funsec mailing list archives

Re: ? - I don't know where to send this one, so I'm sending it here...


From: "Mary Landesman" <mlande () bellsouth net>
Date: Wed, 2 Nov 2005 15:34:53 -0500

On November 1st, three new variants of Bagle were reported and two more have
been discovered today. Each was seeded in email. The zip attachments for all
five use the following filenames:

Business_dealing.zip
Business.zip
Health_and_knowledge.zip
Info_prices.zip
max.zip
sms_text.zip
text_sms.zip
The_new_prices.zip

These zip files contain an executable that has been named differently for
each discovered variant:

loader.exe
MD5: 7b2f9ddebd027d54e36408c89804afdb
W32/Bagle.dk (McAfee)

t_535475.exe
MD5: 8275444ac2caac4b90bfd07d0b2b17be
W32/Bagle.dl (McAfee)

text.exe
MD5: 18ae7a2fa4dbbf703c3ae157f224186a
W32/Bagle.dm (McAfee)

Text5546.exe
MD5: 4a68d23367d8aaf9fe9217f7f9f98bf1
Email-Worm.Win32.Bagle.eb (Kaspersky)

1.exe
MD5: ace16db59167005a4d408ed677351f93

Each of the three discovered on November 1st copied itself to the
Windows System directory as HLOADER_EXE.EXE. Each of the three dropped
HLEADER_DLL.DLL to that same directory and injected this DLL into the
Explorer.exe process. The DLL contains a list of websites (which varies by
variant) from which to check for downloadable malware. In all three of the
November 1st variants, both the HKCU and HKLM Run keys were modified to add:
"auto_hloader_key" = C:\WINNT\SYSTEM32\HLOADER_EXE.EXE

I'm guessing the two discovered thus far today will have similar routines.

Regards,
-- Mary


----- Original Message ----- 
From: "Rob Thompson" <my.security.lists () gmail com>
To: <funsec () linuxbox org>
Sent: Wednesday, November 02, 2005 2:18 PM
Subject: [funsec] ? - I don't know where to send this one, so I'm sending it
here...


Howdy all...

I have a few customers of mine that are getting e-mails that are a little
off...

I don't really know where to start with this.  Basically, they are
getting e-mails to themselves from themselves at a different domain.

A file is attached (I am not including it in this e-mail but will send
it to those who request it should they so desire) in a zip named
"Info_prices.zip"; within the zip is a file called "Text5546.exe".

I have Googled the file name for both the zip and executable and am
coming up with nothing.

OH - the subject line is just "FW:" it's a forwarded message that is blank.

I went to Symantec to try to submit a copy of the virus but apparently
I have to own a copy of their AV product and we don't use it here at
work.  Also, the vendor we do use is showing nothing in the a/v scan
AND they don't have a virus submit page either.

Anyone have any advice?  I fear that this may be something new, but
don't know how to confirm it.


--
Rob

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
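The indicators in Mary Landesman's reply (the seeded zip names, the per-variant MD5s, the dropped HLOADER_EXE.EXE / HLEADER_DLL.DLL files and the "auto_hloader_key" Run-key value) lend themselves to a small triage script for anyone in Rob's position with a suspicious attachment and a registry export from an affected machine. The following is an added example, not code from the original thread or from any vendor named in it: it transcribes the post's indicators into lookup tables, classifies one attachment by name and hash, and scans a `.reg` export of the HKCU/HKLM Run keys for the persistence entry. The sample registry text and the attachment bytes are constructed for the demonstration; the function names are the example's own.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Indicators transcribed from the funsec post above (2 Nov 2005).
BAGLE_ZIP_NAMES = {
    "business_dealing.zip", "business.zip", "health_and_knowledge.zip",
    "info_prices.zip", "max.zip", "sms_text.zip", "text_sms.zip",
    "the_new_prices.zip",
}
BAGLE_EXE_MD5: Dict[str, str] = {
    "7b2f9ddebd027d54e36408c89804afdb": "loader.exe / W32/Bagle.dk (McAfee)",
    "8275444ac2caac4b90bfd07d0b2b17be": "t_535475.exe / W32/Bagle.dl (McAfee)",
    "18ae7a2fa4dbbf703c3ae157f224186a": "text.exe / W32/Bagle.dm (McAfee)",
    "4a68d23367d8aaf9fe9217f7f9f98bf1": "Text5546.exe / Email-Worm.Win32.Bagle.eb (Kaspersky)",
    "ace16db59167005a4d408ed677351f93": "1.exe / (no vendor name given in the post)",
}
BAGLE_EXE_NAMES = {"loader.exe", "t_535475.exe", "text.exe", "text5546.exe", "1.exe"}
DROPPED_FILES = {"hloader_exe.exe", "hleader_dll.dll"}
RUN_VALUE_NAME = "auto_hloader_key"


def lookup_md5(hexdigest: str) -> Optional[str]:
    """Return the vendor label for a known sample hash, or None if unknown."""
    return BAGLE_EXE_MD5.get(hexdigest.strip().lower())


def classify_attachment(zip_name: str, inner_name: str, inner_bytes: bytes) -> List[str]:
    """Name and hash checks for one zip attachment and the file it contains.

    Returns the list of matched indicators; an empty list means no match.
    A name match alone is weak evidence, a hash match is strong evidence.
    """
    hits: List[str] = []
    if zip_name.lower() in BAGLE_ZIP_NAMES:
        hits.append(f"zip name matches seeding list: {zip_name}")
    if inner_name.lower() in BAGLE_EXE_NAMES:
        hits.append(f"inner file name matches reported variant: {inner_name}")
    label = lookup_md5(hashlib.md5(inner_bytes).hexdigest())
    if label:
        hits.append(f"MD5 matches reported sample: {label}")
    return hits


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_run_key_export(reg_text: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export for the persistence entry the post describes.

    Returns (key, value_name, value_data) for every entry under a
    ...\\CurrentVersion\\Run key whose name is auto_hloader_key or whose
    data points at one of the dropped files.
    """
    hits: List[Tuple[str, str, str]] = []
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if not current_key.lower().endswith(r"\currentversion\run"):
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        # .reg files escape backslashes in string data; undo that first.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        basename = data.rsplit("\\", 1)[-1].strip('"').lower()
        if name.lower() == RUN_VALUE_NAME or basename in DROPPED_FILES:
            hits.append((current_key, name, data))
    return hits


# Constructed sample: a Run-key export as it might look on an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"auto_hloader_key"="C:\\WINNT\\SYSTEM32\\HLOADER_EXE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_hloader_key"="C:\\WINNT\\SYSTEM32\\HLOADER_EXE.EXE"
"""

if __name__ == "__main__":
    # Constructed bytes stand in for the attachment; its hash will not match.
    print(classify_attachment("Info_prices.zip", "Text5546.exe", b"constructed placeholder"))
    for key, name, data in scan_run_key_export(SAMPLE_REG):
        print(f"{key}: {name} = {data}")
```

Exporting the two Run keys with `reg export` on the suspect machine and feeding the file to `scan_run_key_export` gives a quick yes/no on the persistence entry; the attachment check is best done on a copy of the zip from the mail store rather than on a file that has already been run.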
