Security Basics mailing list archives

RE: New Virus?


From: "Wiersma, S. (Stefan)" <Stefan.Wiersma () isc-no politie nl>
Date: Wed, 29 Jun 2005 08:05:12 +0200

Hi Hamish and list,

Virus: W32/Bagle.dldr (McAfee)

Virus Characteristics
-- Update 27 June, 2005-- 
The spamming from yesterday continues today, with filenames such as:

ds-rwe.exe 
f5434.exe 
The typical subject line of these messages is "The picture is sent on SMS".
Detection requirements for these 2 files are the same as yesterday, DAT
version 4522.

Note: Stinger has not been updated for either of these two spammings, as
these two updates were not classified as Medium or above severity.

-- Update 26 June, 2005-- 
There was another round of mass-spamming, of a new Bagle downloader.
Messages may contain an attachment with one of the following names:

Legs.zip 
original.zip 
In_park.zip 
The ZIP files contain a file named f22-013.exe (36,864 bytes)
MD5: 0x3f123980866092fedd6bc75e9b273087

This new variant is detected in the 4522 DAT files.

Check out the following link for more info:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129512

Regards,

Stefan Wiersma
yachtgroup.com

-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com] 
Sent: dinsdag 28 juni 2005 0:42
To: security-basics () securityfocus com
Subject: New Virus?

Hey there everyone,

I received a mysterious email this morning at 1728 GMT which had headers
as follows:

Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [217.125.252.60] (helo=david.org)
        by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
        id 1DmxJg-0003ou-Rg
        for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------hukvuvgobciyuhmojdug"

-------------------- END SNIP-----------------------

As you can guess, I'm hamish1 () webhosting net nz.
This email contained no text, only an attachment called legs.zip, which
Norton (fully updated to its latest version and data files) did not
detect any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this again
was not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which gave
me a memory overflow message for explorer.exe immediately.
Does anyone have any idea of what this might be, and also if it is a
virus that has already been identified? If not, I am willing to pass it
through to someone to take a look at in its zip format.
Otherwise if the effects cannot be reversed, I am afraid I will have to
reformat this machine *sigh* NOT AGAIN :(
Have a great day everyone and thanks in advance for your help.


Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
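Added example, not part of either message in this thread: a small Python mail-gateway check that parses a message like the one Hamish posted and matches it against the indicators Stefan quoted from the McAfee description (subject line, ZIP attachment names, inner executable names and the published MD5). The message and ZIP it inspects are constructed here with a harmless placeholder file, so only the name indicators fire; the MD5 indicator would fire only on the real f22-013.exe. Nothing is extracted to disk or executed, and inner files above a size cap are skipped so a crafted archive cannot exhaust memory. Function names, the size cap and the example.invalid addresses are assumptions of this example.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread from the McAfee W32/Bagle.dldr description
# (updates of 26 and 27 June 2005). Names are compared case-insensitively.
KNOWN_SUBJECT = "The picture is sent on SMS"
KNOWN_ZIP_NAMES = {"legs.zip", "original.zip", "in_park.zip"}
KNOWN_EXE_NAMES = {"f22-013.exe", "ds-rwe.exe", "f5434.exe"}
KNOWN_MD5 = {"3f123980866092fedd6bc75e9b273087"}  # f22-013.exe, 36,864 bytes
MAX_INNER_BYTES = 5 * 1024 * 1024  # assumed cap; real sample is 36,864 bytes


def build_sample_zip(inner_name: str = "ds-rwe.exe") -> bytes:
    """Constructed ZIP holding a harmless placeholder; only the name matches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not the real downloader")
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes, zip_name: str = "legs.zip",
                         subject: str = KNOWN_SUBJECT) -> bytes:
    """Constructed message shaped like the reported one: empty body, one ZIP."""
    msg = EmailMessage()
    msg["From"] = '"Hamish" <hamish1@example.invalid>'   # placeholder address
    msg["To"] = '"Hamish" <hamish1@example.invalid>'
    msg["Subject"] = subject
    msg.set_content("")  # the reported mail carried no text at all
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Parse a raw message and report which thread indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": False, "zip_name_match": [],
                "exe_name_match": [], "md5_match": [], "attachments": []}
    if (msg["Subject"] or "").strip() == KNOWN_SUBJECT:
        findings["subject_match"] = True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        findings["attachments"].append(name)
        if name in KNOWN_ZIP_NAMES:
            findings["zip_name_match"].append(name)
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        # Look inside the archive in memory only; never write or run members.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_INNER_BYTES:
                    continue  # refuse to inflate oversized members
                inner = info.filename.lower()
                digest = hashlib.md5(zf.read(info)).hexdigest()
                if inner in KNOWN_EXE_NAMES:
                    findings["exe_name_match"].append(inner)
                if digest in KNOWN_MD5:
                    findings["md5_match"].append(inner)
    return findings


def verdict(findings: dict) -> bool:
    """True when the message should be quarantined on the thread's indicators."""
    return bool(findings["md5_match"] or findings["exe_name_match"]
                or (findings["subject_match"] and findings["zip_name_match"]))


if __name__ == "__main__":
    result = inspect_message(build_sample_message(build_sample_zip()))
    print(result, "quarantine" if verdict(result) else "pass")
```

A hash match is the strongest signal; the name matches are there because, as the thread shows, the campaign rotated filenames daily while the subject line stayed the same, so a name-plus-subject rule catches the next day's sample before new signatures ship.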


