[Dshield] WORM_BAGLE.C alert

jayjwa jayjwa at atr2.ath.cx
Sat Feb 28 14:47:37 GMT 2004



> New Worm... Trend just released an updated pattern for it and rated it as

One came in late last night. F-prot dated the 27th didn't detect it, so I
started into the disassembly. It reminded me of NetSky a lot, and I thought
it was a variant on that. It's UPX packed, mass-mailer, 3 URLs to German
sites (none of them had the referenced file) and 1 IP (Verizon)
referenced. A quick ASCII strings dump of the unpacked binary shows
clearly how the worm operates. After I finished, I checked the f-prot
updates again, and this time it did detect it as Bagle.C. I've been updating
sigs nightly. Write yourself a little script to check and download sigs
and run it as a crond job; I've found that to be very effective. I fear
gone are the days of AV updates once a month or even once a week.

-- 
=============================================
%jayjwa%  RLF#37    "Gnu for ALL. SCO Never."
xNewb: "Plz! I can't make GUI in my startx-
him say 'No Screens Found!' I use RedHat..
plz help Kind Sir what wrong my "Linux"?!
---------------------------------------------
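The nightly signature-refresh script the post recommends, written out as an added example (it is not part of the original post and not any vendor's updater). It assumes a signature file whose first line reads "version: N"; `SIG_URL` and `SIG_FILE` are placeholders, and the cron line in the trailing comment is only a suggested schedule.

```shell
#!/bin/sh
# Added example: fetch AV signature updates from cron and install them only
# when they are newer and well-formed. The "version: N" header, SIG_URL and
# SIG_FILE are assumptions, not a real vendor format.
set -u

SIG_URL="${SIG_URL:-https://sig-mirror.example.invalid/latest.def}"   # placeholder
SIG_FILE="${SIG_FILE:-/var/lib/av/latest.def}"                         # placeholder

# sig_version FILE: print the integer after "version:" on line 1, or 0 if
# the file is missing or has no parsable version.
sig_version() {
  [ -r "$1" ] || { echo 0; return 0; }
  v=$(sed -n '1s/^version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
  echo "${v:-0}"
}

# install_if_newer CANDIDATE TARGET: replace TARGET with CANDIDATE only when
# CANDIDATE carries a higher version. Returns 0 installed, 1 skipped (not
# newer), 2 rejected (empty or no parsable version, e.g. an HTML error page).
install_if_newer() {
  cand=$1; tgt=$2
  [ -s "$cand" ] || return 2
  new=$(sig_version "$cand"); cur=$(sig_version "$tgt")
  [ "$new" -gt 0 ] || return 2
  [ "$new" -gt "$cur" ] || return 1
  # keep the previous set so a bad update can be rolled back by hand
  if [ -f "$tgt" ]; then cp -p "$tgt" "$tgt.prev"; fi
  mv "$cand" "$tgt"        # mv on the same filesystem is atomic
  return 0
}

# fetch_and_update: conditional download, then install. Exit codes as above,
# with 2 also covering a failed transfer.
fetch_and_update() {
  tmp="$SIG_FILE.tmp.$$"
  # -f: fail on HTTP errors rather than saving the error page as a "signature"
  # -z: only download when the server copy is newer than our local file
  if [ -f "$SIG_FILE" ]; then
    curl -fsS -z "$SIG_FILE" -o "$tmp" "$SIG_URL" || { rm -f "$tmp"; return 2; }
  else
    curl -fsS -o "$tmp" "$SIG_URL" || { rm -f "$tmp"; return 2; }
  fi
  [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }   # 304 Not Modified writes nothing
  install_if_newer "$tmp" "$SIG_FILE"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Network step runs only when invoked with --run, e.g. from a crontab line such as:
#   15 3 * * * /usr/local/sbin/update-sigs.sh --run >> /var/log/update-sigs.log 2>&1
if [ "${1:-}" = "--run" ]; then
  fetch_and_update
fi
```

The version check matters more than the download itself: a mirror that answers with an HTML error page, or a stale file, must never overwrite a working signature set, and keeping the `.prev` copy gives a quick rollback when a new set misfires.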
