
Bagle.AI Alert


9 replies to this topic

#1 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • 713 posts

Posted 19 July 2004 - 01:48 PM

http://www.viruslist...html?id=1887620

Gee, brand new and already it has been sent to me. :cool:
As of this writing, McAfee and Symantec do not detect it. Kaspersky's online scanner does detect it.
Edit: McAfee and Symantec have an update that will detect it now.

:p I just noticed my bad spelling in the topic title. :lol: :whistle:

Edited by Trilobite, 20 July 2004 - 04:02 PM.

ASAP Member since 2006

"Knowledge does not equal wisdom"
Guide to posting HijackThis logs to this forum


#2 rosso_acido

rosso_acido

    Earl of Mysterious Briefcases

  • Full Member
  • 286 posts

Posted 20 July 2004 - 03:00 AM

I got a couple of e-mails with this one too this morning. :gack:

There's not much info about it on the Internet yet, but Stinger also detects it as of July 19. :)

R. :techsupport:
I am the iron anchor.

#3 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • 787 posts

Posted 20 July 2004 - 12:21 PM

Well, it's a smart move to try to eliminate the Helpers first. :D
ErikAlbert
Simplicity is always brilliant.

#4 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • 713 posts

Posted 20 July 2004 - 01:30 PM

Is that a crack about my spelling? :p :lol:

I'm kind of glad it was sent to me. It's another worm for me to test AV software with. :bounce:

I attempted to download it again today and the good news is that the AV scanner on yahoo.com email detects it and will not allow it to be downloaded.

ASAP Member since 2006

"Knowledge does not equal wisdom"
Guide to posting HijackThis logs to this forum


#5 WaveThemes

WaveThemes

    Member

  • Full Member
  • 9 posts

Posted 20 July 2004 - 02:54 PM

About 5:30 AM EST this morning I found this:

http://vil.nai.com/v...nt/v_126798.htm

McAfee released a new stinger and dat file set over this one!

#6 H@ns

H@ns

    Forum Deity

  • Retired Staff - Helper
  • 2,630 posts

Posted 20 July 2004 - 02:56 PM

Hi WaveThemes,

That was already known here:

http://www.spywarein...showtopic=16603

:D
Nucia Security Forums - Dutch Anti-Malware Support

#7 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 20 July 2004 - 03:22 PM

FYI...

New Bagle Spreads Fast By Shutting Down Defenses
- http://www.techweb.c...WB20040720S0007
July 20, 2004
"The latest Bagle three-worm wave includes one that's using a more aggressive twist on an old tactic, said security firms Tuesday. Of the trio of Bagle variants that have hit the Internet since Saturday -- that day's Bagle.ag, Sunday's Bagle.ah, and Monday's Bagle.ai...Bagle.ai -- with the parade of Bagle variants, it's no surprise that not all vendors are in sync with the name; Panda, for instance, dubbed it Bagle.ah -- is very similar to earlier iterations. It's a mass mailing worm that spreads by hijacking addresses on infected machines or through shared folders; packages its payload as a file attachment, including .zip compressed files; and attempts to contact a slew of German Web sites, probably to alert the hacker of compromised systems so they can be used later as spam proxies or to conduct denial-of-service (DoS) attacks.
Hinojosa notes one important difference that he thinks is behind Bagle.ai..."It comes in and takes out a whole list of anti-virus and firewall processes," he said. "This list is larger than earlier [lists], and is so big I can't even count them. Someone really took their time to build this." The list -- 288 by Symantec's count -- is used by Bagle.ai to terminate memory-resident and active anti-virus and firewall software in an attempt to slip through a computer's defenses. "It goes around [defenses] by deleting the processes," said Hinojosa. "That's not good."..."


>>> If you haven't already done so, -now- would be a good time to update your AV.
The machine has no brain. Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
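The behaviour the quoted article describes, a worm that terminates resident anti-virus and firewall processes, is something a defender can watch for from the other side: if processes that are supposed to stay resident vanish between two snapshots, and especially if several vanish in the same interval, that is worth an alert. The script below is an added example written for this thread; it is not code from the forum, the article, or any AV vendor. The watched process names and the snapshot dumps are constructed for illustration, and the parser expects a simple one-process-per-line dump with the image name as the first token.

```python
"""Watchdog for security-tool processes disappearing from a host.

Added example, not from the thread or any vendor. The process names and
snapshot dumps below are constructed; substitute the real image names of
the AV/firewall tools deployed on your hosts.
"""

from dataclasses import dataclass

# Hypothetical watch list (constructed): processes an admin expects to stay
# resident on every workstation.
WATCHED_PROCESSES = frozenset({
    "avguard.exe",       # constructed AV on-access scanner name
    "fwservice.exe",     # constructed personal-firewall service name
    "realtimescan.exe",  # constructed real-time scanner name
})


@dataclass(frozen=True)
class Alert:
    """One detection: watched processes that were running in the previous
    snapshot and are absent from this one."""
    timestamp: str
    missing: tuple          # sorted process names that vanished
    mass_kill: bool         # True when two or more vanished at once


def parse_snapshot(text: str) -> set:
    """Turn a process dump (one process per line, image name first) into a
    set of lower-cased image names. Blank lines and '#' comments are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split()[0].lower())
    return names


def missing_watched(running: set, watched=WATCHED_PROCESSES) -> tuple:
    """Watched processes not present in a single snapshot (point-in-time check)."""
    return tuple(sorted(p for p in watched if p not in running))


def scan_timeline(snapshots, watched=WATCHED_PROCESSES) -> list:
    """Walk (timestamp, dump_text) pairs in order and alert only on the
    transition present -> absent, so a tool that was never installed on the
    host does not raise an alert on every snapshot."""
    alerts = []
    previously_running = set()
    for ts, text in snapshots:
        running = parse_snapshot(text)
        vanished = tuple(sorted(
            p for p in watched if p in previously_running and p not in running
        ))
        if vanished:
            alerts.append(Alert(ts, vanished, mass_kill=len(vanished) >= 2))
        previously_running = {p for p in watched if p in running}
    return alerts


# Constructed snapshots: the three security processes are present for two
# polls, then all disappear in one interval while ordinary processes remain.
SNAPSHOTS = [
    ("2004-07-20T08:00", "avguard.exe 1204\nfwservice.exe 1340\nrealtimescan.exe 1402\nexplorer.exe 880\n"),
    ("2004-07-20T08:05", "avguard.exe 1204\nfwservice.exe 1340\nrealtimescan.exe 1402\nexplorer.exe 880\noutlook.exe 2210\n"),
    ("2004-07-20T08:10", "explorer.exe 880\noutlook.exe 2210\n"),
    ("2004-07-20T08:15", "explorer.exe 880\n"),
]

if __name__ == "__main__":
    for alert in scan_timeline(SNAPSHOTS):
        tag = "MASS-KILL" if alert.mass_kill else "missing"
        print(f"{alert.timestamp} {tag}: {', '.join(alert.missing)}")
```

Run as-is it reports a single mass-kill alert at the 08:10 snapshot and stays quiet afterwards, because the transition check only fires once per disappearance. Feeding it real dumps is a matter of replacing the constructed snapshots with periodic process listings from the host.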

#8 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • 713 posts

Posted 20 July 2004 - 03:56 PM

Looks like a nasty little one.

not all vendors are in sync with the name; Panda, for instance, dubbed it Bagle.ah

I noticed that too. A scan of an infected file reveals these results:
Kaspersky IDs it as Bagle.ai
Symantec's Norton IDs it as Bagle.ag
McAfee's Stinger IDs it as Bagle.ai

I haven't updated and scanned it with the other AV's yet.



If you haven't already done so, -now- would be a good time to update your AV.

Edited by Trilobite, 20 July 2004 - 03:58 PM.

ASAP Member since 2006

"Knowledge does not equal wisdom"
Guide to posting HijackThis logs to this forum


#9 auctionhugh

auctionhugh

    Member

  • Full Member
  • 13 posts

Posted 21 July 2004 - 06:43 AM

I'm sick of getting those kind of emails, but I'm also very glad for decent antivirus protection!

Hugh

----
Click to visit Kallen Web Design

#10 auctionhugh

auctionhugh

    Member

  • Full Member
  • 13 posts

Posted 29 August 2004 - 07:24 AM

|..<->Virusscans and Firewalls<->..|
Kaspersky AV ---- Sygate Firewall Pro ---- AVG AV >> not recommended Anti-virus! ---- Kerio Firewall


I was wondering which one of the antivirus products in your links in your signature is the "not recommended" one, and why.

--------
Click to visit Kallen Web Design!

Edited by auctionhugh, 29 August 2004 - 07:26 AM.




