nanog mailing list archives

RE: Hi (fwd)

From: "Thor Larholm" <thor () pivx com>
Date: Thu, 18 Mar 2004 15:18:53 -0800

From: Matthew Sullivan [mailto:matthew () sorbs net] 
It's another varient of Bagle...

My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt 
- since then Symantec has release it's more detailed explaination 
under the headings for Bagle.r and Bagle.s


This variant tries to exploit the object data vulnerability in IE that
has long since been patched. You can also protect against this
vulnerability, and any possible future variants, by locking down the My
Computer zone. I detailed this in

http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/2

Those steps are also implemented as one of many fixes in Qwik-Fix (
www.qwik-fix.net ).

The worm is dead now but managed to spread quite a bit before AV vendors
had updated signatures. We have to start migrating away from reactive
security and focus more on proactive security solutions. The Bizex worm
was a good example of this, infecting 50.000 machines in 3 hours and
disabling itself before any AV vendors had signatures for it.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

Current thread:

Re: Hi (fwd) william(at)elan.net (Mar 17)
- Re: Hi (fwd) Steven M. Bellovin (Mar 17)
- Re: Hi (fwd) Suresh Ramasubramanian (Mar 17)
  - Re: Hi (fwd) Arnold Nipper (Mar 18)
- Re: Hi (fwd) Colin Neeson (Mar 17)
- Re: Hi (fwd) william(at)elan.net (Mar 17)
  - Re: Hi (fwd) Matthew Sullivan (Mar 18)
- <Possible follow-ups>
- RE: Hi (fwd) Thor Larholm (Mar 18)