk to TheHorse13. Yesterday in IRC he mentioned Details.cpl being received. A use of strings command on Linux resulted in the attached file.
April 28th, 2004, 02:53 PM
SirDice

Re: New Virus

Quote:

Originally posted here by steve.milner
Mass mailer - With a variety of subjects, including...

Re: Text Message

Sounds like this one.

Edit: Scratch that. Dumped your file and it doesn't even remotely look like W32/NetSky-AB. Will get back soon...
April 28th, 2004, 03:10 PM
steve.milner

It's This : http://us.mcafee.com/virusInfo/defau...virus_k=124875

W32/Bagle.aa@MM

Sigh - Time to use the Beta Dat files & see how it does....

Steve
April 28th, 2004, 03:12 PM
nihil

Hmm

AVG and eTrust EZ armor didn't spot it, and I updated them both today.

From some of the strings it appears to come from 29a, but I havent had a chance to find their website to see if they mention it.

Cheers
April 28th, 2004, 03:14 PM
SirDice

You might wanna search for a file called cplstub.exe in your %windir%. That's the file it drops.
April 28th, 2004, 03:32 PM
steve.milner

Quote:

Originally posted here by MsMittens
Talk to TheHorse13. Yesterday in IRC he mentioned Details.cpl being received. A use of strings command on Linux resulted in the attached file.

Looks very similar to my strings list...

It is confrimed as W32/Bagle.aa@MM!

McAfee beta DAT picks it up, but not their current one (4353)

DAT file 4354, to be released late today or tommorrow will detect it.

So far We've seen no adverse effects with using the beta DAT if anyone else wants to take the risk.

More user education required.

Quote:

You might wanna search for a file called cplstub.exe in your %windir%. That's the file it drops.

Yup, I know, and it opens a port & contacts a number of sites....

<sigh> That'll be my nice spam free email address out in the wild - I just bet you!

Steve
April 28th, 2004, 04:03 PM
thehorse13

After looking over a large sample of e-mails, my little group of e-mails turned out to be a tweaked version of this:

http://www.symantec.com/avcenter/[email protected]
April 28th, 2004, 04:37 PM
Tiger Shark

The updated AntiVir files, (downloaded 5 minutes ago), detects it immediately.
April 28th, 2004, 04:44 PM
steve.milner

Quote:

Originally posted here by Tiger Shark
The updated AntiVir files, (downloaded 5 minutes ago), detects it immediately.

Yeah & they've raised it to medium risk, looks like my phone call to them may have been worthwhile.

Steve