Full Disclosure mailing list archives
Re: News from Bagle worm
From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 26 Jan 2004 09:26:16 -0500
As much as I hate to give this worm any more attention (as it is already way overblown as a threat) I feel the need to point out some inaccuracies here. Comments inline below. On Monday 26 January 2004 6:29 am, Papp Geza wrote:
> The worm is launched, it copies itself into the Windows directory and attempts to download and launch Mitglieder, a Trojan proxy server, on the infected machine.
This is wrong - Mitglieder is not downloaded. The subroutines which contact the remote "1.php" sites have no provisions to save and execute any code. They merely report the infected user's IP along with a pseudo-random UID.
> This proxy server allows the 'master' to use the infected machine as a platform to send more copies of the malicious code.
This is not an accurate description. Mitglieder acts as a spam proxy and also can activate an SMTP relay on port 25 if given the proper command. It also listens for additional code to be pushed to it in much the same way as Bagle. If the author of the worm chooses to push more Bagle emails through the Mitglieder proxies, he/she must do it manually; there are no provisions written into Bagle to spread in this manner.
> Currently, all links to Internet sources for downloading Mitglieder are deleted.
As I mentioned, it's not downloaded. It is uploaded to the infected user through port 6777. And just because you get a "404" response from a php script on a webserver doesn't mean that the notification engine has been shut down.
> Thus, I-Worm.Bagle cannot use this technology to increase propagation speed.
Because it has no such ability.
> The worm backdoor functionality opens port 6777 ready to accept incoming connections from a remote user, giving unauthorized access to an affected machine, however, this does not appear to function properly.
It functions perfectly, but it's not a command shell. It gives the author the ability to either upload and execute a file, or uninstall the worm.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
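A defender-side triage check built on the two behaviours Joe describes (the IP/UID notification sent to "1.php" sites and the listener on port 6777), as an added example that is not part of the original post or thread; the firewall and proxy log formats, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed log formats (constructed for this example, not from the post):
#   firewall:  "<date> <time> FW <action> tcp <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
#   web proxy: "<date> <time> PROXY <client_ip> GET <url>"
FW_RE = re.compile(
    r"^\S+ \S+ FW (?P<action>\w+) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
PROXY_RE = re.compile(r"^\S+ \S+ PROXY (?P<client>[\d.]+) GET (?P<url>\S+)$")

BACKDOOR_PORT = "6777"  # port the worm's backdoor listens on, per the post
# Any HTTP URL whose path ends in /1.php (the notification sites), with or without a query.
BEACON_URL_RE = re.compile(r"^https?://[^?#]*/1\.php(?:[?#]|$)")

# Constructed sample lines: one host (.55) shows both indicators, the others are benign noise.
SAMPLE_LOGS = [
    "2004-01-26 09:01:12 FW allow tcp 203.0.113.10:4431 -> 192.0.2.55:6777",
    "2004-01-26 09:01:15 PROXY 192.0.2.55 GET http://example.invalid/1.php?id=0123456",
    "2004-01-26 09:02:40 FW allow tcp 192.0.2.56:2201 -> 198.51.100.9:443",
    "2004-01-26 09:03:02 PROXY 192.0.2.56 GET http://example.invalid/index.php",
    "2004-01-26 09:03:30 FW deny tcp 203.0.113.11:5000 -> 192.0.2.57:6777",
    "2004-01-26 09:04:01 PROXY 192.0.2.58 GET http://example.invalid/files/1.php.txt",
]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return {internal_host: [reasons]} for hosts showing Bagle-like activity.

    Indicators: an allowed inbound connection to tcp/6777 (something reaching
    the backdoor) and an outbound GET for a /1.php URL (the IP/UID report).
    Denied connection attempts are ignored: they point at the scanner, not at
    an infected host.
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m and m.group("action") == "allow" and m.group("dport") == BACKDOOR_PORT:
            findings[m.group("dst")].append(f"inbound tcp/{BACKDOOR_PORT} from {m.group('src')}")
            continue
        m = PROXY_RE.match(line)
        if m and BEACON_URL_RE.match(m.group("url")):
            findings[m.group("client")].append(f"GET {m.group('url')}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOGS).items():
        print(host, reasons)
```

A host that shows the beacon alone is worth checking for the 6777 listener locally, since, as Joe notes, a 404 from the php script says nothing about whether the worm is still running.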