Thread: Virus Alert: Alua! (Bagle.B)

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    11

    New virus: Alua! (Bagle.B)

    Hi,

    Anyone got hit by this new virus yet?

    Any in-depth information about it would be greatly appreciated! Do you know what the source code is of the .php files it tries to execute on the websites?

    Thanks,

    Roach4

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Which AV company calls it that................unfortunately they all use different naming conventions

    What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?

    I do hope that you are not a "naughty person"

    cheers

    EDIT: This could be terminology...

    To me: "source" is the programming language in which it is written
    "object" is the result of compiling the source. And remember, even though it is a virus it is someone else's intellectual property until they say different...............it has a prison sentence attached, but it is their property!


  3. #3
    Junior Member
    Join Date
    Jan 2004
    Posts
    11
    Originally posted here by nihil
    Hi,

    Which AV company calls it that................unfortunately they all use different naming conventions

    What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?

    I do hope that you are not a "naughty person"

    cheers

    Symantec calls it "Alua" and some others call it "Bagle.B" ...

    By "source code" I mean the code of the PHP file; I want to know if it is dangerous to visit this link if I'm not infected.

    And no, I'm not a "naughty person".

    Thanks,

    Roach4

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Sorry mate, just terminology I suppose

    I do not have it myself yet, but I will ask around.

    Thanks I will look at the Norton site.

    Hey, when I started with computers there were no VDU screens just 80 column punched cards and "pyjama paper" printouts

    Cheers

  5. #5
    taken from http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B


    Description:

    TrendLabs received several reports, initially from France, of this new worm spreading via email. To control the spread of this malware, TrendLabs has declared an alert as of February 17, 2004, 6:46 AM (US Pacific Time).

    This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol).

    The email message it sends out contains the following details:

    Subject: ID %random% ... thanks
    From: <random letters>@<spoofed domain>
    Message body:
    Yours ID <random>
    --
    Thank
    Attachment: <random>.exe

    (Note: %random% is composed of random letters.)

    This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

    TrendLabs is currently analyzing this malware and will be providing more information.

    Solution:

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    1. Open Windows Task Manager.
       On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
       On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
    2. In the list of running programs*, locate the process: AU.EXE
    3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. Do the same for all detected malware files in the list of running processes.
    5. To check if the malware process has been terminated, close Task Manager, and then open it again.
    6. Close Task Manager.

    *NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    1. Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
    2. In the left panel, double-click the following: HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    3. In the right panel, locate and delete the entry: Au.exe = "C:\%System%\au.exe"
       Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
    4. Close Registry Editor.

    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
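
    An added example, not Trend Micro's or any poster's code: a mail-gateway check that flags messages matching the lure described in the write-up above (subject "ID <random> ... thanks", body "Yours ID <random>" / "--" / "Thank", and a <random>.exe attachment). The From header is spoofed by the worm, so it is not used as an indicator. The sample messages, sender and recipient addresses are constructed for the demo.

```python
"""Mail-gateway check for the Bagle.B lure described in the Trend Micro write-up.

Added example, not Trend Micro's or the forum's code.  It looks only for the
three indicators the write-up lists; the sample messages built by
build_sample() are constructed test data, not real worm samples.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject: "ID %random% ... thanks", where %random% is letters only.
SUBJECT_RE = re.compile(r"^ID\s+[A-Za-z]+\s*\.\.\.\s*thanks$", re.IGNORECASE)
# Body: "Yours ID <random>", a line of "--", then "Thank".
BODY_RE = re.compile(r"Yours ID\s+\S+\s*\r?\n\s*--\s*\r?\n\s*Thank\b", re.IGNORECASE)


def indicators(raw: bytes) -> list:
    """Return the names of the Bagle.B indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg["subject"] or "").strip()):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body")
    # Attachment names come from Content-Disposition; the worm uses <random>.exe.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(n.lower().endswith(".exe") for n in names):
        hits.append("exe-attachment")
    return hits


def is_bagle_b_lure(raw: bytes) -> bool:
    """Quarantine rule: an .exe attachment plus either the subject or the body pattern."""
    hits = indicators(raw)
    return "exe-attachment" in hits and ("subject" in hits or "body" in hits)


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message (constructed sample data, not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "qwerty@example.com"   # assumed address; the worm spoofs this header
    msg["To"] = "victim@example.net"     # assumed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x00\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("ID qwerty ... thanks", "Yours ID qwerty\n--\nThank\n", "abcd.exe")
    clean = build_sample("Meeting notes", "See attached.\n", "notes.pdf")
    print(indicators(lure), is_bagle_b_lure(lure))    # ['subject', 'body', 'exe-attachment'] True
    print(indicators(clean), is_bagle_b_lure(clean))  # [] False
```

    The rule requires the executable attachment plus one text indicator, so a legitimate message that happens to contain "Yours ID ..." is not quarantined on the body pattern alone.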

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Roach4,

    This is a mass-mailing worm (MMW); it uses e-mails. PHP?.........websites????????????? I do not believe that you have the name right, or there is confusion in naming between the AVs?

    Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious

    Cheers

  7. #7
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by nihil
    Roach4,

    This is a mass-mailing worm (MMW); it uses e-mails. PHP?.........websites????????????? I do not believe that you have the name right, or there is confusion in naming between the AVs?

    Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious

    Cheers
    Hi nihil, I think what he is talking about is this part of the virus:

    Sends an HTTP GET request to the following Web sites on TCP port 80:

    www.strato.de/1.php
    www.strato.de/2.php
    www.47df.de/wbboard/1.php
    www.intern.games-ring.de/2.php
    I think what he is getting at is what will happen if he visits one of those sites. I haven't got a lab machine set up right now or I'd go have a look.

    Cheers:

    /edit
    You can check out the Symantec write up here
    DjM

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    11
    Here is what i'm talking about:

    Symantec (Alua): http://securityresponse.symantec.com...2.alua@mm.html

    Trendmicro (Bagle.B): http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B

    Bitdefender: http://www.bitdefender.com/bd/site/v..._id=1&v_id=193


    ...........


    Now... the links that are contacted when infected are:

    www.strato.de/1.php
    www.strato.de/2.php
    www.47df.de/wbboard/1.php
    www.intern.games-ring.de/2.php


    /edit:

    But I checked them from a Linux machine and here are the results:

    --12:09:00-- http://www.strato.de/1.php
    => `1.php'
    Resolving www.strato.de... done.
    Connecting to www.strato.de[192.67.198.33]:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    12:09:00 ERROR 404: Not Found.

    --12:09:00-- http://www.strato.de/2.php
    => `2.php'
    Resolving www.strato.de... done.
    Connecting to www.strato.de[192.67.198.33]:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    12:09:01 ERROR 404: Not Found.

    --12:09:01-- http://www.47df.de/wbboard/1.php
    => `1.php'
    Resolving www.47df.de... done.
    Connecting to www.47df.de[0.0.0.0]:80... failed: Connection refused.
    --12:09:01-- http://www.intern.games-ring.de/2.php
    => `2.php'
    Resolving www.intern.games-ring.de... done.
    Connecting to www.intern.games-ring.de[217.160.214.166]:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    12:09:01 ERROR 404: Not Found.


    Strange DNS resolving though... 0.0.0.0 and 192.67.198.33


    Anyways,

    There you go,

    Roach4
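
    An added example, not from the thread or any vendor write-up: since the four check-in URLs above all return 404, there is nothing to fetch from them, but the requests themselves are a usable network indicator. This script hunts a forward-proxy access log for internal clients that issued GETs to those URLs. Matching is on host and path only, so a port suffix, different letter case or an appended query string does not defeat it. The log lines are constructed for the demo, in a simplified combined-log style with the full request URL as a proxy records it.

```python
"""Hunt a proxy log for hosts that made the Bagle.B check-in requests listed above.

Added example, not from the forum or any vendor.  CHECKIN_URLS are the four
URLs quoted in the thread; SAMPLE_LOG is constructed demo data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

CHECKIN_URLS = [
    "http://www.strato.de/1.php",
    "http://www.strato.de/2.php",
    "http://www.47df.de/wbboard/1.php",
    "http://www.intern.games-ring.de/2.php",
]


def _key(url):
    """Normalise a URL to (lower-case host, path); port and query are dropped."""
    u = urlsplit(url)
    return ((u.hostname or "").lower(), u.path or "/")


CHECKIN_KEYS = {_key(u) for u in CHECKIN_URLS}

# client ident user [timestamp] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log: two infected clients (10.0.0.12, 10.0.0.40), one clean
# client (10.0.0.7), and one unparseable line.
SAMPLE_LOG = """\
10.0.0.12 - - [17/Feb/2004:09:14:02 +0000] "GET http://www.strato.de/1.php HTTP/1.1" 404 219
10.0.0.12 - - [17/Feb/2004:09:14:03 +0000] "GET http://www.strato.de/2.php HTTP/1.1" 404 219
10.0.0.7 - - [17/Feb/2004:09:15:10 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.0.0.40 - - [17/Feb/2004:09:16:44 +0000] "GET http://WWW.INTERN.GAMES-RING.DE:80/2.php?x=1 HTTP/1.0" 404 219
10.0.0.7 - - [17/Feb/2004:09:17:01 +0000] "POST http://www.strato.de/ HTTP/1.1" 200 88
garbage line that does not parse
""".splitlines()


def find_checkins(lines):
    """Map each client IP to the (timestamp, url, status) check-in requests it made."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the hunt
        client, ts, method, url, status = m.groups()
        if method.upper() == "GET" and _key(url) in CHECKIN_KEYS:
            hits[client].append((ts, url, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(find_checkins(SAMPLE_LOG).items()):
        print(client, len(reqs), "check-in request(s)")  # 10.0.0.12 2, 10.0.0.40 1
```

    A 404 on the server side does not clear the client: the worm makes the request whether or not the script exists, so any client that issued it is worth pulling for the process and registry check in the Trend Micro write-up.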

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hrm.. on the Symantec Site it says
    Note: W32.Beagle.B@mm is coded to stop on February 25th, 2004.
    I wonder if this will be like Nachi and it's being coded to stop. We are still finding infections of it on the college residence network.

    Anyways looks like I'll be adding port 8866 to the list of ports I scan in res.

    Peace,
    HT
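
    An added example, not HT's scanning tool: a concurrent TCP connect scan for the port named above, of the kind you would run across a residence subnet to find hosts with the backdoor listening. Nothing is sent on the connection; a completed handshake is reported as "listening". The demo() function stands up a throwaway loopback listener so the scan can be exercised offline; the subnet and port 8866 default are the only assumptions.

```python
"""Connect scan for the Bagle.B backdoor port mentioned in the post above.

Added example, not the poster's tool.  demo() uses a loopback listener
created here as a stand-in for an infected host.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

BAGLE_B_PORT = 8866  # port named in the post above


def port_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts, port=BAGLE_B_PORT, timeout=0.5, workers=64):
    """Return, in input order, the hosts on which `port` accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return [h for h, is_open in results if is_open]


def hosts_in(cidr):
    """Expand a CIDR block (e.g. a residence subnet) into host addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def demo():
    """Scan loopback with and without a listener; returns (found, found_after_close).

    The listener never calls accept(): the kernel completes the handshake into
    the backlog, which is all a connect scan observes.  Closing the socket in
    the same thread frees the port, so the second scan gets a refusal.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so the demo never needs 8866 free
    srv.listen(5)
    port = srv.getsockname()[1]
    found = scan_hosts(["127.0.0.1"], port=port)
    srv.close()
    return found, scan_hosts(["127.0.0.1"], port=port)


if __name__ == "__main__":
    print(demo())  # (['127.0.0.1'], [])
    # Real use: print(scan_hosts(hosts_in("10.0.0.0/24")))
```

    A connect scan only shows that something accepts on 8866; confirm with the process and registry indicators from the write-up before treating a host as infected.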

  10. #10
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    I received a copy this morning and several of our users have received a copy today. It sounds like it is getting a little more widespread.
