[Dshield] New Version of I-Worm Bagle.HX & HY

Ms. Judith Taylor jtaylor at acvna.org
Wed Nov 2 21:39:04 GMT 2005


Ms. Judith Taylor wrote:
> Hi,
> 
> One of my users managed to get two new variants of Bagle HX & HY. 

Updating what info I have...

Looks like this is a stubborn beast to get rid of - either that or I'm 
just not doing something right.

I have found that this variant disabled AVG services and deleted regedit.exe.

When I ran the file through virustotal I received the following:

"text_sms.zip" file
Antivirus        Version          Update       Result
AntiVir          6.32.0.6         11.02.2005   TR/Bagle.DP
Avast            4.6.695.0        11.02.2005   Win32:Beagle-FQ
AVG              718              11.01.2005   no virus found
Avira            6.32.0.6         11.02.2005   TR/Bagle.DP
BitDefender      7.2              11.02.2005   Trojan.Downloader.Bagle.E.Dropper
CAT-QuickHeal    8.00             11.02.2005   I-Worm.Bagle.ef
ClamAV           devel-20050917   11.02.2005   Worm.Bagle.BY-2
DrWeb            4.33             11.02.2005   Win32.HLLM.Beagle.38912
eTrust-Iris      7.1.194.0        11.02.2005   Win32/Glieder.CA!ZIP!Trojan
eTrust-Vet       11.9.1.0         11.02.2005   Win32.Glieder.CA!ZIP
Fortinet         2.48.0.0         11.02.2005   W32/Mitglieder.FZ!tr
F-Prot           3.16c            11.02.2005   security risk named W32/Mitglieder.FZ
Ikarus           0.2.59.0         11.02.2005   Email-Worm.Win32.Bagle.EF
Kaspersky        4.0.2.24         11.02.2005   Email-Worm.Win32.Bagle.ef
McAfee           4618             11.02.2005   W32/Bagle.dl
NOD32v2          1.1273           11.02.2005   Win32/Bagle.DC
Norman           5.70.10          11.02.2005   W32/Mitglied.NB
Panda            8.02.00          11.02.2005   Trj/Mitglieder.FK
Sophos           3.99.0           11.02.2005   Troj/BagleDl-W
Symantec         8.0              11.02.2005   Trojan.Lodear
TheHacker        5.9.1.027        11.02.2005   W32/Bagle.GEN@MM
VBA32            3.10.4           11.02.2005   Trojan-Proxy.Win32.Mitglieder.dx

It seems that none of the AV companies can agree on which 
virus/dropper/loader this is.

I'm getting a bit frustrated (mostly with my own ignorance) with this. 
I've looked in the registry, after having to copy Regedit from another 
machine, and based on Peter Kruse's email deleted the two registry 
entries I found there. I've turned off System Restore for the time 
being. I ran Symantec's W32.Beagle@mm Removal Tool (to no avail).

After rebooting the computer, the AV is again disabled, as is the ICS. 
Symantec's tool found nothing, and now I'm running Trend Micro's online 
virus scanner, which so far has found two files. So it's still there 
even though AVG reported back no virus found - and no further updates 
available.

In viewing my firewall log, I noticed that the infected computer was 
sending out traffic to a few places periodically. The user had closed out 
all programs (email and browser) but left the computer on. The entries I 
found to be of particular interest are:

sarancha.ru(217.16.27.47):80
home.1000km.ru(195.2.72.17):80
www.stanislawkowalczyk.netstrefa.com(81.219.9.46):80
1st-new-orleans-hotels.com(66.165.84.175):80
www.ott-inside.de(212.227.127.220):80
lifejacks.de(212.227.109.195):80
25kadr.org(83.149.96.215):80
africa-tours.de(212.227.119.95):80
wunderlampe.com(80.67.17.49):80
www.domainfactory.de(62.67.200.4):80
charlies-truckerpage.de(80.67.17.23):80
template.nease.net(220.181.31.16):80
163.13.1.89:80
phrmg.org(207.176.130.254):80
www.etwas-mode.de(80.67.17.63):80
www.domainfactory.de(62.67.200.4):80
www.rewardst.com(218.85.134.214):80
757555.ru(217.112.42.90):80
www.8ingatlan.hu(195.228.155.39):80
oklens.co.jp(64.56.177.76):80
www.a2zhostings.com(66.235.184.81):80
www.abavitis.hu(217.113.62.25):80

Any help with this would be appreciated greatly.
-- 
Ms. Judith Taylor    ::: To reply remove the NO.SPAM. :::

Director of Information Systems
Appalachian Community Visiting Nurse Assoc.,
Hospice and Health Services, Inc. 740.594.8226  http://www.acvna.org
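The two signals the poster spotted by eye in the firewall log (one idle workstation talking to many unrelated web hosts, and doing so at regular intervals) are easy to automate. The script below is an added example, not code from the original post or from DShield; it assumes a simple "date time ACTION src -> dst:port" log line format, and the log lines themselves are constructed: 192.168.1.23 stands in for the infected machine, two of its destinations are taken from the post's list, and the third destination (a TEST-NET-2 address) and the second internal host are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not taken from the original post). The
# line format is an assumption: "YYYY-MM-DD HH:MM:SS ACTION src -> dst:port".
# 192.168.1.23 plays the infected workstation; the two destinations it
# contacts are from the post's list, the third (TEST-NET-2) is made up.
SAMPLE_LOG = """\
2005-11-02 20:00:05 ALLOW 192.168.1.23 -> 217.16.27.47:80
2005-11-02 20:00:07 ALLOW 192.168.1.23 -> 195.2.72.17:80
2005-11-02 20:03:40 ALLOW 192.168.1.10 -> 198.51.100.7:80
2005-11-02 20:10:06 ALLOW 192.168.1.23 -> 217.16.27.47:80
2005-11-02 20:10:08 ALLOW 192.168.1.23 -> 195.2.72.17:80
2005-11-02 20:20:04 ALLOW 192.168.1.23 -> 217.16.27.47:80
2005-11-02 20:20:09 ALLOW 192.168.1.23 -> 195.2.72.17:80
2005-11-02 20:25:13 ALLOW 192.168.1.10 -> 198.51.100.7:80
2005-11-02 20:28:02 ALLOW 192.168.1.10 -> 198.51.100.7:80
2005-11-02 20:30:05 ALLOW 192.168.1.23 -> 217.16.27.47:80
2005-11-02 20:30:07 ALLOW 192.168.1.23 -> 195.2.72.17:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|BLOCK) "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$"
)


def parse_firewall_log(text):
    """Return a list of (timestamp, src, dst, port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst"), int(m.group("port"))))
    return events


def find_beacons(events, min_hits=3, max_cv=0.25):
    """Flag (src, dst, port) flows whose connection intervals are nearly constant.

    A low coefficient of variation (stddev / mean of the gaps between hits)
    is the classic signature of a timer-driven check-in rather than a person
    clicking around. Thresholds are assumptions; tune them to your network.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)

    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue  # duplicate timestamps carry no interval information
        variance = sum((g - mean) ** 2 for g in gaps) / len(gaps)
        cv = variance ** 0.5 / mean
        if cv <= max_cv:
            beacons[flow] = {"hits": len(stamps), "mean_interval_s": mean, "cv": cv}
    return beacons


def fan_out(events, port=80):
    """Count distinct destinations each internal host contacted on the given port."""
    seen = defaultdict(set)
    for _, src, dst, p in events:
        if p == port:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    evts = parse_firewall_log(SAMPLE_LOG)
    for flow, info in sorted(find_beacons(evts).items()):
        print("beacon: %s -> %s:%d every %.0fs (%d hits, cv=%.3f)"
              % (flow[0], flow[1], flow[2], info["mean_interval_s"],
                 info["hits"], info["cv"]))
    for src, n in sorted(fan_out(evts).items()):
        print("%s contacted %d distinct hosts on tcp/80" % (src, n))
```

On the constructed sample, the infected host's two flows come out at a 600-second mean interval with a coefficient of variation near zero, while the second host's irregular browsing is not flagged. Run against the real log behind the post, the fan-out count is the louder signal: one idle workstation reaching twenty-odd unrelated web servers, with every user application closed, is worth a ticket on its own, and the periodicity check then tells you which of those hosts are being polled on a timer.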