[Dshield] Password protected Bagle.F

Jon R. Kibler Jon.Kibler at aset.com
Mon Mar 1 17:53:53 GMT 2004

According to a thread on the ClamAV users lists, Bagle.F is now 
spreading via password protected zip file. The text body of the
email contains the password.

This appears to be the latest attempt to defeat AV scanners who
cannot detect malware in zip files that they cannot unzip. The
worm apparently changes the password on the fly, so that each
file has a different password -- thus each zip file would have
a different signature.

Still... some idiot has to open the file, enter the password,
ad nauseam... but it still appears to sucker in enough folks 
that it is spreading rather rapidly. We have seen more Bagle.F
files that we have blocked thus far this morning than we have
all other worms combined. (We haven't seen any passworded zips
yet -- and we would block them by means other than AV scans.)

What next?

Jon R. Kibler
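One way a mail gateway can block password-protected zips "by means other than AV scans", as the post mentions: the zip format marks each entry as encrypted in bit 0 of the general-purpose flag of its local file header, so an attachment can be rejected before any unpacking is attempted. This is an added example, not code from the list post; the sample zip and the body-keyword heuristic are constructed assumptions.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk the local file headers of a zip and report whether any
    entry has the 'encrypted' bit (bit 0 of the general-purpose flag)
    set. No decryption or decompression is needed for this check."""
    offset = 0
    while data.startswith(LOCAL_HEADER_SIG, offset):
        if offset + LOCAL_HEADER_LEN > len(data):
            break  # truncated header; nothing more to inspect
        # Fields after the 4-byte signature (PKWARE APPNOTE layout):
        # version, flag, method, mtime, mdate, crc32, comp_size, uncomp_size,
        # name_len, extra_len
        (_ver, flag, _method, _t, _d, _crc, comp_size, _usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, offset + 4)
        if flag & 0x0001:
            return True
        if flag & 0x0008:
            # Sizes live in a trailing data descriptor; fall back to searching
            # for the next header signature instead of skipping by size.
            nxt = data.find(LOCAL_HEADER_SIG, offset + LOCAL_HEADER_LEN)
            if nxt < 0:
                break
            offset = nxt
        else:
            offset += LOCAL_HEADER_LEN + name_len + extra_len + comp_size
    return False


def should_block(attachment: bytes, body: str) -> bool:
    """Gateway policy (assumed, not the poster's): reject any encrypted zip
    attachment, and also any zip arriving with a body that hands out a
    password, which is the pattern described for Bagle.F."""
    if not attachment.startswith(LOCAL_HEADER_SIG):
        return False
    return zip_has_encrypted_entries(attachment) or "password" in body.lower()


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a tiny stored zip. If encrypted=True the
    encryption bit is flipped in the local header (the bytes are not really
    encrypted, but the flag is all a gateway needs to see)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if encrypted:
        flag, = struct.unpack_from("<H", data, 6)
        struct.pack_into("<H", data, 6, flag | 0x0001)
    return bytes(data)
```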
