Full Disclosure mailing list archives
News from Bagle worm
From: Papp Geza <pappgeza () tolna net>
Date: Mon, 26 Jan 2004 12:29:55 +0100
Hi,

News from Win32/Bagle.A. Own experiences:

The worm is launched, it copies itself into the Windows directory and attempts to download and launch Mitglieder, a Trojan proxy server, on the infected machine. This proxy server allows the 'master' to use the infected machine as a platform to send more copies of the malicious code. Currently, all links to Internet sources for downloading Mitglieder are deleted. Thus, I-Worm.Bagle cannot use this technology to increase propagation speed. As a result, at this time, I-Worm.Bagle is using a technique standard for Trojan programs.

Bagle scans the file system on infected machines for files with extensions wab, txt, htm and r1. The worm then sends copies of itself to all email addresses that it uncovers, using a built-in SMTP server. The worm's backdoor functionality opens port 6777, ready to accept incoming connections from a remote user, giving unauthorized access to an affected machine; however, this does not appear to function properly.

If the worm does not make way leaf, at that time lies going over also the regional network. Infection activity's time is allocated: the worm is active only if the system date is set to be prior to January 28th 2004. Therefore his several time is, how able change the system time other date. This is substantial, that activity worm. Antivirus detects programme the start the system time false stood through ahead of what the worm him. This deviates routine, warrants dared ahead of the worm every other detrimental activity that, so that is for a long time active. This dared interesting that, instead of him that, so that worm would close, for the first time anti virus programme off, system makes longer own activity time's modification, may not be his rise. That way worm gets the several time, so that is able that, so that the anti virus neutralises programme, all of system viruses' against protection how.
--
Regards,
Geysap
mailto:pappgeza () tolna net
www.gyik.com "VIRUS CORE TEAM"
====================================
Fiat justitia, pereat mundus!
------------------------------------
we protect your digital worlds...
====================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
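Two host-side triage checks for the indicators the post describes (the port 6777 backdoor listener and the 28 January 2004 activation cut-off), written as an added example rather than code from the post or its author. The netstat output is a constructed Windows-style sample; the trusted reference clock in `clock_rolled_back` is an assumption (for instance a value taken from an NTP server).

```python
import re
from datetime import date

BAGLE_BACKDOOR_PORT = 6777           # backdoor port named in the post
BAGLE_KILL_DATE = date(2004, 1, 28)  # worm is active only before this date

# One line of Windows-style 'netstat -an' output:
# proto, local address, foreign address, optional state.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+\S+\s+(?P<state>\S+)?"
)


def listening_on_port(netstat_lines, port=BAGLE_BACKDOOR_PORT):
    """Return the netstat lines that show a LISTENING socket on `port`."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        # local address is host:port; split on the last ':' so IPv6 forms work
        try:
            local_port = int(m.group("local").rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        state = (m.group("state") or "").upper()
        if local_port == port and state == "LISTENING":
            hits.append(line.strip())
    return hits


def in_active_window(system_date, kill_date=BAGLE_KILL_DATE):
    """True if the worm's own date check would still let it run on this clock."""
    return system_date < kill_date


def clock_rolled_back(system_date, reference_date):
    """Flag a system clock earlier than a trusted reference clock.

    Assumption: reference_date comes from a source the host cannot alter,
    so a rolled-back clock (which keeps the worm inside its window) shows up.
    """
    return system_date < reference_date


# Constructed sample 'netstat -an' output, not captured from a real host
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:1045      192.168.1.1:25         ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]
```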