[unisog] New Beagle/Bagle Variant Making The E-mail Rounds

Anderson Johnston andy at umbc.edu
Mon Aug 9 19:56:36 GMT 2004

McAfee has a description posted at:


They've upgraded the risk from Low to Medium within the last couple of

While they haven't released a DAT update, our systems people have updated
the anti-virus mail filter with a beta update.  Since the attachment is
small, the minimum size for messages to trigger scanning had to be
dropped as well.

McAfee reports that the virus opens listening ports on 2480/tcp and
2480/udp.  I'm using nmap to look for those ports in case something got

On Mon, 9 Aug 2004, Brian Eckman wrote:

> We started seeing a new variant of the Bagle (a.k.a. Beagle) line of
> E-mail worm at 11:30 CDT (GMT -0500). The infection rate worldwide has
> since increased significantly. AntiVirus vendors and the SANS Internet
> Storm Center have been sent copies. SANS has a preliminary writeup on
> their Web page at http://isc.sans.org/ that they have been updating.
> AV vendors are not detecting this new variant of Bagle yet. Apparently
> some vendors are detecting the malicious Javascript that is in the Zip
> file that runs the Bagle executable. This variant opens a backdoor on
> port 80/tcp.
> It creates several files, including:
> %WINDIR%\System32\windll.exe
> %WINDIR%\System32\_dll.exe
> %WINDIR%\System32\WINdirect.exe
> Several campuses have reported infections thus far.
> Brian
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

** Andy Johnston (andy at umbc.edu)          *                                 **
**                                        * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
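A way to triage the results of the nmap sweep described in the message above, as an added example that is not part of the original post. It assumes the scan was saved in nmap's grepable format (`-oG`); the sample output, host addresses and function names are constructed for illustration.

```python
import re

# Ports the post attributes to this variant (per McAfee): 2480/tcp and 2480/udp.
WATCH = {("2480", "tcp"), ("2480", "udp")}

# Constructed sample of grepable output, e.g. from (assumed invocation):
#   nmap -sS -sU -p T:2480,U:2480 -oG scan.gnmap <campus range>
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (lab-pc1.example.edu)\tStatus: Up\n"
    "Host: 192.0.2.10 (lab-pc1.example.edu)\tPorts: "
    "2480/open/tcp//unknown///, 2480/open|filtered/udp//unknown///\n"
    "Host: 192.0.2.11 ()\tPorts: "
    "2480/closed/tcp//unknown///, 2480/closed/udp//unknown///\n"
    "Host: 192.0.2.12 (dorm-77.example.edu)\tPorts: "
    "2480/filtered/tcp//unknown///, 2480/open/udp//unknown///\n"
)

def parse_ports(line):
    """Yield (port, state, proto) for each entry in a line's Ports: field."""
    for field in line.split("\t"):
        if field.startswith("Ports: "):
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3:
                    yield parts[0], parts[1], parts[2]

def triage(grepable_text, watch=WATCH):
    """Map host -> watched ports that are open or could not be ruled out."""
    findings = {}
    for line in grepable_text.splitlines():
        m = re.match(r"Host: (\S+) ", line)
        if not m:
            continue  # comment or summary line
        for port, state, proto in parse_ports(line):
            if (port, proto) not in watch:
                continue
            if state == "open":
                bucket = "open"          # something answered on the port
            elif state == "open|filtered":
                bucket = "unconfirmed"   # typical UDP result: no reply at all
            else:
                continue                 # closed or filtered
            host = findings.setdefault(m.group(1), {"open": [], "unconfirmed": []})
            host[bucket].append(f"{port}/{proto}")
    return findings

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

Hosts listed only under `unconfirmed` need a follow-up check on the machine itself, since a silent UDP port cannot be distinguished from a filtered one by scanning alone.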
