[unisog] New Beagle/Bagle Variant Making The E-mail Rounds

Brian Eckman eckman at umn.edu
Mon Aug 9 19:33:51 GMT 2004


We started seeing a new variant of the Bagle (a.k.a. Beagle) line of
E-mail worms at 11:30 CDT (GMT -0500). The infection rate worldwide has
since increased significantly. AntiVirus vendors and the SANS Internet 
Storm Center have been sent copies. SANS has a preliminary writeup on 
their Web page at http://isc.sans.org/ that they have been updating.

AV vendors are not detecting this new variant of Bagle yet. Apparently 
some vendors are detecting the malicious JavaScript that is in the Zip
file that runs the Bagle executable. This variant opens a backdoor on 
port 80/tcp.

It creates several files, including:

%WINDIR%\System32\windll.exe
%WINDIR%\System32\_dll.exe
%WINDIR%\System32\WINdirect.exe

Several campuses have reported infections thus far.

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota



