RE: [Declude.Virus] FYI - new virus as yet unidentified

[Markus Gufler]

Title: Message

Thanks for the info's I've seen some of this "SMS" subject lines in the virus log (while searching for kitten.zip)   06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] I 06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716] 06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646] 06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To: [Hidden] [incoming from 71.97.144.45] 06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS   This was yesterday evening (06/26/2005 22:37:24 GMT+1) Scanner 2 is Mcafee and following the logfiles it's called "Bagle.dldr" Scanner 1 (F-Prot) has catched it 2 hours later with errorlevel 8.   Markus   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, June 27, 2005 8:14 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] FYI - new virus as yet unidentified 12 hours after Darin's post, I see that the ISC Storm Center has seen it.   http://isc.sans.org/diary.php?date=2005-06-25   "New Bagle Variant We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this. "   I hunted around our undeliverables and found more than one copy.  Each had "SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on SMS".   Trend Micro detects the executable as Bagle.BB but everyone else who detects it calls it Bagle.BQ or Bagle.Gen (generic).  McAfee and Symantec are not detecting it.  ClamAV does.  F-Prot calls it an errorlevel = 8 security risk called "W32/_newstuff.2".   Each message was 32 KB.   I hope that helps,   Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Sunday, June 26, 2005 11:33 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] FYI - new virus as yet unidentified Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE. Darin.