Security Basics mailing list archives

RE: New Virus?

From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Thu, 30 Jun 2005 09:15:51 +0000

Hi there everyone,

Thanks so much for everyone who offered their help and advice. I managed toremove the virus manually and it was correctly predicted by many of you asW32/Bagle.dldr.I was unsure of what it was as my Norton package did not detect it (hmm) -hopefully Symantec will put this in their next lot of virus signature files.

Thanks again everyone!
Thread end.


Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com

From: "J.Ayoola" <J.Ayoola () westminster ac uk>
To: "'Hamish Stanaway'" <koremeltdown () hotmail com>
CC: <security-basics () securityfocus com>
Subject: RE: New Virus?
Date: Wed, 29 Jun 2005 10:14:37 +0100
MIME-Version: 1.0

Received: from outgoing.securityfocus.com ([205.206.231.27]) bymc10-f2.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 29 Jun 200516:03:27 -0700Received: from outgoing.securityfocus.com by outgoing.securityfocus.comvia smtpd (for mail.hotmail.com [65.54.166.230]) with ESMTP; Wed, 29Jun 2005 16:03:27 -0700Received: from lists.securityfocus.com (lists.securityfocus.com[205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid6781A237548; Wed, 29 Jun 2005 13:22:17 -0600 (MDT)

Received: (qmail 5037 invoked from network); 29 Jun 2005 09:54:43 -0000
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPtfpLB7P/ybN8=
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Organization: University of Westminster
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcV8OOMYc25f2e2qQwiaoEMI4peaOAAUX/Tg

X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/)*1DnYea-00065a-00*mSvnYnPQ5ig*Return-Path:security-basics-return-34487-koremeltdown=hotmail.com () securityfocus comX-OriginalArrivalTime: 29 Jun 2005 23:03:27.0478 (UTC)FILETIME=[C263B960:01C57CFE]


Hamish,
This appears to be the trojan W32/Bagle.dldr.  McAfee has been detecting it
since the 26th of June. Click on the link for more info.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129512

Regards,
Judie


-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: 27 June 2005 23:42
To: security-basics () securityfocus com
Subject: New Virus?

Hey there everyone,

I recieved a mysterious email this morning at 1728 GMT which had headers as
follows:

Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [217.125.252.60] (helo=david.org)
        by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
        id 1DmxJg-0003ou-Rg
        for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------hukvuvgobciyuhmojdug"

-------------------- END SNIP-----------------------

As you can guess, I'm hamish1 () webhosting net nz.
This email contained no text, only an attachment called legs.zip, which
Norton (fully updated to its' latest version and data files) did not detect
any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this again was
not detected as a virus.

My girlfriend thought she would be smart and ran ds-rwe.exe, which gave mea


memory overflow message for explorer.exe immidiately.
Does anyone have any idea of what this might be, and also if it is a virus

that has already been identified? If not, I am willing to pass it throughto


someone to take a look at in its' zip format.
Otherwise if the effects cannot be reversed, I am afraid I will have to
reformat this machine *sigh* NOT AGAIN :(
Have a great day everyone and thanks in advance for your help.


Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com

Current thread:

New Virus? Hamish Stanaway (Jun 28)
- Re: New Virus? Paul Kurczaba (Jun 29)
- RE: New Virus? David Gillett (Jun 29)
- Re: New Virus? securityfocus (Jun 29)
- Re: New Virus? Ansgar -59cobalt- Wiechers (Jun 29)
- Re: New Virus? cc (Jun 29)
- Re: New Virus? Alan Apperson (Jun 29)
- Re: New Virus? Justin Gill (Jun 29)
- Re: New Virus? ChayoteMu (Jun 29)
- RE: New Virus? J.Ayoola (Jun 29)
  - RE: New Virus? Hamish Stanaway (Jun 30)
- <Possible follow-ups>
- RE: New Virus? Dan Denton (Jun 29)
- RE: New Virus? Hayden Searle (Jun 29)
- re: New Virus? meowbaby (Jun 29)
- RE: New Virus? Wiersma, S. (Stefan) (Jun 29)