[Dshield] new version of "Bagel" virus

Samantha Fetter sama at snowplow.org
Tue Feb 17 15:06:26 GMT 2004


I just received an alert from Trend marking this as a Yellow Alert right
now.  Reports that this memory-resident worm propagates by mass-mailing
copies of itself using SMTP.

Reports that it runs on Win 95, 98, ME, NT, 2000 and XP.

Nice early heads up, Johannes!

More info at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B

Cheers,
Samantha


On Tue, 17 Feb 2004, Johannes B. Ullrich wrote:

>
> Just got a couple copies of what looks like a new
> version of 'bagel'. I added a copy to my virus zoo
> (bagel.x).
>
> quick analysis: strings look similar to original bagel.
> uses these URLs:
> http://www.47df.de/wbboard/1.php
> http://www.strato.de/1.php
> http://intern.games-ring.de/1.php
> http://www.strato.de/2.php
>
> appends a query string that looks like
>
> ?p=%lu&id=%s
>
> Email looks like
>                           Subject:
> ID sighmwmi... thanks
>
> Yours ID dsyxgxixwb
> --
> Thank
>
>
> (Please hit any user clicking on random attachments
>  real hard with a glue-by-4. Apply the ISC consensus
>  AV policy: http://isc.sans.org/antivirus.pdf )
>
>
>
>
> --
> CTO SANS Internet Storm Center               http://isc.sans.org
> phone: (617) 837 2807                          jullrich at sans.org
>
> contact details: http://johannes.homepc.org/contact.htm
>
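
As an added example (not part of either message above), one way to search web proxy logs for clients requesting the URLs listed in the quoted analysis with the `?p=%lu&id=%s` query string. The log layout (epoch, client, method, URL), the sample lines, the function names and the lower-confidence "query-shape-only" verdict are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# (host, path) pairs taken from the URLs listed in the quoted analysis.
REPORTED = {
    ("www.47df.de", "/wbboard/1.php"),
    ("www.strato.de", "/1.php"),
    ("intern.games-ring.de", "/1.php"),
    ("www.strato.de", "/2.php"),
}

def matches_query(query):
    """True for the shape p=%lu&id=%s: p unsigned decimal, then a non-empty id."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if [k for k, _ in pairs] != ["p", "id"]:      # exactly these keys, in this order
        return False
    p, ident = pairs[0][1], pairs[1][1]
    # Assumption: %lu is a 32-bit unsigned long, as on 32-bit Windows.
    return bool(re.fullmatch(r"[0-9]+", p)) and int(p) <= 0xFFFFFFFF and ident != ""

def classify(url):
    """Return 'reported-url', 'query-shape-only' or None for one requested URL."""
    parts = urlsplit(url)
    if not matches_query(parts.query):
        return None
    host = (parts.hostname or "").lower()
    if (host, parts.path) in REPORTED:
        return "reported-url"
    return "query-shape-only"   # weaker signal (assumption): same format, unlisted host

def scan(log_text):
    """Return (client, verdict) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:                      # skip malformed lines
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], verdict))
    return hits

# Constructed sample log lines; clients, timestamps and parameter values are made up.
SAMPLE_LOG = """\
1077030386 10.0.0.21 GET http://www.strato.de/1.php?p=1234&id=12345678
1077030390 10.0.0.22 GET http://www.strato.de/index.html
1077030395 10.0.0.23 GET http://WWW.47DF.DE/wbboard/1.php?p=1234&id=abcdefgh
1077030401 10.0.0.24 GET http://www.strato.de/1.php?id=1&p=2
1077030407 10.0.0.25 GET http://example.test/x.php?p=4294967296&id=a
1077030412 10.0.0.26 GET http://example.test/x.php?p=80&id=zz
"""
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```
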



