Kristian,
This is the bagle.j virus:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]html
-Original Message-
From: Kristian Hermansen [mailto:[EMAIL PROTECTED]
Posted at: Tuesday, March 02, 2004 11:34 PM
Posted to: Full-Disclosure
Subject:
Attached backdoor not recognized by Kaspersky or Norton 2004? I received
this file recently, but Kaspersky did not detect malicious code. Wondering
if any of you guys know about it or have analyzed it before? It is
definitely NOT a text document. I opened it up with WinHex and see the file
Another variant against the Netsky virus. It is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through almost all the AV scanners with
latest signature updates because no AV can decrypt it
without the password. (though password is in the message
content),
VirusScreen ASaP detected virus in attachment sent to you by Kristian
Hermansen [EMAIL PROTECTED]. The file has been processed with
the following result:
TextDocument.zip:
W32/Bagle.gen!pwdzip(cleaned)
G.Paul Niranjan Babu
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hi,
Attached backdoor not recognized by Kaspersky or Norton 2004?
That zip-archive went right through our TrendMicro Virusgateway (newest Pattern files:
797) :-( Seems like the scanner(s) have problems with password-secured zips, will
evaluate this later.
Unpacked exe is recognized correct
- Original Message -
From: Brad Griffin [EMAIL PROTECTED]
To: Gregh [EMAIL PROTECTED]; Dave Howe
[EMAIL PROTECTED]
Cc: Lan Guy [EMAIL PROTECTED]; Schmehl, Paul L [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 9:52 AM
Subject: RE: [Full-Disclosure] Looking for a tool
Hi all
I was
It's a worm, detected by OfficeScan (pattern 697) as bagle.J.
Regards. Yoran
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Kristian
| Hermansen
| Sent: Tuesday, March 2, 2004 23:34
| To: [EMAIL PROTECTED]
| Subject: [Full-Disclosure] Backdoor
Hello
Looks like W32.Bagle.J worm.
More information:
http://www.f-secure.com/v-descs/bagle_j.shtml
Br
Jyri
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kristian
Hermansen
Sent: 3 March 2004 0:34
To: [EMAIL PROTECTED]
Subject:
Attached backdoor not recognized by Kaspersky or Norton 2004? I received
this file recently, but Kaspersky did not detect malicious code. Wondering
It's yet another email-worm, probably some variation of BAGLE.
Regards,
--
Jarkko Turkulainen [EMAIL PROTECTED]
On Wed, Mar 03, 2004 at 01:54:50PM +1100, cissper wrote:
I am lost here! Almost every time when I perform a
nessus scan I get this odd vulnerability: loose source
routing identified.
I really don't know how that script works but I have
to analyse if this is a false positive or not. When I
It's yet another email-worm, probably some
variation of BAGLE.
The chap who reads this list from Pipemedia online might
want to check his machine for malware, too.
--
Mortis
___
Full-Disclosure - We believe in it.
Charter:
Attached backdoor not recognized by Kaspersky or Norton 2004?
It's Bagle/Beagle.J. The problem is that the file is password-protected, so it's not
obvious how a scanner will get it until it's opened. Notice that the e-mail includes
the
password (65316). In fact Norton finds it when the ZIP is
Larry Seltzer wrote:
Attached backdoor not recognized by Kaspersky or Norton 2004?
It's Bagle/Beagle.J. The problem is that the file is password-protected, so it's not
obvious how a scanner will get it until it's opened. Notice that the e-mail includes the
password (65316). In fact Norton
Sounds like Bagle.J
http://vil.nai.com/vil/content/v_101071.htm
Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com
- Original Message -
From: Kristian Hermansen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 5:34 PM
Subject:
a better solution is to have .zip wholesale killed at the firewall/a-v
gateway like i have setup here..then these password protected zip files
are not a concern..:)
Larry Seltzer wrote:
Attached backdoor not recognized by Kaspersky or Norton 2004?
It's Bagle/Beagle.J. The problem is that the
.
The problem is the antivirus installed in the perimeter, that does not
detect those samples. Some antivirus products exist that detect the infected ZIP
without knowing the password:
Scan results
File: TextDocument.zip
Date: 03/03/2004 13:14:16
InoculateIT 4625/20040302 found nothing
NOD32 1.648/20040303
On Wednesday 03 March 2004 12:31, David Kammering wrote:
Hi,
Attached backdoor not recognized by Kaspersky or Norton 2004?
That zip-archive went right through our TrendMicro Virusgateway (newest
Pattern files: 797) :-( Seems like the scanner(s) have problems with
password-secured zips,
I agree that it might be Bagle.J, but F-Risk claims it's:
The unpacked file's size is over 49 kilobytes.
For me it was:
yfivyjmg.exe was UPXed and has:
MD5: b2e0559c9c3cea7bb7c37daec64e0f88
Size: 12288 Bytes
yfivyjmg.exe unpacked has:
MD5:
16 days after my post regarding the Firewall/VPN Appliance vuln
and 1 month more my TELEPHONE notice to Symantec support,
Symantec released a new version of firmware for their appliance.
But the problem it`s not the time.
The problem is that they told me it was not a vulnerability,
after 1 month
I am lost here! Almost every time when I perform a
nessus scan I get this odd vulnerability: loose source
routing identified.
I really don't know how that script works but I have
to analyse if this is a false positive or not. When I
perform a manual traceroute (UDP) to the destination
host, I do
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:OpenLinux: screen buffer overflow
Advisory number:CSSA-2004-011.0
Issue date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:OpenLinux: rsync heap based overflow
Advisory number:CSSA-2004-010.0
Issue date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:OpenLinux: Tcpdump flaws in ISAKMP
Advisory number:CSSA-2004-008.0
Issue date:
On Tue, 2004-03-02 at 05:37, Phantasmal Phantasmagoria wrote:
- Final thoughts
It is difficult, if not impossible, to please every group of the security
community when releasing information pertaining to a vulnerability. Some
will say that I should have contacted the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:OpenLinux: Gnupg (gpg) severe bug could compromise almost all
ElGamal keys
Advisory number:
S-Quadra Advisory #2004-03-03
Topic: Spider Sales shopping cart software multiple security vulnerabilities
Severity: High
Vendor URL: http://www.spidersales.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040303.txt
Release date: 03 Mar 2004
1. DESCRIPTION
Spider Sales
Suresh Ponnusami wrote:
Another variant against the Netsky virus. It is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through almost all the AV scanners with
latest signature updates because no AV can decrypt it
without the password. (though password is
On Wed, Mar 03, 2004 at 01:44:00PM +0100, maarten wrote:
Well, what would you expect, that the virusgateway would brute-force crack the
zip password ? No. It has only two options:
A) Delete all password protected zipfiles regardless
or
B) Let any and all password protected zipfiles
Georgi Guninski security advisory #67, 2004
Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
Systems affected:
tested on qmail 1.03 on linux
Risk: Low - not in default install and i can't exploit it
Date: 3 March 2004
Legal Notice:
This Advisory is Copyright (c)
i found this document about you
attachment: attachment.htm.pif
No, what I would expect is that it has the smarts (and it does, we are
doing it here with Trend) to look inside the Zip and stop any zip
containing any .scr/.exe/.com/.you-name-executable files. Check your Trend
(or whatever mail checker you are using) configs and set them
appropriately.
Does anyone else find this new development a bad idea?
I'm of the mindset that anti-virus companies should stick with what
they're good at -- namely, detecting and handling infected files. It
seems a bad idea to start down the natural language processing road.
Are they scanning just for
Another variant against the Netsky virus. It is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through almost all the AV scanners with
latest signature updates because no AV can decrypt it
without the password. (though password is in the message
content),
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
William Anderson wrote:
| [...]
|
| You should download and install the required update for
| your product(s). The updates can be downloaded from the
| web links below, along with installation instructions and
| any further caveats or updates.
|
|
Cael...take a more sensible approach...no password parsing to scan
needed...have the AV/mail gateways stop any zip with any executable inside.
You don't need to use the password to see that there is an
.exe/.scr/.com/.whatever inside a zip. You see it, you nuke the zip. If
your policies
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
~ SmoothWall Limited Product Advisory SWL-2004:002
- -
~Summary: Updates for SmoothWall Corporate Server and
~
On Wed, Mar 03, 2004 at 16:25:20 +0200,
Georgi Guninski [EMAIL PROTECTED] wrote:
Georgi Guninski security advisory #67, 2004
Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
Systems affected:
tested on qmail 1.03 on linux
Risk: Low - not in default install
sooo close, i reckon you should get some of that prize fund for
finding it though ;)
regards,
deadbeat
On Wed, 3 Mar 2004, Georgi Guninski wrote:
--
[EMAIL PROTECTED] tmp]$ ./qma-qmtpd.pl
qmail-qmtpd buffer overflow. Copyright Georgi
I am a Sidewinder G2 user. In their latest upgrade they are going away
from an IPSEC based VPN client to SSL. If memory serves me there are
some exploitable issues in SSL. SecureComputing uses a proprietary OS
based on SecureOS based on OpenBSD. I am not sure what flavor of SSL
they use, but I am
Further to the emails about parsing archive passwords from email messages...
Regardless of how such parsing may take place, the stream of overflows in
archive tools means that an attacker could craft malicious archive files
that infect/backdoor the mail scanning system. Multiple emails could be
Sounds good
I like to do this with ssh vnc over linux
[rh8]$ ssh -X [EMAIL PROTECTED]
[mn9]$ vncserver :4
[mn9]$ vncviewer localhost:4
Would there be any such suggestions for setting up VPN
with or without home firewall, assuming windows-windows? or
windows-linux, or linux-linux?
The problem is the antivirus installed in the perimeter, that does not detect those
samples. Some antivirus products exist that detect the infected ZIP without knowing the
password:
I'm sure more of these detect it by now. I suppose SOP for these scanners has been to
extract files from ZIPs and scan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Suresh Ponnusami
Sent: Wednesday, March 03, 2004 5:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
Another variant against the Netsky virus. It is
Subj
attachment: cedcb.zip
Anti-virus has *always* been an arms race and the anti-virus companies
will never win. I wrote about this almost two years ago for
Securityfocus [1,2]. We need new/different technology that doesn't
depend upon knowledge of the malicious program to prevent it from
entering our networks.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cael Abal
Sent: Wednesday, March 03, 2004 8:57 AM
To: Gregor Lawatscheck
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
What about messages in languages
Bruno Wolff III writes:
RELAYCLIENT needs to be set by a trusted user in the first place, so if
you are getting bad values for RELAYCLIENT you have other problems.
That's not the problem. It's not the value of RELAYCLIENT, it's the
length of it. The problem is that len can get set to a very
At 10:53 AM 3/3/2004 -0600, Schmehl, Paul L wrote:
We need new/different technology that doesn't
depend upon knowledge of the malicious program to prevent it from
entering our networks. *Re*active technology will *always* fail
initially, and that means there will always be a door open for bad
I am no windoze kernel expert, but could your culprit be a kernel thread
of some sort?
windows kernel thread ? no, methinks it's a service
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
McAfee now detects the password protected zip files. (There are other
things you can look for besides trying to decrypt the contents of the
zip file. Also, zip passwords are weak and easily broken anyway.)
Zip files may be /relatively/ easy to
Russell Nelson [EMAIL PROTECTED] wrote:
The work-around is not to set RELAYCLIENT. Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.
Well, I don't think it's that uncommon in general - Bruce's relay-ctrl
works by
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cael...take a more sensible approach...no password parsing to scan
needed...have the AV/mail gateways stop any zip with any executable
inside. You don't need to use the password to see that there is an
.exe/.scr/.com/.whatever inside a zip. You
Just out of curiosity, would it be ok to not
speculate? Speculation turns IR activities to crap
very, very quickly...
--- Aditya, ALD [Aditya Lalit Deshmukh]
[EMAIL PROTECTED] wrote:
I am no windoze kernel expert, but could your
culprit be a kernel thread
of some sort?
windows kernel
Cael Abal wrote:
Historically, passworded .zip files have been the only remotely
acceptable way to e-mail executables. I'm hesitant to give that up.
ACK. Some AV vendors even request samples of executables in passworded
zips.
I'd still rather allow all passworded .zips and rely on the client's
Possibly: This MAC Flooding is an ARP Cache Poisoning technique aimed at
network switches. When certain switches are overloaded they often drop
into a hub mode. In hub mode, the switch is too busy to enforce its
port security features and just broadcasts all network traffic to every
computer in
I feel the need to address the problem from an ISP perspective,
since the corporate and government and other institutional
perspective seems to give different answers. And because the
ISP end user problem is still the majority of the reservoir
for viruses (and spam proxy/relay/trojans).
On Wed, 3
test
attachment: body.zip
'Password is a long yellow fruit enjoyed by monkeys.'
which ones ? there are many types of them around here
Leave passworded .zips alone -- take the sensible approach and catch an
infected file once it's been extracted.
that would be the best approach but it would make all the spam
We need new/different technology that doesn't depend upon
knowledge of the malicious program to prevent it from
entering our networks. *Re*active technology will *always*
I think you meant to say YOUR networks, right? The networks used by
antivirus firms don't get infected. Granted,
The zip's contents can
be seen without the password, just not unpacked...no cracking it required.
now winrar has an option to encrypt file names with a password, methinks pkzip with
the 64 bit compression also has that feature... how are we going to deal with this ?
by stopping all the
On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:
-Original Message-
From: [EMAIL PROTECTED]
Another variant against the Netsky virus. It is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through almost all the AV scanners with
latest signature
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Rob Rosenberger
Sent: Wednesday, March 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
We need new/different technology that doesn't
Technology that would simply mark unknown code and prevent it from
accessing any but a minimal set of resources (and whose markings
normally were inherited by anything written to...this is the old
integrity model in many ways...) could largely eliminate problems.
The solidity of the underlying
I feel the need to address the problem from an ISP perspective, since the corporate
and government and other institutional perspective seems to give different answers. And
because the ISP end user problem is still the majority of the reservoir for viruses
(and
spam proxy/relay/trojans).
I really
[SNIP]
how about the smtp server simply rejecting mail from spoofed hosts ? as all the
viruses generate spoofed hosts and it is very easy for any smtp server to do a dns
lookup on the sending server, if the hostname / ip address do not match reject the
message.
Finally some
if you can read the users login credentials to his corporate mailserver you are far
better off.
Rather casually put. How would you do this? I've heard how Swen asks the user for their
credentials, but if you know a general crack for obtaining them I'd say that's news.
Larry Seltzer
eWEEK.com
Larry Seltzer [EMAIL PROTECTED] wrote:
I really feel for you guys. As I've argued in another thread, I think
SMTP authentication will likely cut this stuff down to a trickle
compared to the current volume. As an ISP, how big a problem would you
have with that. An even better question: Would
Martin Ma ok [EMAIL PROTECTED] wrote:
C) try each word from the message as a password
D) OCR all attached images and go to (C) with the result
(I saw the smiley...)
And there are trivial responses to this that would be introduced into
the version after next of the virus (say, on Friday) if
On Wed, Mar 03, 2004 at 11:36:09PM +0530, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
how about the smtp server simply rejecting mail from spoofed hosts
? as all the viruses generate spoofed hosts and it is very easy for
any smtp server to do a dns lookup on the sending server, if the
hostname
RE: Accepting mail from spoofed hosts
This is really a very simple idea, and a hundred people smarter than me
must have thought of it, but I have to wonder if yet another layer of
e-mail security might not be in order as well - don't all email systems
have a unique message ID on them? Sendmail
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
snip
how about the smtp server simply rejecting mail from spoofed hosts ? as
all the viruses generate spoofed hosts and it is very easy for any smtp
server to do a dns lookup on the sending server, if the hostname / ip
address do not match reject the
Cael Abal [EMAIL PROTECTED] wrote:
snip easy tricks to bypass 'password in message body' scanning
... I can easily see
this becoming an arms-race, and one the anti-virus folks have no chance
of winning.
What do you mean becoming??
Known virus scanning is, by definition, an arms race which
On Wed, Mar 03, 2004 at 04:37:49PM -0500, Larry Seltzer wrote:
As I've argued in another thread, I think SMTP authentication will
likely cut this stuff down to a trickle compared to the current
volume.
The SPAM problem is not an authentication problem. Even if you could
authenticate the
NGSSoftware Insight Security Research Advisory
Name: Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Systems Affected: Adobe Acrobat Reader version 5.1
Severity: High Risk
Vendor URL: http://www.adobe.com/
Author: David Litchfield [ [EMAIL PROTECTED] ]
Date Vendor Notified:7th
Stef [EMAIL PROTECTED] wrote:
Someone on the ntbugtrack list mentioned earlier another possible
solution for A/V gateways: checking for the extension of
known-to-be-infected files, and appending the + sign at the end (e.g.
.exe+). I have tried this on my first layer Norton Gateway, as well
On Wed, Mar 03, 2004 at 04:45:57PM -0500, Lachniet, Mark wrote:
Of course on the down side, you'd have to use your email server, with
legit MX record as your smart host for all users (may be a hassle for
home offices and POP clients, maybe requiring outgoing SMTP auth, but
that's easy right?)
madsaxon [EMAIL PROTECTED] wrote:
As Rob Rosenberger has been preaching for years, the most sensible
solution to this problem lies in heuristics, not reactive tactics.
An ounce of prevention has always been worth a pound of cure.
I think heuristics are over-rated for such applications. To be
On Wed, 3 Mar 2004, Lachniet, Mark wrote:
don't all email systems have a unique message ID on them?
No.
Sendmail certainly does.
It will generate one, and add one if missing on reception.
--
Dave Horsfall DTM VK2KFU Loyal Unix user since 1975
Booted from Spamtools
On Wed, Mar 03, 2004 at 14:54:38 +1100,
omifix omnifix [EMAIL PROTECTED] wrote:
can anybody explain to me what the problem is when my
external DNS server supports recursive DNS queries?
This allows simpler software and configuration so that there is less likely
to be a security problem.
People
-BEGIN PGP SIGNED MESSAGE-
SGI Security Advisory
Title : SGI Advanced Linux Environment security update #13
Number: 20040301-01-U
Date : March 3, 2004
Reference :
Schmehl, Paul L [EMAIL PROTECTED] wrote:
McAfee now detects the password protected zip files. (There are other
things you can look for besides trying to decrypt the contents of the
zip file. Also, zip passwords are weak and easily broken anyway.)
Though cracking is not, I believe, how it is
From: Larry Seltzer [mailto:[EMAIL PROTECTED]
if you can read the users login credentials to his corporate
mailserver you are far better off.
Rather casually put. How would you do this? I've heard how
Swen asks the user for their credentials, but if you know a
general crack for obtaining
Ron DuFresne [EMAIL PROTECTED] wrote:
how about the smtp server simply rejecting mail from spoofed hosts ?
as all the viruses generate spoofed hosts and it is very easy for any
smtp server to do a dns lookup on the sending server, if the hostname
/ ip address do not match reject the
Thor Larholm wrote:
SMTP authentication will not do much to stop viruses from spreading.
Some viruses are already moving away from just implementing their own
SMTP server to reusing whatever SMTP credentials you have on your
machine. Having your own SMTP engine is a nice fallback solution
rm -rf /
that should do it
Nick FitzGerald wrote:
Ron DuFresne [EMAIL PROTECTED] wrote:
how about the smtp server simply rejecting mail from spoofed hosts ?
as all the viruses generate spoofed hosts and it is very easy for any
smtp server to do a dns lookup on the sending server, if the
Larry Seltzer [EMAIL PROTECTED] asked 'Thor Larholm':
if you can read the users login credentials to his corporate
mailserver you are far
better off.
Rather casually put. How would you do this? I've heard how Swen asks the
user for their credentials, but if you know a general crack for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: pwlib
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: libxml2
Advisory ID:
Hello,
I suggest that most of you should subscribe to the postfix mailing
list, it will provide you with a deep understanding of mail and
what problems people face and how to solve them.
For example if a mail server is sending you mail you should not be
comparing it with some host name.
Outlook 2003, Outlook Express 6, Mozilla mail etc. do recognize what host to
use for sending depending on what POP server was used to read the mail. They
maintain accounts and any mail that comes in one account (its POP3 server)
goes out that account's corresponding SMTP server. For example, this is
Michael Gale [EMAIL PROTECTED] wrote:
OK stuff snipped
Also do not accept mail for users that do not exist ... I know that a
lot of Exchange servers and mis-configured front end mail servers accept
mail for anything at their domain and usually if the mail is junk or
from domains that do not
Nice find. Most people really shouldn't be using AFP. I know that Classic
MacOS machines store the passwords on disk using a simple XOR cipher. I
would assume that they also transmit the password using the same cipher.
SecureMac.com has an article on this if anyone is interested.
The ACLU (American