RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-27 Thread Markus Gufler



Can't see any file "kitten.zip" in the past 8 hours...

Markus


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Sunday, June 26, 2005 8:33 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] FYI - new virus as yet unidentified
  
  Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.
  Darin.
  
  


RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-27 Thread Colbeck, Andrew



12 hours after Darin's post, I see that the ISC Storm Center has seen it.

http://isc.sans.org/diary.php?date=2005-06-25

"New Bagle Variant: We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this."

I hunted around our undeliverables and found more than one copy. Each had "SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on SMS".

Trend Micro detects the executable as Bagle.BB but everyone else who detects it calls it Bagle.BQ or Bagle.Gen (generic). McAfee and Symantec are not detecting it. ClamAV does. F-Prot calls it an errorlevel = 8 security risk called "W32/_newstuff.2".

Each message was 32 KB.

I hope that helps,

Andrew 8)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Sunday, June 26, 2005 11:33 AM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] FYI - new virus as yet unidentified
  
  Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.
  Darin.
  
  

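The indicators Andrew quotes from the ISC diary (an EXE named f22-013.exe inside a ZIP, its md5 checksum, and "SMS" in the subject) are easy to turn into a gateway-side check. The following is an added Python example, not code from this list, from Declude or from ISC: it opens a ZIP attachment in memory, flags any executable member, any member carrying the published name, and any member whose MD5 matches the published checksum, and reports an encrypted member as a finding of its own instead of failing on the read (Darin's sample was specifically an unencrypted EXE, but password-protected ZIPs are the usual next step for this family). The sample ZIP and its "MZ" payload are constructed for the demonstration and are not the malware; the helper names are this example's own.

```python
import hashlib
import io
import re
import zipfile

# Indicators quoted from the ISC diary in Andrew's post.
ISC_EXE_NAME = "f22-013.exe"
ISC_EXE_MD5 = "3f123980866092fedd6bc75e9b273087"

# Extensions Windows executes directly when a user opens them.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# The subject marker the diary and the list members report.
SUBJECT_MARKER = re.compile(r"\bSMS\b")


def md5_hex(data):
    """MD5 of a byte string as lowercase hex, the form the ISC diary uses."""
    return hashlib.md5(data).hexdigest()


def subject_matches(subject):
    """True when the subject carries the 'SMS' marker as a whole word."""
    return bool(SUBJECT_MARKER.search(subject))


def scan_zip_attachment(zip_bytes, ioc_md5=frozenset({ISC_EXE_MD5}),
                        ioc_names=frozenset({ISC_EXE_NAME})):
    """Inspect a ZIP attachment without writing anything to disk.

    Returns a list of (member_name, md5_or_None, reasons) for members that
    deserve attention. Members are hashed in memory only; nothing is run.
    """
    wanted_names = {n.lower() for n in ioc_names}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable-in-zip")
            if base in wanted_names:
                reasons.append("ioc-filename")
            digest = None
            if info.flag_bits & 0x1:
                # Encrypted member: unreadable without the password, so it
                # cannot be hashed; report that fact instead of raising.
                reasons.append("encrypted-member")
            else:
                digest = md5_hex(zf.read(info))
                if digest in ioc_md5:
                    reasons.append("ioc-md5")
            if reasons:
                findings.append((info.filename, digest, reasons))
    return findings


def build_sample_zip(member_name, payload):
    """Constructed test attachment: a ZIP holding one unencrypted member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed payload: starts with the "MZ" marker but is not a program.
    sample = build_sample_zip(ISC_EXE_NAME, b"MZ constructed dummy, not an executable")
    for name, digest, reasons in scan_zip_attachment(sample):
        print(name, digest, ", ".join(reasons))
```

The name and hash checks are kept separate on purpose: the diary says the ZIP names vary while the inner EXE name and hash do not, so a filename match is a weaker signal than a hash match, and a hash list can be extended as other vendors publish checksums for the same sample.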

RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-27 Thread Markus Gufler



Thanks for the info.
I've seen some of these "SMS" subject lines in the virus log (while searching for kitten.zip):

06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] I
06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716]
06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646]
06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To:[Hidden] [incoming from 71.97.144.45]
06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS

This was yesterday evening (06/26/2005 22:37:24 GMT+1).
Scanner 2 is McAfee and, following the logfiles, it's called "Bagle.dldr".
Scanner 1 (F-Prot) caught it 2 hours later with errorlevel 8.

Markus



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Monday, June 27, 2005 8:14 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] FYI - new virus as yet unidentified
  
  12 hours after Darin's post, I see that the ISC Storm Center has seen it.
  
  http://isc.sans.org/diary.php?date=2005-06-25
  
  "New Bagle Variant: We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this."
  
  I hunted around our undeliverables and found more than one copy. Each had "SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on SMS".
  
  Trend Micro detects the executable as Bagle.BB but everyone else who detects it calls it Bagle.BQ or Bagle.Gen (generic). McAfee and Symantec are not detecting it. ClamAV does. F-Prot calls it an errorlevel = 8 security risk called "W32/_newstuff.2".
  
  Each message was 32 KB.
  
  I hope that helps,
  
  Andrew 8)
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Sunday, June 26, 2005 11:33 AM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] FYI - new virus as yet unidentified
  
  Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.
  Darin.


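Markus correlated the log lines above by eye: the "Scanner 2" hit, the "CONTAINS A VIRUS" verdict, the forged sender and the "Is sent SMS" subject all belong to queue id Q11e3167a00d2c413. The following is an added Python example, not Declude's code, that does the same grouping for a whole log and then flags two things: messages a scanner hit, and messages carrying the "SMS" subject marker even though they passed as virus free, which is exactly the detection gap both posts describe. The log text is the one from the post (the stray "I" glued onto the first line in the archive is dropped as a paste artifact) plus one constructed virus-free record with queue id Qdeadbeef00000001, using a subject Andrew quoted; the helper names and the record layout are this example's own.

```python
import re
from collections import defaultdict

# Lines from Markus's post, one per line, plus a constructed third message
# (queue id Qdeadbeef00000001) that passed every scanner but carries the marker.
SAMPLE_LOG = """\
06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42]
06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716]
06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646]
06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To:[Hidden] [incoming from 71.97.144.45]
06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS
06/26/2005 22:41:10 Qdeadbeef00000001 Scanned: Virus Free [Prescan OK][MIME: 2 21700]
06/26/2005 22:41:10 Qdeadbeef00000001 Subject: The picture is sent on SMS
"""

# "<date> <time> <queue id> <rest of line>"; the queue id is the join key.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=(\S+)")
SOURCE_RE = re.compile(r"\[incoming from ([\d.]+)\]")
SUBJECT_MARKER = re.compile(r"\bSMS\b")


def _new_record():
    return {"first_seen": None, "scanners": {}, "verdict": None,
            "subject": None, "source_ip": None}


def parse_declude_log(text):
    """Group Declude log lines by queue id into one record per message."""
    records = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line; ignore
        ts, qid, rest = m.groups()
        rec = records[qid]
        rec["first_seen"] = rec["first_seen"] or ts
        sm = SCANNER_RE.match(rest)
        if sm:
            rec["scanners"][int(sm.group(1))] = sm.group(2)
        elif rest.startswith("Scanned: "):
            # Keep the verdict text, drop the "[Prescan OK][MIME: ...]" trailer.
            rec["verdict"] = rest[len("Scanned: "):].split(" [")[0]
        elif rest.startswith("Subject: "):
            rec["subject"] = rest[len("Subject: "):]
        elif rest.startswith("From: "):
            src = SOURCE_RE.search(rest)
            if src:
                rec["source_ip"] = src.group(1)
    return dict(records)


def flag_records(records):
    """Queue ids worth a look, with the reasons, as {qid: [reason, ...]}.

    A scanner hit is flagged regardless of the final verdict; the subject
    marker is flagged on its own so messages that slipped past every
    scanner (the lag both posts describe) still surface for review.
    """
    flagged = {}
    for qid, rec in records.items():
        reasons = []
        if rec["scanners"]:
            reasons.append("scanner-hit:" + ",".join(sorted(rec["scanners"].values())))
        if rec["subject"] and SUBJECT_MARKER.search(rec["subject"]):
            reasons.append("subject-marker:SMS")
        if reasons:
            flagged[qid] = reasons
    return flagged


if __name__ == "__main__":
    parsed = parse_declude_log(SAMPLE_LOG)
    for qid, reasons in flag_records(parsed).items():
        rec = parsed[qid]
        print(qid, rec["first_seen"], rec["verdict"], rec["source_ip"], reasons)
```

Reviewing by subject marker alone will produce false positives on legitimate SMS-related mail, so the marker is meant to drive a second look at messages the scanners passed during the first hours, not to reject them outright.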


[Declude.Virus] FYI - new virus as yet unidentified

2005-06-26 Thread Darin Cox



Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.
Darin.