
Thread: Beagle-K...

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Beagle-K...

    Just received a copy of Beagle-K, and I must say this is some good stuff... heh.

    This is the e-mail I received:


    Dear user of Moneytronics.com,

    Your e-mail account will be disabled because of improper using in next
    three days, if you are still wishing to use it, please, resign your
    account information.

    Pay attention on attached file.

    For security reasons attached file is password protected. The password is "10186".

    Have a good day,
    The Moneytronics.com team http://www.moneytronics.com

    Sender was administration@moneytronics.com.
    Note that I own moneytronics.com...

    Here's the header info:


    Return-Path: <webmaster@rewardingtraffic.com>
    Delivered-To: referral@moneytronics.com
    Received: (qmail 18067 invoked from network); 3 Mar 2004 17:38:48 -0000
    Received: from eros.be.priorweb.net (213.193.229.18)
    by ns2.priorweb.be with QMQP; 3 Mar 2004 17:38:48 -0000
    Received: from webmaster@rewardingtraffic.com by eros by uid 1004 with qmail-scanner-1.20rc3
    (clamscan: 0.60. Clear:RC:0:.
    Processed in 1.31934 secs); 03 Mar 2004 17:38:48 -0000
    Received: from unknown (HELO amanda-kv6pe0ib) (69.132.158.213)
    by 0 with SMTP; 3 Mar 2004 17:38:47 -0000
    Date: Wed, 03 Mar 2004 12:39:02 -0500
    To: referral@moneytronics.com
    Subject: Warning about your e-mail account.
    From: administration@moneytronics.com
    Message-ID: <hrhvllovtkcrlwbjimp@moneytronics.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="--------dndyiwntjxjbucdcsbyc"
    X-Qmail-Scanner-Message-ID: <107833552763825642@eros>
    X-Antivirus: avast! (VPS 0402-9, 03/03/2004), Inbound message
    X-Antivirus-Status: Clean

    The message came with a zipped password-protected exe-file (puotj.exe).
    Note that Avast didn't pick it up (I have the latest March 3 database).

    Here's the F-Secure info on Bagle/Beagle.K.

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Geeezzz...... when are we going to get a break, my gateway server is just getting hammered right now.


    Cheers:
    DjM

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Seems like a new variant or virus every few hours. I read somewhere that FSecure thinks that the virus writer is watching the AV company's web sites. When they publish a def he/she looks to see what they are keying on, alters the virus and rereleases it. Risky business if you ask me, but it seems to be working. Like you, DjM, my servers are getting hammered with viruses too.... We got a netsky.c in before the def was available that one "moron" clicked on.

    Negative: we got a few of the j variant telling our users, (including my CEO), that I was cutting off their email..... Shoulda heard the whining, (especially the CEO...<LOL>), even though the attachment was "securitynotice.txt" telling them that the virus had been removed. I only emailed them all a week ago telling them how to check the attachment for a txt extension by doing a "save-as" so they could see the entire name of the attachment.....<sigh>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Don't know if it's been said or not, but your AV didn't catch it because it couldn't scan it.

    The files are coming through in a password protected encrypted attachment.

    The AV scanners simply can't open them.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by phishphreek80
    Don't know if it's been said or not, but your AV didn't catch it because it couldn't scan it.

    The files are coming through in a password protected encrypted attachment.

    The AV scanners simply can't open them.

    Not the case here, phish. I have my gateway configured so that if the attachment is a password protected encrypted file, it gets stripped off....no questions asked

    Cheers:
    DjM
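The gateway policy DjM describes, with phishphreek's reasoning behind it, written out as an added example that is not code from the thread: a ZIP archive's own local file headers carry an "encrypted" flag bit, so a gateway can read that bit directly and strip the attachment without ever needing to open the archive a scanner cannot open. The sample mail and archive below are constructed here, and `zip_has_encrypted_entry`, `strip_encrypted_zips` and `build_sample` are names chosen for this example.

```python
import io
import struct
import zipfile
from email.message import EmailMessage

LOCAL_SIG = b"PK\x03\x04"    # ZIP local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # ZIP central directory header signature


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any local file header has general-purpose flag bit 0 set.
    Only raw headers are read, so it works on archives a scanner cannot open."""
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return False
        # layout: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) namelen(2) extralen(2)
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        csize, namelen, extralen = struct.unpack_from("<I4xHH", data, pos + 18)
        pos += 30 + namelen + extralen + csize


def strip_encrypted_zips(msg: EmailMessage) -> list:
    """Gateway policy: swap each password-protected ZIP for a notice; return stripped names."""
    stripped = []
    for part in msg.walk():
        if part.get_content_type() != "application/zip":
            continue
        if zip_has_encrypted_entry(part.get_payload(decode=True) or b""):
            name = part.get_filename() or "attachment.zip"
            stripped.append(name)
            part.set_content(f"[{name} removed by gateway: encrypted archive]")
    return stripped


def build_sample(encrypted: bool) -> EmailMessage:
    """Constructed test mail: a ZIP attachment, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("puotj.exe", b"placeholder bytes, not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted:  # flag word sits at offset 6 (local) / 8 (central) of each header
        data[data.find(LOCAL_SIG) + 6] |= 0x01
        data[data.find(CENTRAL_SIG) + 8] |= 0x01
    msg = EmailMessage()
    msg.set_content("Pay attention on attached file.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="attach.zip")
    return msg
```

A plain (unflagged) archive passes untouched, so legitimate ZIP attachments still get through to the content scanner.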

  6. #6
    Junior Member
    Join Date
    Dec 2003
    Posts
    1

    Bagle VS NetSky

    Quoting a Sans Ezine:

    "[Editor's Note (Tan): Bagle and NetSky are fighting with each other. In
    NetSky.F, researchers found the following text: "Skynet AntiVirus -
    Bagle - you are a looser!!!!" This NetSky worm variant tries to remove
    Bagle worm infection if it finds it on an infected computer. And in
    Bagle.K, a message is embedded saying, "Hey, NetSky, ***** off you
    b*tch!"] "


    Is it China VS Europe or what?

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    723

    Re: Bagle VS NetSky

    Originally posted here by cbss
    Is it China VS Europe or what?

    Nope, spammers vs. virus writer who doesn't like spammers. Strange days indeed; I guess we cheer for the lesser of two evils?
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Damn, I was just about to come back and say they must be having a virus war or stand off or something. I don't ever recall this many variants in so little time. It's getting freaking crazy!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by phishphreek80
    Damn, I was just about to come back and say they must be having a virus war or stand off or something. I don't ever recall this many variants in so little time. It's getting freaking crazy!

    Mydoom just came out with a new one. W32.Mydoom.H@mm.

    These guys/gals get into a pissing contest and we are the ones that suffer.

    Cheers:
    DjM

  10. #10
    I just received this e-mail below. It was "supposedly" but it wasn't sent from my ISP. The x's are the names of my ISP. Attached with a zip file. Clever.......

    There is an e-mail circulating that comes from "support@xxxxxxxsystem.com" or "staff@xxxxxxxxsystem.com" with an attachment that contains a ZIP file. THIS IS A VIRUS! DO NOT open the attachment (usually attach.zip).

    The body of the e-mail reads:

    Dear user, the management of xxxxxxxsystem.com mailing system wants to let you know that,

    Our antivirus software has detected a large amount of viruses outgoing from your e-mail account, you may use our free anti-virus tool to clean up your computer software.

    Pay attention on attached file.

    Attached file protected with the password for security reasons. Password is 23152.

    Cheers,

    The xxxxxxxxxx.com team.



    Please notice the bad grammar and spacing issues in the body of the message; a good clue that this is a phony. This email did NOT come from our company, and the sender addresses do not exist. The addresses were "spoofed" (created and placed in there by the virus). All email addressed to "@xxxxxxxxx.com" or "@xxxxxxxxxxx.com" is scanned for viruses; this virus most likely came into our network from a foreign email address domain name and then propagated itself within the network.

    As always, if you have questions, please call our Help Desk at xxx-xxx-xxxx. We are open from 6 am until 1am, 7 days a week.

    xxxxxxx internet support
