[Dshield] Password protected Bagle.F

Jon R. Kibler Jon.Kibler at aset.com
Mon Mar 1 17:53:53 GMT 2004


According to a thread on the ClamAV users lists, Bagle.F is now 
spreading via password protected zip file. The text body of the
email contains the password.

This appears to be the latest attempt to defeat AV scanners who
cannot detect malware in zip files that they cannot unzip. The
worm apparently changes the password on the fly, so that each
file has a different password -- thus each zip file would have
a different signature.

Still... some idiot has to open the file, enter the password,
ad nausem... but it still appears to sucker in enough folks 
that it is spreading rather rapidly. We have seen more Bagle.F
files that we have blocked thus far this morning than we have
all other worms combined. (We haven't seen any passworded zips
yet -- and we would block them by means other than AV scans.)

What next?

JK
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list