Title: Message
Thanks for the info.
I've seen some of these "SMS" subject lines in the virus log
(while searching for kitten.zip):
06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] I
06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716]
06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646]
06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To:[Hidden] [incoming from 71.97.144.45]
06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS
This was yesterday evening (06/26/2005 22:37:24 GMT+1).
Scanner 2 is McAfee and, according to the log files, it's called "Bagle.dldr".
Scanner 1 (F-Prot) caught it 2 hours later with errorlevel 8.
Markus
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, June 27, 2005 8:14 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] FYI - new virus as yet unidentified
12 hours after Darin's post, I see that the ISC Storm Center has seen it.
http://isc.sans.org/diary.php?date=2005-06-25
"New Bagle Variant: We're receiving early reports of a new Bagle
variant making the rounds. At the time of writing, many Antivirus products are
not detecting this most recent mutation of the mass mailer. Identifying
characteristics include a reference to SMS in the subject line, and ZIP
attachments with various names containing an EXE named f22-013.exe with an md5
checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the
numerous ISC readers who alerted us to this."
I hunted around our undeliverables and found more than one copy. Each had
"SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on SMS".
Trend Micro detects the executable as Bagle.BB but everyone else who
detects it calls it Bagle.BQ or Bagle.Gen (generic). McAfee and Symantec
are not detecting it. ClamAV does. F-Prot calls it an errorlevel =
8 security risk called "W32/_newstuff.2".
Each message was 32 KB.
I hope that helps,
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Sunday, June 26, 2005 11:33 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] FYI - new virus as yet unidentified
Don't know what it is yet, but the attached file was named kitten.zip, containing an unencrypted EXE.
Darin.
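The thread above hunts the same variant in two ways: Markus greps the Declude virus log for queue IDs that a scanner flagged, and Andrew triages undeliverables by the "SMS" subject lure and by the md5 published by the ISC. The following script ties both together as an added example; it is not code from this thread, from Declude or from any of the vendors named. It assumes the log layout visible in Markus's excerpt (one "MM/DD/YYYY HH:MM:SS <queue-id> <Field>: <value>" record per line, which is how the excerpt reads once the line breaks are restored). The sample log is constructed from the quoted lines; the queue ID Q13f00a1b00d2c500, the "Meeting notes" subject and the second "Scanned:" line for Q1200168000d2c41c are invented to give the parser something to distinguish.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: the first five records are Markus's log lines with their
# line breaks restored; the remaining records are invented for illustration.
SAMPLE_LOG = """\
06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] I
06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716]
06/26/2005 22:37:22 Q1200168000d2c41c Subject: Meeting notes
06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646]
06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To:[Hidden] [incoming from 71.97.144.45]
06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS
06/26/2005 23:05:10 Q13f00a1b00d2c500 Scanned: Virus Free [Prescan OK][MIME: 2 32100]
06/26/2005 23:05:10 Q13f00a1b00d2c500 Subject: The picture is sent on SMS
"""

# Assumed record layout: timestamp, queue id, field name, value.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9a-f]+) "
    r"(?P<field>[^:]+): ?(?P<value>.*)$"
)

# Subject lure reported in the thread and the md5 published by the ISC diary.
SUBJECT_LURE = re.compile(r"\bSMS\b", re.IGNORECASE)
KNOWN_BAGLE_MD5 = {"3f123980866092fedd6bc75e9b273087"}


@dataclass
class Message:
    qid: str
    subject: str = ""
    verdicts: list = field(default_factory=list)      # values of "Scanned:" records
    scanner_hits: list = field(default_factory=list)  # (scanner name, virus name)
    source_ip: str = ""


def parse_log(text):
    """Group log records by queue id so one message's lines can be judged together."""
    messages = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # tolerate wrapped or unrelated lines
        msg = messages.setdefault(match["qid"], Message(match["qid"]))
        name, value = match["field"], match["value"]
        if name == "Subject":
            msg.subject = value
        elif name == "Scanned":
            msg.verdicts.append(value)
        elif name.startswith("Scanner"):
            hit = re.search(r"Virus=(\S+)", value)
            if hit:
                msg.scanner_hits.append((name, hit.group(1)))
        elif name == "From":
            ip = re.search(r"incoming from (\d+\.\d+\.\d+\.\d+)", value)
            if ip:
                msg.source_ip = ip.group(1)
    return messages


def triage(messages):
    """Return {queue id: reason} for messages to quarantine or review.

    A scanner verdict wins; otherwise the subject lure alone is enough to hold
    the message, because the thread shows scanners lagging the variant by hours.
    """
    flagged = {}
    for qid, msg in messages.items():
        detected = msg.scanner_hits or any("CONTAINS A VIRUS" in v for v in msg.verdicts)
        if detected:
            names = ", ".join(virus for _, virus in msg.scanner_hits) or "unnamed"
            flagged[qid] = f"scanner detection: {names}"
        elif SUBJECT_LURE.search(msg.subject):
            flagged[qid] = "subject matches SMS lure (no scanner detection yet)"
    return flagged


def attachment_matches_ioc(data: bytes) -> bool:
    """True if an extracted attachment's md5 is the hash the ISC diary published."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAGLE_MD5


if __name__ == "__main__":
    for qid, reason in triage(parse_log(SAMPLE_LOG)).items():
        print(qid, reason)
```

Run against a real Declude log, the script lists every queue ID that either a scanner named or whose subject carries the lure, so the hours between the variant's arrival and the first signature (F-Prot's errorlevel 8 in Markus's case) are covered by the subject rule rather than left to the scanners. The md5 check is deliberately separate: it applies to the extracted EXE, not to the ZIP, since the ISC hash was published for f22-013.exe.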