New Bagle "AI" Trojan/Downloader - MEDIUM RISK

Discussion in 'malware problems & news' started by the mul, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,704
    Location:
    scotland
    Every AV vendor has a unique name for this new version of Bagle that was mass mailed extensively overnight. Secunia uses "AI" and they have issued a MEDIUM RISK alert for this virus at 2004-09-01 02:40. McAfee calls this new variant Bagle.dll.dr and Symantec has named it Beagle.AQ.

    New Bagle "AI" Trojan/Downloader - MEDIUM RISK (Secunia)
    http://secunia.com/virus_information/11645/
    http://vil.nai.com/vil/content/v_127119.htm
    http://www.trendmicro.com/vinfo/virusencyc...e=WORM_BAGLE.AI
    http://www.f-secure.com/v-descs/bagle_ak.shtml
    http://www.symantec.com/avcenter/venc/data...agle.aq@mm.html
    http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=40053
    http://www.sophos.com/virusinfo/analyses/trojbagledla.html

    This new variant is a trojan that downloads and executes arbitrary files from a long hardcoded list of 131 URLs. In the wild, we have seen other variants of this trojan download Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable. This variant has been mass-mailed on a large scale by what appears to be Win32.Bagle.AI.

    The origin was an e-mail message that was spammed to numerous people. The e-mail contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs and then tries to connect to several websites and download a file from them. The URLs are hardcoded in the program's body.

    EMAIL MESSAGE FORMAT

    Subject: foto
    Body: foto
    Attachment: foto.zip or foto1.zip (containing foto.html and foto1.exe)


    THE MUL
     
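    Added example, not from the thread or from any AV vendor: a Python check that flags a message matching the e-mail format described in the post above (subject "foto", foto.zip/foto1.zip containing foto.html and foto1.exe, a 12,800-byte executable). It assumes a mail-gateway hook that hands it the raw message bytes; the sample message it builds is constructed here, with dummy bytes standing in for the executable.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the thread's EMAIL MESSAGE FORMAT block and post text.
SUBJECTS = {"foto"}
ZIP_NAMES = {"foto.zip", "foto1.zip"}
ZIP_MEMBERS = {"foto.html", "foto1.exe"}
DROPPER_SIZE = 12800  # byte size of the dropper as reported in the post


def bagle_ai_indicators(raw_eml: bytes) -> list[str]:
    """Return the list of Bagle.AI-style indicators matched by one raw message."""
    msg = email.message_from_bytes(raw_eml, policy=default)
    hits = []
    if (msg["subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject:foto")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name not in ZIP_NAMES:
            continue
        hits.append(f"attachment:{name}")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = {i.filename.lower(): i.file_size for i in zf.infolist()}
        except zipfile.BadZipFile:
            hits.append("attachment:corrupt-zip")
            continue
        if ZIP_MEMBERS.issubset(members):
            hits.append("zip:foto.html+foto1.exe")
        if members.get("foto1.exe") == DROPPER_SIZE:
            hits.append("zip:foto1.exe-12800-bytes")
    return hits


def build_sample_eml() -> bytes:
    """Constructed sample message mimicking the described format (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html></html>")
        zf.writestr("foto1.exe", b"MZ" + b"\0" * (DROPPER_SIZE - 2))  # dummy bytes, same size
    m = EmailMessage()
    m["Subject"] = "foto"
    m.set_content("foto")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="foto.zip")
    return m.as_bytes()
```

A message that matches only the subject or only the zip name gets a partial hit list, so a gateway policy can quarantine on the zip-member match alone and merely log the weaker indicators.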
  2. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,704
    Location:
    scotland
    Notice
    This is a Low-Profiled Threat Notice Update for W32/Bagle.dll.dr and JS/IllWill

    Justification
    W32/Bagle.dll.dr and JS/IllWill have been updated from Low to Low-Profiled due to Media Attention at http://searchsecurity.techtarget.com/origi...1003551,00.html. W32/Bagle.dll.dr and JS/IllWill are referred to as Bagle-AQ within the article.

    Read About It
    Information about W32/Bagle.dll.dr is located on VIL at: http://vil.nai.com/vil/content/v_127119.htm
    Information about JS/IllWill is located on VIL at: http://vil-origin.nai.com/vil/content/v_99242.htm

    Detection
    The W32/Bagle.dll.dr portion of the threat is proactively detected with 4385 dat files (Release Date: 08/11/2004) and higher. The JS/IllWill portion of the threat is proactively detected with the 4260 dat files (Release Date: 04/30/2003) and higher.

    To stay updated and protected download the latest dat files from http://www.mcafeesecurity.com/us/downloads/default.asp

    If you suspect you have W32/Bagle.dll.dr or JS/IllWill, please submit a sample to http://www.webimmune.net.

    Risk Assessment Definition
    For further information on the Risk Assessment and AVERT Recommended Actions please see:
    http://www.mcafeesecurity.com/us/security/..._assessment.htm

    Best Regards,

    McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and
    Solutions visit us at www.avertlabs.com
     