Security Incidents mailing list archives

Re: New Mass Mailer Virus


From: "Thor" <thor () hammerofgod com>
Date: Mon, 9 Aug 2004 16:06:20 -0700

Just to update-- Trend's pattern file 1.953.00, (of OfficeScan) updated
today, does in fact catch price.exe as a virus, and identifies it as
Bagel.AC.

Looks like my "BargainBuddy" information is either outdated, or the Bagle
reference is not entirely correct.  I assume the previous, though.

t



----- Original Message ----- 
From: "Thor" <thor () hammerofgod com>
To: "Jeff pRICHER" <jeffpricher () yahoo com>; <incidents () securityfocus com>
Sent: Monday, August 09, 2004 3:34 PM
Subject: Re: New Mass Mailer Virus


This one's not being caught by AV (trend, anyway) -- The zip file appears to
have a randomized integer appended to the name. I've seen both price2.zip
and price_8.zip. Looks like Price.htm checks browser settings and does a
document.write to install under IE with
CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D- if netscape and launches and
installs trigger.UpdateEnabled then it uses the trigger.startsoftwareupdate
method.

However, I show that as adware/spyware, not a Bagle variant... BargainBuddy,
specifically. However, it does have probably 100 web sites hard-coded
into the exe that try to pull up www.domain.com/2.jpg. It is always 2.jpg
looks like, but I was not able to get to that file on any of the referenced
sites - got 404's on all but one, where I got "The image
"http://www.dynex.ru/2.jpg" cannot be displayed, because it contains
errors."

Just cursory observations...
T



----- Original Message ----- 
From: "Jeff pRICHER" <jeffpricher () yahoo com>
To: <incidents () securityfocus com>
Sent: Monday, August 09, 2004 2:19 PM
Subject: New Mass Mailer Virus




Looks like a new Bagle variant is on the loose. I saw several hundred in
my SMTP filter so far today. They have been arriving in a zip file with
price.exe and price.html as the payload. It took some digging to find any
information on the web for this and so far the best I've found is from SANS
and can be read here http://isc.sans.org/
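A small mail-gateway check for the attachment pattern the thread describes (a zip named "price" plus a random integer, carrying price.exe and an HTML file), added here as an example and not code from either poster. It assumes both the .htm and .html spellings of the HTML member, and the sample archive it builds is constructed inert test data.

```python
import io
import re
import zipfile

# Attachment name reported in the thread: "price", an optional underscore and
# a random integer, e.g. price2.zip or price_8.zip (plain price.zip also matches).
PRICE_ZIP_RE = re.compile(r"^price_?\d*\.zip$", re.IGNORECASE)

# Member names reported in the thread; .htm/.html both accepted (assumption).
PAYLOAD_MEMBERS = {"price.exe", "price.htm", "price.html"}


def suspicious_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment matches the reported sample.

    An empty list means no match. Only the zip's member names are read;
    nothing is extracted or run.
    """
    reasons: list[str] = []
    if not PRICE_ZIP_RE.match(name):
        return reasons
    reasons.append(f"zip name matches price<digits>.zip pattern: {name}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {info.filename.lower() for info in zf.infolist()}
    except zipfile.BadZipFile:
        reasons.append("not a valid zip archive")
        return reasons
    hits = sorted(members & PAYLOAD_MEMBERS)
    if hits:
        reasons.append("contains reported payload member(s): " + ", ".join(hits))
    return reasons


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test data: an in-memory zip holding the given inert members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"price.exe": b"placeholder", "price.htm": b"<html></html>"})
    for reason in suspicious_attachment("price_8.zip", sample):
        print(reason)
```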




