New Bagle Making the Rounds?

Published: 2005-09-19
Last Updated: 2005-09-19 16:13:56 UTC
by Tom Liston (Version: 9)
0 comment(s)
It looks like there is a new Bagle variant making the rounds.  The (preliminary) information that we have is:
  • The file arrives as a zipped attachment with a filename including the word "price" (price.zip, price2.zip newprice.zip, 09_price.zip, etc...).
  • Creates two files: C:\WINDOWS\system32\winshost.exe and C:\WINDOWS\system32\wiwshost.exe
  • Launches winshost.exe from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
  • This has been classified (by at least one AV vendor) as:  TROJ/BAGLEDL-U
While you're waiting for your AV signatures to catch up, you might want to try the following snort sig submitted by ISC reader Mark T (Thank you, Mark!):
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"VIRUS Bagle.CJ SMTP Inbound"; \
flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; \
distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; \
classtype: trojan-activity; sid: 15239638; rev:1;)

An alternate snort rule (provided by the folks at Bleeding Edge):

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible \
Bagle.AQ Worm Outbound"; flow: to_server,established; content:"filename="; \
nocase; pcre:"m/(price2|new_price|08_price|09_price|newprice|new_price|price_new|\
price|price_08).zip/"; classtype: trojan-activity; reference:url,\
securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
sid: 2001065; rev:6; )
Keywords:
0 comment(s)

Comments


Diary Archives