[unisog] New Beagle/Bagle Variant Making The E-mail Rounds

Brian Eckman eckman at umn.edu
Mon Aug 9 20:06:22 GMT 2004

Anderson Johnston wrote:

> McAfee has a description posted at:
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127423
> They've upgraded the risk from Low to Medium within the last couple of
> hours.
> While they haven't released a DAT update, our systems people have updated
> the anti-virus mail filter with a beta update.  Since the attachment is
> small, the minimum size for messages to trigger scanning had to be
> dropped as well.
> McAfee reports that the virus opens listening ports on 2480/tcp and
> 2480/udp.  I'm using nmap to look for those ports in case something got
> through.

They must have updated their writeup. It now correctly shows port 80/tcp 
as the backdoor.


> On Mon, 9 Aug 2004, Brian Eckman wrote:
>>We started seeing a new variant of the Bagle (a.k.a. Beagle) line of
>>E-mail worm at 11:30 CDT (GMT -0500). The infection rate worldwide has
>>since increased significantly. AntiVirus vendors and the SANS Internet
>>Storm Center have been sent copies. SANS has a preliminary writeup on
>>their Web page at http://isc.sans.org/ that they have been updating.
>>AV vendors are not detecting this new variant of Bagle yet. Apparently
>>some vendors are detecting the malicious Javascript that is in the Zip
>>file that runs the Bagle executable. This variant opens a backdoor on
>>port 80/tcp.
>>It creates several files, including:
>>Several campuses have reported infections thus far.
>>Brian Eckman
>>Security Analyst
>>OIT Security and Assurance
>>University of Minnesota
>>unisog mailing list
>>unisog at lists.sans.org
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *                                 **
> **                                        * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
