Re: New virus?
From: leslie (LESLIE_at_JRLVAX.HOUSTON.RR.COM)
Date: 10/30/04
- Next message: leslie: "Other Tools: LSP-Fix, Hijack This"
- Previous message: Bob: "Re: Constitutional amendment"
- In reply to: Margie: "New virus?"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 30 Oct 2004 05:39:13 GMT
Margie (nomoremargiesjunk@earthlink.net) wrote:
: Driving home just now and heard the local tech guy talking about a new
: virus (sounded like bagel something?) that hit Europe big-time this
: morning and may be headed our way. Just a reminder to run Live Update
: or its equivalent. So: How often do y'all run an automatic
: virus/worm update? (I use Norton AV and haven't had any problems,
: even though I just bought the updated version when my subscription
: expired.)
:
http://isc.sans.org//index.php
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor
And Alert System - Current Infosec News and Analysis
"Handlers Diary October 29th 2004
Updated October 30th 2004 04:13 UTC (Handler: Lenny Zeltser)
New Bagle/Beagle Variants, Fragmentation Attacks, Gmail XSS Hole
New Bagle/Beagle variants on the loose
We received many reports of a new Bagle/Beagle worm variant seen in
the wild today. Be sure to update your anti-virus signatures, if you
haven't done so already.
It seems that there are actually three different variants out there,
but they exhibit similar characteristics: they spread via email and
P2P networks, listen on TCP port 81, and attempt downloading files
from pre-defined web servers.
We received a couple of reports of systems initiating outbound
connections on TCP port 81. According to one of these reports (thanks,
Mark!), the systems were infected with an older Bagle variant
(Beagle.AI, according to McAfee), which is a bit strange. If you've
witnessed outbound connections on TCP port 81, please send us your
packet traces.
As far as I know, the file that the worm attempts retrieving from the
remote servers is currently not present on any of the servers. One
theory (thanks, Vern!) is that the worm may be connecting to remote
web servers via HTTP in order to register itself with the server's
access or error logs, giving the author a list of infected systems so
that he or she can then access them via inbound TCP port 81
connections.
The naming of these variants is inconsistent across vendors. I wish
anti-virus vendors could agree on the taxonomy, as having different
names generates a lot of confusion among anti-virus software users. As
far as I can tell, the following names refer to the same variant:
Bagle.AV (Sophos, Symantec)
Bagle.AQ (Computer Associates, Norman)
Bagle.BB (McAfee)
Bagle.BC (Panda)
Bagle.AP, Beagle.AT (F-Secure)
Bagle.AT (Kaspersky, TrendMicro)
The following names seem to refer to a slightly different variant:
Bagle.BC (McAfee)
Bagle.AU (Symantec)
Yet another variant carries the following names:
Beagle.AW (Symantec)
Bagle.AR (Computer Associates)
Bagle.BD (McAfee)
Secunia offers a page with links to several vendors' descriptions of
today's Bagle/Beagle variants:
http://secunia.com/virus_information/13033/bagle.aq
Have you witnessed fragmentation attacks recently?
A bit less than two weeks ago we received a report of a fragmentation
attack targeting two unrelated financial services organizations. We'd
like to understand that attack better. Here are a few log entries that
document the attack: ..."
Jerry
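As an added example (not part of the original post or of the ISC diary it quotes), here is the check an admin could run over firewall logs for the behaviour the diary describes: internal hosts initiating outbound connections to TCP port 81, and inbound TCP/81 connections reaching them. The log format, the internal address range and the addresses themselves are constructed for illustration and assume no particular vendor.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (illustration only; the format is
# assumed, not a real vendor's): "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2004-10-29T21:03:11Z ALLOW TCP 192.168.1.23:3421 -> 203.0.113.10:81
2004-10-29T21:03:15Z ALLOW TCP 192.168.1.23:3422 -> 203.0.113.11:81
2004-10-29T21:04:02Z ALLOW TCP 192.168.1.40:1055 -> 198.51.100.5:80
2004-10-29T21:05:30Z ALLOW TCP 192.168.1.23:3423 -> 203.0.113.12:81
2004-10-29T21:06:44Z ALLOW TCP 198.51.100.77:40012 -> 192.168.1.23:81
2004-10-29T21:07:01Z DENY  TCP 192.168.1.9:2001 -> 203.0.113.10:81
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(ALLOW|DENY)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumed internal range
BAGLE_PORT = 81  # the port the diary says the new variants listen on

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_port81_activity(log_text):
    """Map each internal host to the external peers it exchanged TCP/81 traffic with."""
    hits = defaultdict(lambda: {"outbound": [], "inbound": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != BAGLE_PORT:
            continue
        # DENY lines are kept on purpose: the attempt itself is the signal.
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits[rec["src"]]["outbound"].append(rec["dst"])  # possible beaconing
        elif is_internal(rec["dst"]) and not is_internal(rec["src"]):
            hits[rec["dst"]]["inbound"].append(rec["src"])   # someone reaching a listener
    return dict(hits)

def suspect_hosts(hits, min_outbound=2):
    """Triage: hosts with several distinct outbound TCP/81 peers, or any inbound hit."""
    return sorted(h for h, v in hits.items()
                  if len(set(v["outbound"])) >= min_outbound or v["inbound"])
```

Hosts returned by `suspect_hosts` are the ones worth pulling packet traces from, which is exactly what the diary asks readers to send in.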