New Bagle "AI" Trojan/Downloader - MEDIUM RISK

Discussion in 'malware problems & news' started by the mul, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Every AV vendor has a unique name for this new version of Bagle that was mass mailed extensively overnight. Secunia uses "AI" and they have issued a MEDIUM RISK alert for this virus at 2004-09-01 02:40. McAfee calls this new variant Bagle.dll.dr and Symantec has named it Beagle.AQ.

    New Bagle "AI" Trojan/Downloader - MEDIUM RISK (Secunia)
    http://secunia.com/virus_information/11645/
    http://vil.nai.com/vil/content/v_127119.htm
    http://www.trendmicro.com/vinfo/virusencyc...e=WORM_BAGLE.AI
    http://www.f-secure.com/v-descs/bagle_ak.shtml
    http://www.symantec.com/avcenter/venc/data...agle.aq@mm.html
    http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=40053
    http://www.sophos.com/virusinfo/analyses/trojbagledla.html

    This new variant is a trojan that downloads and executes arbitrary files from a long hardcoded list of 131 URLs. In the wild, we have seen other variants of this trojan download Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable. This variant has been mass-mailed on a large scale by what appears to be Win32.Bagle.AI.

    The origin was an e-mail message that was spammed to numerous people. The e-mail contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs and then tries to connect to several websites and download a file from them. The URLs are hardcoded in the program's body.

    EMAIL MESSAGE FORMAT


    QUOTE
    Subject: foto
    Body: foto
    Attachment: foto.zip or foto1.zip (containing foto.html and foto1.exe)


    THE MUL
     
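As an added illustration (not part of the original post or of any vendor's write-up), the script below shows one way a mail gateway could screen for the attachment pattern described above: a ZIP archive whose members include an executable, here accompanied by an HTML file. It builds a constructed sample message mirroring the reported format (subject "foto", body "foto", foto.zip containing foto.html and foto1.exe with placeholder bytes in place of any real payload) plus a benign control, and reports which one would be quarantined. The `screen_message` and `build_sample_message` names, the extension list and the addresses are all assumptions of this example.

```python
import io
import os
import zipfile
import email
import email.policy
from email.message import EmailMessage

# Extensions treated as directly executable on Windows (example list, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
WEB_EXTS = {".html", ".htm"}


def inspect_zip(data: bytes) -> dict:
    """List archive members and flag executables; an unreadable archive is itself a finding."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"members": [], "executables": [], "html": [], "bad_archive": True}
    ext = lambda n: os.path.splitext(n)[1].lower()
    return {
        "members": names,
        "executables": [n for n in names if ext(n) in EXECUTABLE_EXTS],
        "html": [n for n in names if ext(n) in WEB_EXTS],
        "bad_archive": False,
    }


def screen_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether its ZIP attachments warrant quarantine."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    result = {"subject": msg["subject"], "quarantine": False, "reasons": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        info = inspect_zip(part.get_payload(decode=True) or b"")
        if info["bad_archive"]:
            result["quarantine"] = True
            result["reasons"].append(f"{name}: archive could not be parsed")
            continue
        if info["executables"]:
            result["quarantine"] = True
            result["reasons"].append(f"{name}: executable member(s) {info['executables']}")
            if info["html"]:
                # Executable shipped alongside an HTML decoy, the pairing described in the post.
                result["reasons"].append(f"{name}: HTML companion {info['html']}")
    return result


def _message_with_zip(subject: str, body: str, zipname: str, members: dict) -> bytes:
    """Constructed sample message carrying an in-memory ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zipname)
    return msg.as_bytes()


def build_sample_message() -> bytes:
    """Constructed message in the reported format; the .exe member is placeholder bytes, not malware."""
    return _message_with_zip("foto", "foto", "foto.zip", {
        "foto.html": "<html><body>photo</body></html>",
        "foto1.exe": b"MZ" + b"\x00" * 32,
    })


def build_benign_message() -> bytes:
    """Constructed control message: a ZIP holding only a JPEG."""
    return _message_with_zip("holiday pictures", "see attached", "pics.zip", {
        "beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    })


if __name__ == "__main__":
    for raw in (build_sample_message(), build_benign_message()):
        verdict = screen_message(raw)
        print(verdict["subject"], "->", "QUARANTINE" if verdict["quarantine"] else "deliver", verdict["reasons"])
```

Filename screening of this kind is only a first line of defence: it catches the reported attachment shape but not a payload renamed to a non-executable extension, so it belongs in front of, not instead of, signature scanning with current definition files.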
  2. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Notice
    This is a Low-Profiled Threat Notice Update for W32/Bagle.dll.dr and JS/IllWill

    Justification
    W32/Bagle.dll.dr and JS/IllWill have been updated from Low to Low-Profiled due to Media Attention at http://searchsecurity.techtarget.com/origi...1003551,00.html. W32/Bagle.dll.dr and JS/IllWill are referred to as Bagle-AQ within the article.

    Read About It
    Information about W32/Bagle.dll.dr is located on VIL at: http://vil.nai.com/vil/content/v_127119.htm
    Information about JS/IllWill is located on VIL at: http://vil-origin.nai.com/vil/content/v_99242.htm

    Detection
    The W32/Bagle.dll.dr portion of the threat is proactively detected with 4385 dat files (Release Date: 08/11/2004) and higher. The JS/IllWill portion of the threat is proactively detected with the 4260 dat files (Release Date: 04/30/2003) and higher.

    To stay updated and protected download the latest dat files from http://www.mcafeesecurity.com/us/downloads/default.asp

    If you suspect you have W32/Bagle.dll.dr or JS/IllWill, please submit a sample to http://www.webimmune.net.

    Risk Assessment Definition
    For further information on the Risk Assessment and AVERT Recommended Actions please see:
    http://www.mcafeesecurity.com/us/security/..._assessment.htm

    Best Regards,

    McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions visit us at www.avertlabs.com
     