[unisog] New Beagle/Bagle Variant Making The E-mail Rounds

Brian Eckman eckman at umn.edu
Mon Aug 9 20:06:22 GMT 2004


Anderson Johnston wrote:

> McAfee has a description posted at:
> 
> 
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127423
> 
> 
> They've upgraded the risk from Low to Medium within the last couple of
> hours.
> 
> While they haven't released a DAT update, our systems people have updated
> the anti-virus mail filter with a beta update.  Since the attachment is
> small, the minimum size for messages to trigger scanning had to be
> dropped as well.
> 
> McAfee reports that the virus opens listening ports on 2480/tcp and
> 2480/udp.  I'm using nmap to look for those ports in case something got
> through.

They must have updated their writeup. It now correctly shows port 80/tcp 
as the backdoor.

Brian

> 
> On Mon, 9 Aug 2004, Brian Eckman wrote:
> 
> 
>>We started seeing a new variant of the Bagle (a.k.a. Beagle) line of
>>E-mail worms at 11:30 CDT (GMT -0500). The infection rate worldwide has
>>since increased significantly. AntiVirus vendors and the SANS Internet
>>Storm Center have been sent copies. SANS has a preliminary writeup on
>>their Web page at http://isc.sans.org/ that they have been updating.
>>
>>AV vendors are not detecting this new variant of Bagle yet. Apparently
>>some vendors are detecting the malicious JavaScript that is in the Zip
>>file that runs the Bagle executable. This variant opens a backdoor on
>>port 80/tcp.
>>
>>It creates several files, including:
>>
>>%WINDIR%\System32\windll.exe
>>%WINDIR%\System32\_dll.exe
>>%WINDIR%\System32\WINdirect.exe
>>
>>Several campuses have reported infections thus far.
>>
>>Brian
>>
>>--
>>Brian Eckman
>>Security Analyst
>>OIT Security and Assurance
>>University of Minnesota
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>>
> 
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *                                 **
> **                                        * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------


-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
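As an added host-triage check (not code from this thread, nor from McAfee or SANS), the PowerShell below looks for the three dropped files and the 80/tcp backdoor listener that Brian's message describes. The file paths and the port come from the thread; the allowlist of web-server process names is an assumption, and the script assumes a Windows host with netstat available.

```powershell
# Constructed triage script for the Bagle variant described in the thread.
# Indicators (file paths, 80/tcp listener) are taken from Brian Eckman's message.
$indicatorFiles = @(
    "$env:WINDIR\System32\windll.exe",
    "$env:WINDIR\System32\_dll.exe",
    "$env:WINDIR\System32\WINdirect.exe"
)

# 1. Report any of the dropped files, with size and timestamp for triage notes.
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Write-Output ("INDICATOR FILE: {0} ({1} bytes, modified {2})" -f `
            $path, $item.Length, $item.LastWriteTime)
    }
}

# 2. The backdoor listens on 80/tcp. Parse "netstat -ano" (works on older
#    Windows releases that lack Get-NetTCPConnection) and flag any listener
#    on port 80 whose owning process is not a known web server.
$knownWebServers = @('inetinfo', 'w3wp', 'httpd', 'Apache')   # assumed allowlist
$pattern = '^\s*TCP\s+\S+:80\s+\S+\s+LISTENING\s+(\d+)\s*$'

foreach ($line in (netstat -ano)) {
    if ($line -match $pattern) {
        $procId = [int]$Matches[1]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $exe    = if ($proc -and $proc.Path) { $proc.Path } else { 'n/a' }
        $flag   = if ($knownWebServers -contains $name) { 'ok' } else { 'SUSPECT' }
        Write-Output ("LISTENER 80/tcp: PID {0} {1} {2} [{3}]" -f $procId, $name, $exe, $flag)
    }
}
```

Run it in an elevated PowerShell session so netstat can report the owning PID and Get-Process can resolve the executable path.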
