Hi,
Anyone got hit by this new virus yet?
Any in-depth information about it would be greatly appreciated! Do you know what the source code is of the .php files it tries to execute on the websites?
Thanks,
Roach4 :cool:
Hi,
Which AV company calls it that................unfortunately they all use different naming conventions :(
What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?
I do hope that you are not a "naughty person" ;)
cheers
EDIT: This could be terminology...
To me: "source" is the programming language in which it is written
"object" is the result of compiling the source. And remember, even though it is a virus it is someone else's intellectual property until they say different...............it has a prison sentence attached, but it is their property!
Quote:
Originally posted here by nihil
Hi,
Which AV company calls it that................unfortunately they all use different naming conventions :(
What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?
I do hope that you are not a "naughty person" ;)
cheers
Symantec calls it "Alua" and some others call it "Bagle.B" ...
The source code I mean, the code of the php file, I want to know if it is dangerous to visit this link if I'm not infected.
And no, I'm not a "naughty person" :p
Thanks,
Roach4
Sorry mate, just terminology I suppose :)
I do not have it myself yet, but I will ask around.
Thanks I will look at the Norton site.
Hey, when I started with computers there were no VDU screens just 80 column punched cards and "pyjama paper" printouts :D
Cheers
taken from http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Description:
TrendLabs received several reports, initially from France, of this new worm spreading via email. To control the spread of this malware, TrendLabs has declared an alert as of February 17, 2004, 6:46 AM (US Pacific Time).
This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol).
The email message it sends out contains the following details:
Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random>
--
Thank
Attachment: <random>.exe
(Note: %Random% is composed of random letters.)
This malware runs on Windows 95, 98, ME, NT, 2000 and XP.
TrendLabs is currently analyzing this malware and will be providing more information.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
AU.EXE
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE:On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Au.exe = "C:\%System%\au.exe"
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
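The registry step in the write-up above is a manual one. As an added example (not from Trend Micro and not posted by anyone in this thread), the script below does the same check over text: it parses what `reg query` prints for the HKCU Run key and flags any value that launches au.exe, noting whether the path is the %System% location the write-up gives for that Windows family. The sample `reg query` output, the column layout it assumes, and the function names are constructed for this example; on a real machine you would feed it the captured output of the query instead.

```python
import re
from typing import Dict, List

# Indicator quoted from the Trend Micro write-up above: the worm adds a
# Run entry named "Au.exe" pointing at au.exe in the Windows system folder.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MALWARE_IMAGE = "au.exe"

# %System% per OS family, as listed in the write-up.
SYSTEM_DIRS = {
    "win9x": r"C:\Windows\System",
    "winnt": r"C:\WINNT\System32",
    "winxp": r"C:\Windows\System32",
}

# Constructed sample of `reg query <RUN_KEY>` output; not captured from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\Windows\System32\ctfmon.exe
    Au.exe    REG_SZ    "C:\Windows\System32\au.exe"
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /quiet
"""

# One value line: indented name, two-or-more spaces, REG_* type, spaces, data.
_ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Turn reg-query style output into a list of {name, type, data} dicts."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def image_path(command: str) -> str:
    """Executable path of a Run command, without surrounding quotes or arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""


def image_basename(command: str) -> str:
    """Lower-cased file name of the executable a Run command launches."""
    return image_path(command).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_bagle_autostart(text: str, os_family: str = "winxp") -> List[Dict[str, str]]:
    """Flag Run entries that launch au.exe, and record whether the path is the
    %System% location the write-up gives for this OS family."""
    expected = (SYSTEM_DIRS[os_family] + "\\" + MALWARE_IMAGE).lower()
    hits = []
    for entry in parse_run_entries(text):
        if image_basename(entry["data"]) != MALWARE_IMAGE:
            continue
        entry = dict(entry)
        entry["in_system_dir"] = image_path(entry["data"]).lower() == expected
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_bagle_autostart(SAMPLE_REG_QUERY):
        where = "in %System%" if hit["in_system_dir"] else "elsewhere"
        print(f"suspicious Run entry {hit['name']!r} -> {hit['data']} ({where})")
```

Matching on the executable's file name rather than the value name matters here: the write-up says the value is called "Au.exe", but a value renamed to something innocuous that still launches au.exe would be missed by a name-only check.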
Roach4,
This is a mass mailing worm (MMW) it uses e-mails, php?.........websites????????????? I do not believe that you have the name right? or there is a confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious :D
Cheers
Quote:
Originally posted here by nihil
Roach4,
This is a mass mailing worm (MMW) it uses e-mails, php?.........websites????????????? I do not believe that you have the name right? or there is a confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious :D
Cheers
Hi nihil, I think what he is talking about is this part of the virus:
Quote:
Sends an HTTP GET request to the following Web sites on TCP port 80:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
I think what he is getting at is what will happen if he visits one of those sites. I haven't got a lab machine set up right now or I'd go have a look.
Cheers
/edit
You can check out the Symantec write-up here
Here is what i'm talking about:
Symantec (Alua): http://[email protected]
Trendmicro (Bagle.B): http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Bitdefender: http://www.bitdefender.com/bd/site/v..._id=1&v_id=193
...........
Now... the links that are contacted when infected are:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
/edit:
But I checked them from a Linux machine and here are the results:
--12:09:00-- http://www.strato.de/1.php
=> `1.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:00 ERROR 404: Not Found.
--12:09:00-- http://www.strato.de/2.php
=> `2.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
--12:09:01-- http://www.47df.de/wbboard/1.php
=> `1.php'
Resolving www.47df.de... done.
Connecting to www.47df.de[0.0.0.0]:80... failed: Connection refused.
--12:09:01-- http://www.intern.games-ring.de/2.php
=> `2.php'
Resolving www.intern.games-ring.de... done.
Connecting to www.intern.games-ring.de[217.160.214.166]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
Strange dns resolving though... 0.0.0.0 and 192.67.198.33
Anyways,
There you go,
Roach4
Hrm.. on the Symantec Site it says
Quote:
Note: W32.Beagle.B@mm is coded to stop on February 25th, 2004.
I wonder if this will be like Nachi and it's being coded to stop. We are still finding infections of it on the college residence network.
Anyways looks like I'll be adding port 8866 to the list of ports I scan in res.
Peace,
HT
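Roach4 checked the four callback URLs by hand with wget, and HT mentions adding port 8866 to his residence-network scans. As an added example (not posted by anyone in this thread), the script below turns those two indicators into detection logic over logs: it reports which internal clients requested any of the four URLs through a web proxy, which hosts saw inbound TCP connections to port 8866 at the firewall, and the union of the two as a list of machines worth looking at. The proxy and firewall log formats, the sample lines, and the function names are all constructed for this example; adapt the two parsers to whatever your own proxy and firewall actually write.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Network indicators taken from the thread: the URLs the worm requests after
# infection, and the TCP port infected hosts were reported to have open.
BEACON_URLS = {
    "www.strato.de/1.php",
    "www.strato.de/2.php",
    "www.47df.de/wbboard/1.php",
    "www.intern.games-ring.de/2.php",
}
BEACON_PORT = 8866

# Constructed proxy log; assumed format: date time client method url status.
SAMPLE_PROXY_LOG = """\
2004-02-18 12:09:00 10.0.5.17 GET http://www.strato.de/1.php 404
2004-02-18 12:09:00 10.0.5.17 GET http://www.strato.de/2.php 404
2004-02-18 12:09:02 10.0.5.42 GET http://www.example.com/index.html 200
2004-02-18 12:09:03 10.0.5.17 GET http://www.intern.games-ring.de/2.php 404
2004-02-18 12:09:05 10.0.5.99 GET http://WWW.47df.de/wbboard/1.php?x=1 200
"""

# Constructed firewall log; assumed format: date time src:port -> dst:port proto action.
SAMPLE_FW_LOG = """\
2004-02-18 12:10:00 192.0.2.10:4321 -> 10.0.5.17:8866 TCP ACCEPT
2004-02-18 12:10:01 192.0.2.11:4322 -> 10.0.5.42:80 TCP ACCEPT
2004-02-18 12:10:02 192.0.2.12:4323 -> 10.0.5.99:8866 TCP DROP
"""

_FW_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)"
)


def normalize_url(url: str) -> str:
    """host/path form used by BEACON_URLS: scheme, host case, port and query dropped,
    so a request logged as http://WWW.strato.de/1.php?x=1 still matches."""
    p = urlparse(url)
    return (p.hostname or "") + p.path


def find_beacon_clients(log_text: str) -> Dict[str, List[str]]:
    """Map each client that requested a beacon URL to the (normalised) URLs it hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "GET":
            continue
        client, url = parts[2], parts[4]
        key = normalize_url(url)
        if key in BEACON_URLS:
            hits[client].add(key)
    return {client: sorted(urls) for client, urls in hits.items()}


def find_port_connections(log_text: str, port: int = BEACON_PORT) -> List[Tuple[str, str]]:
    """(destination host, firewall action) pairs for TCP connections to the given port."""
    found = set()
    for line in log_text.splitlines():
        m = _FW_RE.search(line)
        if m and m.group("proto") == "TCP" and int(m.group("dport")) == port:
            found.add((m.group("dst"), m.group("action")))
    return sorted(found)


def suspected_infections(proxy_log: str, fw_log: str) -> List[str]:
    """Hosts that either fetched a beacon URL or accepted a connection on the beacon port."""
    hosts = set(find_beacon_clients(proxy_log))
    hosts.update(dst for dst, action in find_port_connections(fw_log) if action == "ACCEPT")
    return sorted(hosts)


if __name__ == "__main__":
    for client, urls in find_beacon_clients(SAMPLE_PROXY_LOG).items():
        print(f"{client} requested {', '.join(urls)}")
    for dst, action in find_port_connections(SAMPLE_FW_LOG):
        print(f"{dst}: TCP {BEACON_PORT} {action}")
    print("check these hosts:", suspected_infections(SAMPLE_PROXY_LOG, SAMPLE_FW_LOG))
```

The proxy match ignores the response status on purpose: Roach4's wget run shows the servers already answering 404, and an infected client makes the request whether or not the file is still there, so the request itself is the signal.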
I received a copy this morning and several of our users have received a copy today. It sounds like it is getting a little more widespread.
Roach4.. Would have helped if you had posted those links in your first post.. would have saved some unneeded chatter..
All we need is a remake of Magistr or another Bugbear.. just to confuse our users no end..
cheers
Many thanks djm...............GAME ON!!!!
I will have a go at them and see what happens.
Now I am in difficulties.................it has been a while.......and I am rusty, no, I am rust!!!
Monsieur Roach4, excuse me please...........you are French (Canadian) perhaps?
Awww, hell, here I go.......get back to you on another labrat if I get killed......proposed methodology:
1. Update all defences
2. Access site
If I get anything I will try it on an undefended box and see what it tries to do? then have a look at that?
You have about 10 minutes to instruct me otherwise or suggest variations....I will be doing the updates :D
Cheers
Hey Hey,
Has anyone heard of any variants of the virus? A helpdesk employee has had two phone calls from people in his address book. It has a matching subject ID: <random> and an attached exe. However it's not from a spoofed address, it's from the address he uses with Outlook and he doesn't have port 8866 open on his PC. Norton is scanning the machine right now (today's def. updates), however so far it has found nothing. I just thought it was interesting that it had half the criteria, but not the other half.
Tyler
Monsieur,
You will get page not found.....................I am afraid that we are too late :)
And I visited a certain favourite of mine in Australia, and loaded the full broadside :D
I really must buy a copy I suppose?
cheers