New Bagle Variant Spreading

Published: 2004-08-09
Last Updated: 2004-08-10 00:53:06 UTC
by Jason Lam (Version: 1)
New Bagle Variant Spreading

There is a new Bagle mass-mailing virus variant on the loose.

The attachment may have one of the following file names:

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip

According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

Mitigation

The virus downloads part of itself from a list of known websites. Blocking the following sites at your perimeter can mitigate the risk of this virus:

http://polobeer.de/2.jpg
http://www.no-abi2003.de/2.jpg

AV vendors have created signatures for this Bagle variant.

McAfee: Bagle.aq
Trend Micro: Bagle.ac
Symantec: Bagle.ao

A Snort signature for this virus is also available on Bleeding Snort (submitted by Matt Jonkman): http://www.bleedingsnort.com

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; sid:2001061; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; sid:2001064; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; content:"filename="; pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; nocase; sid:2001065; rev:1;)
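
The pcre in the last rule is unanchored, so it fires on any payload that contains one of the listed names as a substring. As an added example (not part of the diary or of the Bleeding Snort rules), the sketch below parses a mail message at a gateway and flags only attachments whose file name exactly matches the list in this diary; the function names and sample messages are constructed for illustration, and Python's re stands in for PCRE.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names listed in this diary entry (compared case-insensitively).
BAGLE_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}

# The pcre from the third Snort rule, copied as published; case-insensitive
# compilation is an assumption based on the rule's "nocase" keyword.
RULE_RE = re.compile(
    r"(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip",
    re.IGNORECASE,
)

def rule_pcre_matches(text):
    """True if the rule's unanchored pattern matches anywhere in text."""
    return RULE_RE.search(text) is not None

def suspicious_attachments(raw_message):
    """Return attachment names that exactly match the diary's list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # handles encoded filename parameters
        if name and name.strip().lower() in BAGLE_NAMES:
            hits.append(name)
    return hits

def build_sample(filename):
    """Constructed message carrying an empty, harmless zip attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    empty_zip = b"PK\x05\x06" + b"\x00" * 18  # end-of-central-directory only
    m.add_attachment(empty_zip, maintype="application", subtype="zip",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("New__Price.zip", "stock_price.zip", "price_08.zip"):
        print(fn, rule_pcre_matches(fn), suspicious_attachments(build_sample(fn)))
```

A name such as stock_price.zip matches the rule's pattern but not the exact list, which is the false-positive case to expect when tuning the SMTP rule.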

Microsoft Windows XP SP2 is out!

Microsoft has released Service Pack 2 for Windows XP. It is not only a cumulative patch for XP but also adds functionality to Windows XP, including many security features (such as the firewall and IE security).

For the new features:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

Information on SP2:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

AOL Instant Messenger URI Handler Buffer Overflow

A vulnerability exists in AIM, caused by a stack-based buffer overflow in the handling of "away" messages. Successful exploitation allows malicious code to be run on the user's system.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected. Mitigation includes upgrading to the latest beta version of the AIM software or using the workaround posted on www.aim.com.

References:

http://secunia.com/advisories/12198/

http://www.aim.com/help_faq/security/faq.adp?aolp=
------------

Jason Lam, jason /at/ networksec.org
