-
February 17th, 2004, 04:28 PM
#1
Junior Member
New virus: Alua! (Bagle.B)
Hi,
Anyone got hit by this new virus yet?
Any in-depth information about it would be greatly appreciated! Do you know what the source code of the .php files it tries to execute on the websites is?
Thanks,
Roach4
-
February 17th, 2004, 04:52 PM
#2
Hi,
Which AV company calls it that................unfortunately they all use different naming conventions
What do you mean by "source code"?.............what possible use could that be..........you want the object (executable) code perhaps?
I do hope that you are not a "naughty person"
cheers
EDIT: This could be terminology...
To me: "source" is the programming language in which it is written
"object" is the result of compiling the source. And remember, even though it is a virus it is someone else's intellectual property until they say different...............it has a prison sentence attached, but it is their property!
-
February 17th, 2004, 04:57 PM
#3
Junior Member
-
February 17th, 2004, 05:03 PM
#4
Sorry mate, just terminology I suppose
I do not have it myself yet, but I will ask around.
Thanks I will look at the Norton site.
Hey, when I started with computers there were no VDU screens, just 80-column punched cards and "pyjama paper" printouts.
Cheers
-
February 17th, 2004, 05:05 PM
#5
taken from http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Description:
TrendLabs received several reports, initially from France, of this new worm spreading via email. To control the spread of this malware, TrendLabs has declared an alert as of February 17, 2004, 6:46 AM (US Pacific Time).
This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol).
The email message it sends out contains the following details:
Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random>
--
Thank
Attachment: <random>.exe
(Note: %Random% is composed of random letters.)
This malware runs on Windows 95, 98, ME, NT, 2000 and XP.
TrendLabs is currently analyzing this malware and will be providing more information.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
AU.EXE
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Au.exe = "C:\%System%\au.exe"
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
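As an added example (not from the Trend Micro write-up or from any poster in this thread), here is a Python check for the two indicators the write-up gives a defender: the mail template (subject "ID ... thanks", body "Yours ID ... / -- / Thank", .exe attachment) and the Au.exe value under HKCU\...\Run. The regexes and the sample message are my own construction from the quoted template, so real samples may vary more than this catches.

```python
import re
from email import message_from_string
from typing import Dict, List

# Indicators from the Trend Micro description quoted above; the regexes are my
# approximation of the quoted template and the "%System%\au.exe" Run value.
SUBJECT_RE = re.compile(r"^ID\s+[A-Za-z]+\s*\.\.\.\s*thanks$", re.I)
BODY_RE = re.compile(r"^Yours ID\s+\S+\s*\n--\s*\nThank\s*$", re.I)
RUN_VALUE_RE = re.compile(r'^"?[A-Z]:\\.*\\system(32)?\\au\.exe"?$', re.I)

def bagle_b_mail_indicators(raw_message: str) -> List[str]:
    """Return which parts of the Bagle.B mail template appear in one message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            hits.append("exe-attachment:" + name)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("ascii", "replace")
    if BODY_RE.match(body.strip()):
        hits.append("body")
    return hits

def is_bagle_b_mail(raw_message: str) -> bool:
    """Flag only when subject, body and an .exe attachment all match."""
    hits = bagle_b_mail_indicators(raw_message)
    return "subject" in hits and "body" in hits and any(
        h.startswith("exe-attachment:") for h in hits)

def bagle_b_run_entries(run_key: Dict[str, str]) -> List[str]:
    """Names of HKCU ...\\Run values that look like the Au.exe autostart entry."""
    return [name for name, value in run_key.items()
            if name.lower() == "au.exe" or RUN_VALUE_RE.match(value.strip())]

# Constructed sample following the quoted template (not a real capture).
SAMPLE_MAIL = (
    "From: qwzx@example.net\nSubject: ID pltrf ... thanks\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nYours ID pltrf\n--\nThank\n"
    '--b1\nContent-Type: application/octet-stream; name="pltrf.exe"\n'
    'Content-Disposition: attachment; filename="pltrf.exe"\n'
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n--b1--\n"
)
```

Requiring all three mail indicators together keeps a legitimate "thanks" subject or a stray .exe from tripping the rule on its own; the Run-key check is what you would run against an exported HKCU Run key on a suspect box.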
-
February 17th, 2004, 05:47 PM
#6
Roach4,
This is a mass-mailing worm (MMW); it uses e-mails. php?.........websites????????????? I do not believe that you have the name right, or there is confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious
Cheers
-
February 17th, 2004, 06:01 PM
#7
Originally posted here by nihil
Roach4,
This is a mass-mailing worm (MMW); it uses e-mails. php?.........websites????????????? I do not believe that you have the name right, or there is confusion in naming between the AVs?
Which link are you afraid of visiting?...just post it and I will let you know......and what my stuff finds on it.........if there is anything malicious
Cheers
Hi nihil, I think what he is talking about is this part of the virus:
I think what he is getting at, is what will happen if he visits one of those sites. I haven't got a lab machine set-up right now or I'd go have a look.
Cheers:
/edit
You can check out the Symantec write up here
-
February 17th, 2004, 06:03 PM
#8
Junior Member
Here is what I'm talking about:
Symantec (Alua): http://securityresponse.symantec.com...2.alua@mm.html
Trendmicro (Bagle.B): http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.B
Bitdefender: http://www.bitdefender.com/bd/site/v..._id=1&v_id=193
...........
Now... the links that are contacted when infected are:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
/edit:
But I checked them from a linux machine and here are the results:
--12:09:00-- http://www.strato.de/1.php
=> `1.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:00 ERROR 404: Not Found.
--12:09:00-- http://www.strato.de/2.php
=> `2.php'
Resolving www.strato.de... done.
Connecting to www.strato.de[192.67.198.33]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
--12:09:01-- http://www.47df.de/wbboard/1.php
=> `1.php'
Resolving www.47df.de... done.
Connecting to www.47df.de[0.0.0.0]:80... failed: Connection refused.
--12:09:01-- http://www.intern.games-ring.de/2.php
=> `2.php'
Resolving www.intern.games-ring.de... done.
Connecting to www.intern.games-ring.de[217.160.214.166]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
12:09:01 ERROR 404: Not Found.
Strange DNS resolving though... 0.0.0.0 and 192.67.198.33
Anyways,
There you go,
Roach4
-
February 17th, 2004, 07:00 PM
#9
Hrm.. on the Symantec Site it says
Note: W32.Beagle.B@mm is coded to stop on February 25th, 2004.
I wonder if this will be like Nachi and its being coded to stop. We are still finding infections of it on the college residence network.
Anyways looks like I'll be adding port 8866 to the list of ports I scan in res.
Peace,
HT
-
February 17th, 2004, 07:48 PM
#10
I received a copy this morning and several of our users have received a copy today. It sounds like it is getting a little more widespread.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)