9 replies to this topic

[Trilobite]

http://www.viruslist...html?id=1887620

Gee, brand new and already it has been sent to me.
As of this writing, McAfee and Symantec do not detect it. Kaspersky's online scanner does detect it.
Edit: McAfee and Symantec have an update that will detect it now.

I just noticed my bad spelling in the topic title.

Edited by Trilobite, 20 July 2004 - 04:02 PM.

[rosso_acido]

I got a couple e-mails with this one too this morning.

There's not much info about it on the Internet yet, but Stinger also detects it as of July 19.

R.

[ErikAlbert]

Well it's a smart move to try eliminate the Helpers first.

[Trilobite]

Is that a crack about my spelling?

I'm kind of glad it was sent to me. It's another worm for me to test AV sofware with.

I attempted to download it again today and the good news is that the AV scanner on yahoo.com email detects it and will not allow it to be downloaded.

[WaveThemes]

About 5:30 am est this morning I found this:

http://vil.nai.com/v...nt/v_126798.htm

McAfee released a new stinger and dat file set over this one!

[H@ns]

Hi WaveThemes,

That was allready known here:

http://www.spywarein...showtopic=16603

[AplusWebMaster]

FYI...

New Bagle Spreads Fast By Shutting Down Defenses
- http://www.techweb.c...WB20040720S0007
July 20, 2004
"The latest Bagle three-worm wave includes one that's using a more aggressive twist on an old tactic, said security firms Tuesday. Of the trio of Bagle variants that have hit the Internet since Saturday -- that day's Bagle.ag, Sunday's Bagle.ah. and Monday's Bagle.ai...Bagle.ai -- with the parade of Bagle variants, it's no surprise that not all vendors are in sync with the name; Panda, for instance, dubbed it Bagle.ah -- is very similar to earlier iterations. It's a mass mailing worm that spreads by hijacking addresses on infected machines or through shared folders; packages its payload as a file attachment, including .zip compressed files; and attempts to contact a slew of German Web sites, probably to alert the hacker of compromised systems so they can be used later as spam proxies or to conduct denial-of-service (DoS) attacks.
Hinojosa notes one important difference that he thinks is behind Bagle.ai..."It comes in and takes out a whole list of anti-virus and firewall processes," he said. "This list is larger than earlier [lists], and is so big I can't even count them. Someone really took their time to build this." The list -- 288 by Symantec's count -- is used by Bagle.ai to terminate memory-resident and active anti-virus and firewall software in an attempt to slip through a computer's defenses. "It goes around [defenses] by deleting the processes," said Hinojosa. "That's not good."..."

>>> If you haven't already done so, -now- would be a good time to update your AV.

[Trilobite]

Looks like a nasty little one.

not all vendors are in sync with the name; Panda, for instance, dubbed it Bagle.ah

I noticed that too. A scan of an infected file reveals these results:
Kaspersky id's it as Bagle.ai
Symantec's norton id's it as Bagle.ag
McAfee's Stinger id's it as Bagle.ai

I haven't updated and scanned it with the other AV's yet.



If you haven't already done so, -now- would be a good time to update your AV.

Edited by Trilobite, 20 July 2004 - 03:58 PM.

[auctionhugh]

I'm sick of getting those kind of emails, but I'm also very glad for decent antivirus protection!

Hugh

----
Click to visit Kallen Web Design

[auctionhugh]

|..<->Virusscans and Firewalls<->..|
Kaspersky AV ---- Sygate Firewall Pro ---- AVG AV >> not recommended Anti-virus! ---- Kerio Firewall

I was wondering which one of the antivirus products in your links in your signature is the "not recommended" one, and why.

--------
Click to visit Kallen Web Design!

Edited by auctionhugh, 29 August 2004 - 07:26 AM.