[Dshield] Beagle/Bagle outband trigger

Andy Cuff offthecuff at lineone.net
Mon Jan 19 11:37:01 GMT 2004


[X-Posted Dshield and Intrusions]

Hi,
Just wondering if anyone has a better trigger for the outbound port 80
connection from a compromised host for the Beagle/Bagle worm, so that I can
write a greppy IDS signature.  All I have at present is that it looks for a
page called "/1.php" (courtesy RAV) over port 80.  Has anyone decompiled
the worm yet?  Does the 1.php increment at all?  I want to cut down on the
obvious false positives.

"The virus listens on TCP port 6777 for remote connections.  It intends to
notify the author of an infected system that is awaiting commands, by
contacting various websites, calling a PHP script located on the remote
sites.  At the time of this writing the script in question does not exist on
any of these sites."
Sophos = Bagle
http://www.sophos.com/virusinfo/analyses/w32baglea.html
Symantec = Beagle
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
Uniras
http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-0203.txt
NAI
http://vil.nai.com/vil/content/v_100965.htm
F-Secure
http://www.f-secure.com/v-descs/bagle.shtml
RAV
http://www.ravantivirus.com/virus/showvirus.php?v=204

cheers
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
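A worked version of the trigger the post is asking for, as an added example that is not code from the original message or from any of the vendor writeups linked above. It assumes HTTP requests have already been extracted into records of the shape (src_ip, dst_ip, dst_port, request_line, host_header), treats RFC 1918 space as "internal" (an assumption; adjust to your own ranges), and keys on exactly the two facts the post gives: a GET for "/1.php" over TCP/80 from a compromised host, plus the TCP/6777 listener from the quoted description as an optional corroborating signal. All sample records are constructed for illustration; the query string in one of them is made up to show that the path match ignores it, not a claim about the worm's real request format.

```python
"""Outbound Bagle/Beagle.A beacon trigger (added example, not from the post).

Assumed record shape: (src_ip, dst_ip, dst_port, request_line, host_header).
All sample data below is constructed for illustration only.
"""
import ipaddress
import re

# "Greppy" signature for the request line: GET, exactly /1.php at the root of
# the site (optional query string), HTTP/1.0 or 1.1.  The absolute-URI form is
# allowed so requests going through a proxy still match.  Anchoring the path
# drops hits like /shop/1.php or /1.php.bak, which are the obvious false
# positives on a plain substring grep for "1.php".
BAGLE_RE = re.compile(
    r"^GET (?:https?://[^/\s]+)?/1\.php(?:\?\S*)? HTTP/1\.[01]\r?$"
)

# Assumption: RFC 1918 space is "inside"; replace with your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_bagle_beacon(record):
    """Return an alert dict if the record looks like the beacon, else None."""
    src, dst, dport, request_line, host = record
    if dport != 80:                       # the description only gives port 80
        return None
    if not is_internal(src) or is_internal(dst):
        return None                       # outbound only: inside -> outside
    if not BAGLE_RE.match(request_line):
        return None
    return {
        "src": src,
        "dst": dst,
        "host": host,
        "request": request_line.strip(),
        "confidence": "low",              # raised below if 6777 corroborates
    }


def scan(records, listening_6777=frozenset()):
    """Run the trigger over a batch of records.

    listening_6777 is the set of internal hosts independently seen listening
    on TCP/6777 (e.g. from a port sweep); a beacon from one of those hosts
    is reported with high confidence, anything else stays low.
    """
    alerts = []
    for rec in records:
        alert = match_bagle_beacon(rec)
        if alert is None:
            continue
        if alert["src"] in listening_6777:
            alert["confidence"] = "high"
        alerts.append(alert)
    return alerts


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    ("10.1.2.3", "203.0.113.10", 80, "GET /1.php HTTP/1.0", "www.example.net"),
    # query string is made up, only to show it does not affect the path match
    ("10.1.2.3", "203.0.113.11", 80, "GET /1.php?p=6777&id=test HTTP/1.1", "www.example.org"),
    ("10.1.2.3", "203.0.113.12", 80, "GET /shop/1.php HTTP/1.1", "shop.example.com"),  # not root
    ("203.0.113.20", "10.1.2.3", 80, "GET /1.php HTTP/1.1", "10.1.2.3"),             # inbound
    ("10.1.2.3", "203.0.113.13", 8080, "GET /1.php HTTP/1.1", "www.example.net"),    # wrong port
    ("10.1.2.3", "203.0.113.14", 80, "GET /index.php HTTP/1.1", "www.example.net"),  # benign
]

# Constructed: internal hosts a port sweep found listening on TCP/6777.
SAMPLE_LISTENERS_6777 = frozenset({"10.1.2.3"})

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS, SAMPLE_LISTENERS_6777):
        print(alert)
```

Only the first two sample records fire; the same regex can be dropped into a grep over proxy or sniffer logs, but the direction and port checks are what keep it from alerting on the inbound and non-80 cases, and the 6777 correlation is the cheapest way to separate a genuine infection from an unrelated site that happens to serve a root-level 1.php.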

