Security Basics mailing list archives
RE: New Virus?
From: "Wiersma, S. (Stefan)" <Stefan.Wiersma () isc-no politie nl>
Date: Wed, 29 Jun 2005 08:05:12 +0200
Hi Hamisch and list, Virus: W32/Bagle.dldr (McAfee) Virus Characteristics -- Update 27 June, 2005-- The spamming from yesterday continue today, with filenames such as: ds-rwe.exe f5434.exe The typical subject line of these messages is The picture is sent on SMS Detection requirements for these 2 files is the same as yesterday, DAT version 4522. Note: Stinger has not been updated for either of these two spammings, as these two updates were not classified as Medium or above severity. -- Update 26 June, 2005-- There was another round of mass-spamming, of a new Bagle downloader. Messages may contain an attachment with one of the following names: Legs.zip original.zip In_park.zip The ZIP files contain a file named f22-013.exe (36,864 bytes) MD5: 0x3f123980866092fedd6bc75e9b273087 This new variant is detected in the 4522 DAT files. Check out the following link for more info: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129512 Regards, Stefan Wiersma yachtgroup.com -----Original Message----- From: Hamish Stanaway [mailto:koremeltdown () hotmail com] Sent: dinsdag 28 juni 2005 0:42 To: security-basics () securityfocus com Subject: New Virus? Hey there everyone, I recieved a mysterious email this morning at 1728 GMT which had headers as follows: Return-path: <hamish1 () voyager co nz> Envelope-to: hamish1 () webhosting net nz Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200 Received: from [217.125.252.60] (helo=david.org) by fearless.absolutewebhosting.biz with smtp (Exim 4.24) id 1DmxJg-0003ou-Rg for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200 Date: Mon, 27 Jun 2005 19:20:42 +0100 To: "Hamish" <hamish1 () webhosting net nz> From: "Hamish" <hamish1 () voyager co nz> Subject: The picture is sent on SMS Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------hukvuvgobciyuhmojdug" -------------------- END SNIP----------------------- As you can guess, I'm hamish1 () webhosting net nz. This email contained no text, only an attachment called legs.zip, which Norton (fully updated to its' latest version and data files) did not detect any viruses in. Within the legs.zip file there is a file called ds-rwe.exe - this again was not detected as a virus. My girlfriend thought she would be smart and ran ds-rwe.exe, which gave me a memory overflow message for explorer.exe immidiately. Does anyone have any idea of what this might be, and also if it is a virus that has already been identified? If not, I am willing to pass it through to someone to take a look at in its' zip format. Otherwise if the effects cannot be reversed, I am afraid I will have to reformat this machine *sigh* NOT AGAIN :( Have a great day everyone and thanks in advance for your help. Kindest of regards, Hamish Stanaway, CEO Absolute Web Hosting / -= KoRe WoRkS =- Internet Security Auckland, New Zealand http://www.webhosting.net.nz http://www.buywebhosting.co.nz http://www.koreworks.com
Current thread:
- Re: New Virus?, (continued)
- Re: New Virus? Ansgar -59cobalt- Wiechers (Jun 29)
- Re: New Virus? cc (Jun 29)
- Re: New Virus? Alan Apperson (Jun 29)
- Re: New Virus? Justin Gill (Jun 29)
- Re: New Virus? ChayoteMu (Jun 29)
- RE: New Virus? J.Ayoola (Jun 29)
- RE: New Virus? Hamish Stanaway (Jun 30)
- RE: New Virus? Dan Denton (Jun 29)
- RE: New Virus? Hayden Searle (Jun 29)
- re: New Virus? meowbaby (Jun 29)
- RE: New Virus? Wiersma, S. (Stefan) (Jun 29)