[Dshield] new version of "Bagel" virus

Johannes B. Ullrich jullrich at sans.org
Tue Feb 17 14:51:49 GMT 2004


Just got a couple copies of what looks like a new
version of 'bagel'. I added a copy to my virus zoo
(bagel.x).

quick analysis: strings look similar to original bagel.
uses these URLs:
http://www.47df.de/wbboard/1.php
http://www.strato.de/1.php
http://intern.games-ring.de/1.php
http://www.strato.de/2.php

appends a query string that looks like

?p=%lu&id=%s

Email looks like

Subject: ID sighmwmi... thanks

Yours ID dsyxgxixwb
--
Thank 


(Please hit any user clicking on random attachments
 real hard with a glue-by-4. Apply the ISC consensus
 AV policy: http://isc.sans.org/antivirus.pdf )




-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
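
A log check built from the indicators in the message above, as an added example that is not part of the original post. The proxy log layout, the function names, the three verdict labels and the accepted character set for `id` are assumptions made for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Callback URLs listed in the post, as (host, path).
CALLBACK_URLS = {
    ("www.47df.de", "/wbboard/1.php"), ("www.strato.de", "/1.php"),
    ("intern.games-ring.de", "/1.php"), ("www.strato.de", "/2.php"),
}
# Shape of the appended query ?p=%lu&id=%s: unsigned decimal, then a non-empty
# string. The post does not give the id alphabet, so anything but "&" is accepted.
QUERY_RE = re.compile(r"p=[0-9]+&id=[^&]+")

def classify(url):
    """Return 'url+query', 'url-only', 'query-only' or None for one request URL."""
    parts = urlsplit(url)
    known = (parts.hostname or "", parts.path) in CALLBACK_URLS  # hostname is lowercased
    shaped = QUERY_RE.fullmatch(parts.query) is not None
    if known and shaped:
        return "url+query"    # listed URL with the expected query: strongest signal
    if known:
        return "url-only"     # listed URL without the query: could be a person browsing
    if shaped:
        return "query-only"   # same query shape sent to an unlisted host: worth a look
    return None

def scan(lines):
    """Return (client, verdict, url) for every log line whose URL is a hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:   # skip lines that are not in the assumed format
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], verdict, fields[3]))
    return hits

# Constructed sample proxy log, fields: timestamp client method url status.
SAMPLE_LOG = """\
2004-02-17T14:02:11Z 10.0.0.23 GET http://www.strato.de/1.php?p=1234&id=abcdefgh 200
2004-02-17T14:02:15Z 10.0.0.41 GET http://www.strato.de/ 200
2004-02-17T14:03:40Z 10.0.0.23 GET http://WWW.47DF.DE/wbboard/1.php?p=1234&id=abcdefgh 404
2004-02-17T14:05:02Z 10.0.0.57 GET http://intern.games-ring.de/1.php 200
2004-02-17T14:06:19Z 10.0.0.88 GET http://host.example.net/x.php?p=99&id=zz 200
2004-02-17T14:07:30Z 10.0.0.41 GET http://www.example.com/index.php?p=12&id=a&x=1 200
""".splitlines()

if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client}  {verdict:<10}  {url}")
```

Clients with a `url+query` verdict are the ones to pull for inspection first; `query-only` hits are a weaker lead because the match rests on the query shape alone.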