nanog mailing list archives
RE: Hi (fwd)
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 18 Mar 2004 15:18:53 -0800
From: Matthew Sullivan [mailto:matthew () sorbs net]
It's another variant of Bagle... My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt - since then Symantec has released its more detailed explanation under the headings for Bagle.r and Bagle.s
This variant tries to exploit the object data vulnerability in IE that has long since been patched. You can also protect against this vulnerability, and any possible future variants, by locking down the My Computer zone. I detailed this in http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/2

Those steps are also implemented as one of many fixes in Qwik-Fix ( www.qwik-fix.net ).

The worm is dead now but managed to spread quite a bit before AV vendors had updated signatures. We have to start migrating away from reactive security and focus more on proactive security solutions. The Bizex worm was a good example of this, infecting 50,000 machines in 3 hours and disabling itself before any AV vendors had signatures for it.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>
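The message above recommends locking down the My Computer (Local Machine) zone in Internet Explorer without reproducing the registry details, which live in the SecurityFocus post it links. The script below is an added example, not Thor Larholm's posted steps or PivX/Qwik-Fix code. It assumes the standard IE zone layout: zone 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones is the Local Machine zone, action IDs such as 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting) select a setting, and a DWORD of 0/1/3 means Enable/Prompt/Disable. The specific set of actions hardened here is a choice made for the example, not a list taken from the thread.

```powershell
# Added example: audit and harden the IE Local Machine ("My Computer") zone.
# Not from the original thread. Assumed layout: zone 0 under the Zones key is the
# Local Machine zone; action values use 0 = Enable, 1 = Prompt, 3 = Disable.
$zone0 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# Action IDs and the value the hardened zone should hold (3 = Disable).
# The selection of actions is this example's choice.
$hardened = @{
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe
    '1400' = 3   # Active scripting
    '1004' = 3   # Download unsigned ActiveX controls
    '1001' = 3   # Download signed ActiveX controls
}

function Test-LocalMachineZone {
    # Returns the action IDs that are missing or more permissive than the target.
    # A missing value is treated as weak because IE then falls back to the zone default.
    $props = Get-ItemProperty -Path $zone0
    $weak = @()
    foreach ($id in $hardened.Keys) {
        $current = $props.$id
        if ($null -eq $current -or [int]$current -lt $hardened[$id]) {
            $weak += $id
        }
    }
    return $weak
}

function Set-LocalMachineZoneHardened {
    # Writes the hardened value for every action in the table.
    foreach ($id in $hardened.Keys) {
        Set-ItemProperty -Path $zone0 -Name $id -Value $hardened[$id] -Type DWord
    }
}

$weak = Test-LocalMachineZone
if ($weak.Count -gt 0) {
    Write-Host "Permissive Local Machine zone settings: $($weak -join ', ')"
    Set-LocalMachineZoneHardened
    Write-Host "Remaining weak settings after fix: $((Test-LocalMachineZone) -join ', ')"
} else {
    Write-Host 'Local Machine zone already hardened.'
}
```

Two caveats a practitioner would want: the per-user key only protects the user it is written for, so a machine-wide deployment should go through the matching key under HKLM (and the policy that makes HKLM authoritative) rather than a login script touching HKCU; and disabling scripting and ActiveX in this zone will break local HTML help and any HTA or locally served page that relies on them, so test before rolling it out.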
Current thread:
- Re: Hi (fwd) william(at)elan.net (Mar 17)
- Re: Hi (fwd) Steven M. Bellovin (Mar 17)
- Re: Hi (fwd) Suresh Ramasubramanian (Mar 17)
- Re: Hi (fwd) Arnold Nipper (Mar 18)
- Re: Hi (fwd) Colin Neeson (Mar 17)
- Re: Hi (fwd) william(at)elan.net (Mar 17)
- Re: Hi (fwd) Matthew Sullivan (Mar 18)
- <Possible follow-ups>
- RE: Hi (fwd) Thor Larholm (Mar 18)