beware bagel

kamalho at kamalho at
Tue Jan 20 02:32:53 GMT 2004

taken from

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and 
configured to "Autoreply" to the spoofed "From:" source are once again 
causing needless congestion (see SOBIG issues). Offenders should 
consider changing this configuration.

Three write-ups specify the worm's email will have an attachment 
"Length: 15,872 bytes" and one write-up says it is "an .exe file 
extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine, AV write-ups state 
that Bagel "will initialize and open a TCP socket in listening mode on 
port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In AV Vendor write-ups so far the worm has hardcoded URLS which have not 
had 1.php available.

One Vendor (TrendMicro) cryptically reports "This worm may perform port 
scanning to connect to a remote system."

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, 
Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, 
Windows 3.x
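The indicators quoted in the summary above (the hardcoded "1.php?p=6777&id=" retrieval request, the "beagle_beagle" User-Agent, and the 15,872-byte .exe attachment with a 3-11 character lowercase name) are enough to flag infected hosts from a web proxy log and to filter suspect attachments at the mail gateway. The following is an added example written for this post, not code from the ISC or any AV vendor. It assumes a simple hypothetical proxy log format (timestamp, client IP, method, URL, quoted User-Agent); the log lines, client addresses and id values are constructed, and the attachment rule treats the "3 - 11 lowercase characters" as the base name before ".exe".

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators as quoted in the vendor summary
BAGLE_USER_AGENT = "beagle_beagle"
BAGLE_LISTEN_PORT = 6777
BAGLE_ATTACHMENT_LENGTH = 15872
# .exe whose base name is 3-11 lowercase letters (assumption: name, not whole filename)
BAGLE_ATTACHMENT_RE = re.compile(r"^[a-z]{3,11}\.exe$")

# Constructed sample proxy log (hypothetical format, not taken from the post):
# <timestamp> <client-ip> <method> <url> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2004-01-20T02:10:11Z 10.0.0.15 GET http://example.invalid/1.php?p=6777&id=deadbeef "beagle_beagle"
2004-01-20T02:10:12Z 10.0.0.22 GET http://www.example.invalid/index.html "Mozilla/4.0"
2004-01-20T02:10:13Z 10.0.0.31 GET http://example.invalid/1.php?p=80&id=cafebabe "Mozilla/4.0"
2004-01-20T02:10:14Z 10.0.0.40 GET http://example.invalid/1.php?p=6777&id=feedface "Wget/1.9"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify_request(url, user_agent):
    """Return the list of indicators a request matches; empty list if none."""
    reasons = []
    if user_agent == BAGLE_USER_AGENT:
        reasons.append("user-agent")
    parsed = urlparse(url)
    if parsed.path.endswith("/1.php"):
        query = parse_qs(parsed.query)
        # The retrieval routine reports the listening port and the registry id value
        if query.get("p") == [str(BAGLE_LISTEN_PORT)] and "id" in query:
            reasons.append("1.php?p=6777&id=")
    return reasons


def find_retrieval_attempts(log_text):
    """Scan proxy log lines; return (client_ip, url, reasons) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, user_agent = m.groups()
        reasons = classify_request(url, user_agent)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def is_suspect_attachment(filename, length):
    """True when name and size both match the attachment description in the write-ups."""
    return length == BAGLE_ATTACHMENT_LENGTH and BAGLE_ATTACHMENT_RE.match(filename) is not None


if __name__ == "__main__":
    for client, url, reasons in find_retrieval_attempts(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
    print(is_suspect_attachment("xkqpz.exe", 15872))
```

A request that matches on the URL pattern alone (fourth sample line) is still reported, since a host that fetches 1.php with p=6777 is worth a look even if the User-Agent differs from the quoted string; the attachment check requires both the size and the name pattern to match, which keeps false positives down on ordinary .exe mail.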
