[Dshield] Password protected Bagle.F

Micheal Patterson micheal at tsgincorporated.com
Mon Mar 1 20:12:26 GMT 2004

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Monday, March 01, 2004 11:53 AM
Subject: [Dshield] Password protected Bagle.F

> According to a thread on the ClamAV users lists, Bagle.F is now
> spreading via password protected zip file. The text body of the
> email contains the password.

Lovely. Time again to lock down zip attachments to keep the masses from
cutting their own throats. BTW, Bagle.E. was introduced to the
FreeBSD-Questions list this morning.

> This appears to be the latest attempt to defeat AV scanners who
> cannot detect malware in zip files that they cannot unzip. The
> worm apparently changes the password on the fly, so that each
> file has a different password -- thus each zip file would have
> a different signature.

I would think that if the file can't be opened, it would be quarantined in
some fashion so as to not take the change on infection. But, that's just my
thought on it. Most, if not all, of us on this list look at things a bit
different than the average user does so the above may be perfectly sane
behavior for someone who's not interested in security, but to just "be on
the net" so to speak.

> Still... some idiot has to open the file, enter the password,
> ad nausem... but it still appears to sucker in enough folks
> that it is spreading rather rapidly. We have seen more Bagle.F
> files that we have blocked thus far this morning than we have
> all other worms combined. (We haven't seen any passworded zips
> yet -- and we would block them by means other than AV scans.)
> What next?
> JK
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214

What next? My worse case scenario is the day that someone, somewhere
breeches the software storage, undetected, of a major software vendor or
vendors, that specialize in compiler software for the masses. Inject a
trojan into the core compiler code, that in turn adds the same backdoor to e
verything that is touched by that compiler. People will tell everyone that
it's not possible, it's just too protected, ad nauseum. I will never believe
that anything that you can physically touch, or access through a networked
computer system can be that well protected. On that note, there is always
someone, somewhere, within the access chain has the ability to modify code,
and the knowledge to bury it so deep that others will not detect it. The
only real thing that has kept it from happening so far, imho, is the
personal integrity of the person with those abilities and privileges.


Micheal Patterson
TSG Network Administration

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original

More information about the list mailing list