beware bagel

kamalho at pd.jaring.my
Tue Jan 20 02:32:53 GMT 2004


taken from http://isc.sans.org


Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and 
configured to "Autoreply" to the spoofed "From:" source are once again 
causing needless congestion (see SOBIG issues). Offenders should 
consider changing this configuration.

Three write-ups specify the worm's email will have an attachment 
"Length: 15,872 bytes" and one write-up says it is "an .exe file 
extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine AV write-ups state 
that Bagel "will initialize and open a TCP socket in listening mode on 
port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In AV Vendor write-ups so far the worm has hardcoded URLs which have not 
had 1.php available.

One Vendor (TrendMicro) cryptically reports "This worm may perform port 
scanning to connect to a remote system."

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://vil.nai.com/vil/content/v_100965.htm
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html
http://www.messagelabs.com/viruseye/threats/list/default.asp
http://wtc.trendmicro.com/wtc/summary.asp


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, 
Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, 
Windows 3.x
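The ISC summary quoted above gives a few concrete indicators: the retrieval request "GET /1.php?p=6777&id=..." with User-Agent "beagle_beagle", and the 15,872-byte attachment named with 3 to 11 lowercase letters plus ".exe". The following is an added example (not from the ISC or the original poster) that turns those indicators into a check over outbound proxy-log lines and mail attachments; the log-line format and the sample lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Indicators quoted in the ISC summary: the trojan retrieval request,
# its User-Agent, and the attachment size/name pattern.
RETRIEVAL_PATH = re.compile(r"^/1\.php\?p=6777&id=[^&\s]+$")
USER_AGENT = "beagle_beagle"
ATTACHMENT_NAME = re.compile(r"^[a-z]{3,11}\.exe$")
ATTACHMENT_SIZE = 15872

# Constructed (hypothetical) proxy-log format: client_ip method path "user_agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def flag_retrieval_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line matching the Bagle retrieval request.

    The client making the request is the infected host, so its address
    (and the per-host uid the worm sends) is what a responder collects
    for cleanup. Both the path and the User-Agent must match.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, method, path, ua = m.groups()
        if method == "GET" and RETRIEVAL_PATH.match(path) and ua == USER_AGENT:
            hits.append({"client": client, "uid": path.split("id=", 1)[1]})
    return hits


def is_suspect_attachment(filename: str, size: int) -> bool:
    """True when a mail attachment matches both published indicators."""
    return size == ATTACHMENT_SIZE and bool(ATTACHMENT_NAME.match(filename))


# Constructed sample log lines (not real traffic); only the first matches.
SAMPLE_LOG = [
    '10.0.0.21 GET /1.php?p=6777&id=5gxj8a "beagle_beagle"',
    '10.0.0.22 GET /index.html "Mozilla/4.0"',
    '10.0.0.23 GET /1.php?p=6777&id=qq2 "Mozilla/4.0"',  # right path, wrong UA
]

if __name__ == "__main__":
    for hit in flag_retrieval_requests(SAMPLE_LOG):
        print(f"possible Bagle infection on {hit['client']} (uid {hit['uid']})")
    print(is_suspect_attachment("hgfd.exe", 15872))  # True
```

Because the vendor write-ups note the hardcoded URLs did not serve 1.php, the request will typically appear in logs as a failed fetch; the attempt itself is the signal, not the response code.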