[Dshield] Password protected Bagle-G
ldlist at westnet.com.au
Thu Mar 4 04:36:32 GMT 2004
I've investigated this virus a bit further, and have identified
differences in its appearance in comparison to normal zip and
encrypted zip files.
Bagle-G sometimes sends itself as a password-encrypted zip file,
base64-encoded in the email message. I did base64 encodings of some zip
files of random data of random sizes between 0-32768 bytes, both
encrypted and unencrypted, and looked at the first 30 bytes.
Unencrypted zip files look like this:
The first fourteen bytes are constant (probably the header).
Encrypted zips look like this
Again, the first fourteen bytes are constant but different to
The encrypted zip of the Bagle-G looks like this:
The first thirteen bytes look constant, but the ninth byte is different
from a normal encrypted zip. The virus is obviously doing its encryption
in a non-standard manner, which means we can differentiate it from
regular encrypted zip files. If we take the first thirteen bytes of the
Bagle, we come up with UEsDBAoAAQAAA as a unique signature.
If your MTA can block based on patterns in the message body, it should
be possible to block this one at the email gateway. I'm using postfix,
and it's done like this
body_checks = regexp:/etc/postfix/body_checks
This will put the email in the holding queue for manual inspection.
We've caught about 60 with this pattern in the past hour, and they all
appear to be Bagle-G but YMMV - there might be legitimate messages that
match this pattern, but I'm yet to see any.
Of course this doesn't solve the problem of any future viruses
encrypting themselves in a passworded zip, and we can't rely on them
behaving in this non-standard way, but it might be sufficient while a
better solution is developed.
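As an added example, not part of the original post and not the sample the poster examined: the Python below builds zip local file headers with the flag and compression-method combinations discussed above, shows the base64 prefix each one yields, and then scans a message body for base64 runs that decode to a zip local header, reporting the encryption bit and the compression method. Decoding the 13 characters quoted in the post gives a header with "version needed" 0x000A, general-purpose flag bit 0 (encrypted) set and method 0 (stored); the structural check keys on those fields rather than on the exact text, so it also flags a stored-and-encrypted member whose version field differs and therefore has a different base64 prefix. The sample message, the `doc.exe` member name and every helper name here are constructed for the example.

```python
import base64
import binascii
import re
import struct

# ZIP local file header (PKWARE APPNOTE 4.3.7), little-endian: signature,
# version needed to extract, general-purpose bit flags, compression method,
# mod time, mod date, CRC-32, compressed size, uncompressed size,
# file name length, extra field length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
FIXED_FIELDS = struct.Struct("<IHHH")       # the four fields we classify on
LOCAL_SIG = 0x04034B50                      # b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001                     # bit 0: traditional PKZIP encryption
METHOD_STORED = 0
METHOD_DEFLATED = 8

POSTED_SIGNATURE = "UEsDBAoAAQAAA"          # the 13-char prefix quoted in the post

B64_LINE = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")


def make_member_prefix(version_needed, flags, method, name=b"doc.exe",
                       payload=b"\x00" * 16):
    """Constructed zip member (local header + name + payload) for test input.
    CRC and sizes are placeholders, so this is not a valid archive."""
    hdr = LOCAL_HEADER.pack(LOCAL_SIG, version_needed, flags, method,
                            0, 0, 0, len(payload), len(payload), len(name), 0)
    return hdr + name + payload


def b64_prefix(data, nchars=13):
    """First `nchars` characters of the base64 encoding of `data`."""
    return base64.b64encode(data).decode("ascii")[:nchars]


def classify_header(raw):
    """Parse the fixed fields of a zip local header; None if `raw` is not one."""
    if len(raw) < FIXED_FIELDS.size:
        return None
    sig, version, flags, method = FIXED_FIELDS.unpack_from(raw)
    if sig != LOCAL_SIG:
        return None
    return {"version_needed": version,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method}


def is_stored_encrypted(info):
    """The combination the post describes: encrypted but not compressed."""
    return info is not None and info["encrypted"] and info["method"] == METHOD_STORED


def _classify_run(lines):
    """Decode the first 30 bytes (40 base64 chars) of a base64 run."""
    head = "".join(lines)[:40]
    head = head[:len(head) - len(head) % 4]          # whole 4-char quanta only
    try:
        return classify_header(base64.b64decode(head, validate=True))
    except binascii.Error:                           # e.g. '=' mid-run
        return None


def scan_message(text):
    """Return [(first_line_number, info)] for every base64 run in `text`
    whose decoded start is a zip local file header."""
    hits, run, start = [], [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if B64_LINE.fullmatch(line):
            if not run:
                start = lineno
            run.append(line)
        elif run:
            info = _classify_run(run)
            if info:
                hits.append((start, info))
            run = []
    if run:
        info = _classify_run(run)
        if info:
            hits.append((start, info))
    return hits


def matches_posted_signature(text):
    """The literal body check from the post, as a plain substring match."""
    return POSTED_SIGNATURE in text


def sample_message(member):
    """Constructed MIME part carrying `member` as a base64 attachment."""
    body = base64.encodebytes(member).decode("ascii")
    return ("Subject: Re: Document\r\n"
            "Content-Type: application/zip; name=\"doc.zip\"\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "\r\n" + body)


if __name__ == "__main__":
    for label, ver, flags, method in (
            ("stored, encrypted, version 1.0", 10, FLAG_ENCRYPTED, METHOD_STORED),
            ("deflated, encrypted, version 2.0", 20, FLAG_ENCRYPTED, METHOD_DEFLATED),
            ("deflated, plain, version 2.0", 20, 0, METHOD_DEFLATED)):
        print(f"{b64_prefix(make_member_prefix(ver, flags, method))}  {label}")
    msg = sample_message(make_member_prefix(10, FLAG_ENCRYPTED, METHOD_STORED))
    for lineno, info in scan_message(msg):
        print(f"line {lineno}: {info}  stored+encrypted={is_stored_encrypted(info)}")
```

The literal prefix works in a postfix body check because a base64 attachment part starts a fresh base64 stream, so the zip header always lands at the start of a line; the structural scan above is the same idea with the header fields decoded, which is what you would want if a later sample changed the "version needed" field but kept the stored-plus-encrypted combination.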