funsec mailing list archives
Re: ? - I don't know where to send this one, so I'm sending it here...
From: "Mary Landesman" <mlande () bellsouth net>
Date: Wed, 2 Nov 2005 15:34:53 -0500
On November 1st, three new variants of Bagle were reported and two more have been discovered today. Each was seeded in email. The zip attachments for all five use the following filenames:

    Business_dealing.zip
    Business.zip
    Health_and_knowledge.zip
    Info_prices.zip
    max.zip
    sms_text.zip
    text_sms.zip
    The_new_prices.zip

These zip files contain an executable that has been named differently for each discovered variant:

    loader.exe      MD5: 7b2f9ddebd027d54e36408c89804afdb   W32/Bagle.dk (McAfee)
    t_535475.exe    MD5: 8275444ac2caac4b90bfd07d0b2b17be   W32/Bagle.dl (McAfee)
    text.exe        MD5: 18ae7a2fa4dbbf703c3ae157f224186a   W32/Bagle.dm (McAfee)
    Text5546.exe    MD5: 4a68d23367d8aaf9fe9217f7f9f98bf1   Email-Worm.Win32.Bagle.eb (Kaspersky)
    1.exe           MD5: ace16db59167005a4d408ed677351f93

Each of the three discovered on November 1st copied itself to the Windows System directory as HLOADER_EXE.EXE. Each of the three dropped HLEADER_DLL.DLL to that same directory and injected this DLL into the Explorer.exe process. The DLL contains a list of websites (which varies by variant) from which to check for downloadable malware.

In all three of the November 1st variants, both the HKCU and HKLM Run keys were modified to add:

    "auto_hloader_key" = C:\WINNT\SYSTEM32\HLOADER_EXE.EXE

I'm guessing the two discovered thus far today will have similar routines.

Regards,
-- Mary

----- Original Message -----
From: "Rob Thompson" <my.security.lists () gmail com>
To: <funsec () linuxbox org>
Sent: Wednesday, November 02, 2005 2:18 PM
Subject: [funsec] ? - I don't know where to send this one, so I'm sending it here...

Howdy all...

I have a few customers of mine that are getting e-mails that are a little off... I don't really know where to start with this. Basically, they are getting e-mails to themselves from themselves at a different domain.

A file is attached (I am not including it in this e-mail but will send it to those who request it should they so desire) in a zip named "Info_prices.zip"; within the zip is a file called "Text5546.exe". I have Googled the file name for both the zip and executable and am coming up with nothing.

OH, the subject line is just "FW:"; it's a forwarded message that is blank.

I went to Symantec to try to submit a copy of the virus but apparently I have to own a copy of their AV product and we don't use it here at work. Also, the vendor we do use is showing nothing in the a/v scan AND they don't have a virus submit page either.

Anyone have any advice? I fear that this may be something new, but don't know how to confirm it.

-- Rob

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
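The indicators Mary lists (attachment names, executable names, MD5s, the dropped files and the Run value name) and the symptom Rob describes (mail to a user from that same user at another domain) are enough to write a first-pass triage check. The script below is an added example, not code from this thread or from any AV vendor. It hashes zip members without executing them, refuses to inflate members above an assumed size limit (MAX_MEMBER_BYTES is my choice, not from the message), and takes Run-key data as a plain dict exported from the registry. The sample zip it builds is constructed here with a dummy payload, so it trips the name checks but will not match any of the real MD5s; a genuine sample would.

```python
"""Triage helper built on the Bagle indicators in Mary Landesman's message.

Added example, not code from the thread.  Indicator values (zip names,
executable names, MD5s, dropped file names, Run value name) are copied from
the message.  The sample zip built below is constructed here with a dummy
payload, so its MD5 will not match a real Bagle hash; MAX_MEMBER_BYTES is an
assumed safety limit, not something from the message.
"""
import hashlib
import io
import ntpath
import zipfile

ZIP_NAMES = {
    "Business_dealing.zip", "Business.zip", "Health_and_knowledge.zip",
    "Info_prices.zip", "max.zip", "sms_text.zip", "text_sms.zip",
    "The_new_prices.zip",
}
# md5 -> (executable name inside the zip, detection name as reported)
EXE_MD5 = {
    "7b2f9ddebd027d54e36408c89804afdb": ("loader.exe", "W32/Bagle.dk (McAfee)"),
    "8275444ac2caac4b90bfd07d0b2b17be": ("t_535475.exe", "W32/Bagle.dl (McAfee)"),
    "18ae7a2fa4dbbf703c3ae157f224186a": ("text.exe", "W32/Bagle.dm (McAfee)"),
    "4a68d23367d8aaf9fe9217f7f9f98bf1": ("Text5546.exe", "Email-Worm.Win32.Bagle.eb (Kaspersky)"),
    "ace16db59167005a4d408ed677351f93": ("1.exe", "no name given in the message"),
}
EXE_NAMES = {name.lower() for name, _ in EXE_MD5.values()}
RUN_VALUE_NAME = "auto_hloader_key"                      # added to HKCU and HKLM Run
DROPPED_FILES = {"hloader_exe.exe", "hleader_dll.dll"}   # dropped into the System dir
MAX_MEMBER_BYTES = 8 * 1024 * 1024                       # assumed: skip hashing huge members


def triage_attachment(attachment_name, data):
    """Check one mail attachment (name + raw bytes) against the indicators.

    Only names and hashes are consulted; nothing is executed.  Members larger
    than MAX_MEMBER_BYTES are not inflated, so a decompression bomb cannot
    take the scanner down.
    """
    result = {
        "zip_name_match": attachment_name in ZIP_NAMES,
        "contains_executable": False,
        "exe_name_matches": [],
        "md5_matches": [],
        "bad_zip": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["bad_zip"] = True
        return result
    with zf:
        for info in zf.infolist():
            # Reduce to a bare file name; zip entries may use either separator.
            member = ntpath.basename(info.filename.replace("/", "\\"))
            if member.lower().endswith(".exe"):
                result["contains_executable"] = True
            if member.lower() in EXE_NAMES:
                result["exe_name_matches"].append(member)
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            digest = hashlib.md5(zf.read(info)).hexdigest()
            if digest in EXE_MD5:
                result["md5_matches"].append((member, digest) + EXE_MD5[digest])
    return result


def suspicious_run_values(run_values):
    """run_values: {value name: data} exported from a Run key.

    Flags the value name Mary reports and any data that points at a dropped file.
    """
    hits = []
    for name, data in run_values.items():
        data_l = data.lower()
        if name.lower() == RUN_VALUE_NAME or any(f in data_l for f in DROPPED_FILES):
            hits.append((name, data))
    return hits


def is_self_addressed_cross_domain(from_addr, to_addr):
    """Rob's symptom: mail 'to themselves from themselves at a different domain'."""
    f_local, _, f_dom = from_addr.strip().lower().rpartition("@")
    t_local, _, t_dom = to_addr.strip().lower().rpartition("@")
    return bool(f_local) and f_local == t_local and f_dom != t_dom


def build_sample_zip():
    """Constructed sample: the attachment shape Rob describes, with a dummy payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Text5546.exe", b"MZ\x90\x00 dummy bytes, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("Info_prices.zip", build_sample_zip()))
    print(suspicious_run_values({
        "auto_hloader_key": r"C:\WINNT\SYSTEM32\HLOADER_EXE.EXE",  # constructed export
        "ctfmon.exe": "ctfmon.exe",
    }))
    print(is_self_addressed_cross_domain("bob@example.com", "bob@example.org"))
```

Run it against a real quarantined attachment by passing the file's bytes to triage_attachment; an MD5 hit identifies the variant, while name hits alone only say the sample fits the pattern and still needs a vendor submission. The Run-key dict can be filled from a `reg export` of both HKCU and HKLM Run keys, since Mary reports the value was written to both.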
Current thread:
- ? - I don't know where to send this one, so I'm sending it here... Rob Thompson (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Jonathan Glass (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Rob Thompson (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Scott Blomquist (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Mary Landesman (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Rob Thompson (Nov 02)
- <Possible follow-ups>
- RE: ? - I don't know where to send this one, so I'm sending it here... Young, Keith (Nov 02)
- Re: ? - I don't know where to send this one, so I'm sending it here... Jonathan Glass (Nov 02)