Security Basics mailing list archives
RE: New Virus?
From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Thu, 30 Jun 2005 09:15:51 +0000
Hi there everyone,

Thanks so much to everyone who offered their help and advice. I managed to remove the virus manually and it was correctly predicted by many of you as W32/Bagle.dldr. I was unsure of what it was as my Norton package did not detect it (hmm) - hopefully Symantec will put this in their next lot of virus signature files.

Thanks again everyone! Thread end.

Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
From: "J.Ayoola" <J.Ayoola () westminster ac uk>
To: "'Hamish Stanaway'" <koremeltdown () hotmail com>
CC: <security-basics () securityfocus com>
Subject: RE: New Virus?
Date: Wed, 29 Jun 2005 10:14:37 +0100
Organization: University of Westminster

Hamish,

This appears to be the trojan W32/Bagle.dldr. McAfee has been detecting it since the 26th of June.
Click on the link for more info.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129512

Regards,
Judie

-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: 27 June 2005 23:42
To: security-basics () securityfocus com
Subject: New Virus?

Hey there everyone,

I received a mysterious email this morning at 1728 GMT which had headers as follows:

Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [217.125.252.60] (helo=david.org) by fearless.absolutewebhosting.biz with smtp (Exim 4.24) id 1DmxJg-0003ou-Rg for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------hukvuvgobciyuhmojdug"
-------------------- END SNIP-----------------------

As you can guess, I'm hamish1 () webhosting net nz. This email contained no text, only an attachment called legs.zip, which Norton (fully updated to its latest version and data files) did not detect any viruses in. Within the legs.zip file there is a file called ds-rwe.exe - this again was not detected as a virus.

My girlfriend thought she would be smart and ran ds-rwe.exe, which gave me a memory overflow message for explorer.exe immediately.

Does anyone have any idea of what this might be, and also if it is a virus that has already been identified? If not, I am willing to pass it through to someone to take a look at in its zip format. Otherwise, if the effects cannot be reversed, I am afraid I will have to reformat this machine *sigh* NOT AGAIN :(

Have a great day everyone and thanks in advance for your help.

Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
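The headers and attachment Hamish quotes give a mail gateway three cheap signals that do not depend on a signature update: a From address whose local part matches the recipient but whose domain differs, no message text at all, and a zip whose members are executables. The script below is an added example (not code from this thread or any of its posters) that builds a constructed message with those properties (the bytes inside the zip are a placeholder, not the real ds-rwe.exe) and triages it; the same triage function works on any raw RFC 822 message.

```python
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage

# Extensions a gateway would treat as executable content inside an archive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def build_sample():
    """Constructed message mirroring the quoted headers: blank body, legs.zip holding ds-rwe.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ds-rwe.exe", b"placeholder bytes, not the real binary")
    msg = EmailMessage()
    msg["From"] = '"Hamish" <hamish1@voyager.co.nz>'
    msg["To"] = '"Hamish" <hamish1@webhosting.net.nz>'
    msg["Subject"] = "The picture is sent on SMS"
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="legs.zip")
    return msg.as_bytes()

def zipped_executables(data):
    """Names of executable-looking members in a zip payload; [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []

def triage(raw):
    """Return a list of human-readable findings for a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    rcpt = email.utils.parseaddr(str(msg["To"]))[1].lower()
    # Bagle-style self-addressed spoof: same local part, different domain.
    if sender and rcpt and sender != rcpt and sender.split("@")[0] == rcpt.split("@")[0]:
        findings.append("self-addressed sender: local part matches recipient, domain differs")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not body.get_content().strip():
        findings.append("no message text, only attachment(s)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            exes = zipped_executables(part.get_payload(decode=True))
            if exes:
                findings.append(f"{name} contains executable(s): {', '.join(exes)}")
    return findings
```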
Current thread:
- New Virus? Hamish Stanaway (Jun 28)
- Re: New Virus? Paul Kurczaba (Jun 29)
- RE: New Virus? David Gillett (Jun 29)
- Re: New Virus? securityfocus (Jun 29)
- Re: New Virus? Ansgar -59cobalt- Wiechers (Jun 29)
- Re: New Virus? cc (Jun 29)
- Re: New Virus? Alan Apperson (Jun 29)
- Re: New Virus? Justin Gill (Jun 29)
- Re: New Virus? ChayoteMu (Jun 29)
- RE: New Virus? J.Ayoola (Jun 29)
- RE: New Virus? Hamish Stanaway (Jun 30)
- <Possible follow-ups>
- RE: New Virus? Dan Denton (Jun 29)
- RE: New Virus? Hayden Searle (Jun 29)
- re: New Virus? meowbaby (Jun 29)
- RE: New Virus? Wiersma, S. (Stefan) (Jun 29)