My next class:

New Bagle variants

Published: 2005-11-01. Last Updated: 2005-11-01 23:04:43 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)

We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms ? empty message body with a ZIP file in the attachment.
Some of them don't have any subject and the sender name will be same as the recipient name with (sometimes) random domain appended.

Some names that have been used are:

Max.zip
Business_dealing.zip
Text_sms.zip
Health_and_Knowledge.zip
The_new_prices.zip
Info_prices.zip

MD5 sums of some variants are:

8275444ac2caac4b90bfd07d0b2b17be    t_535475.exe
18ae7a2fa4dbbf703c3ae157f224186a    text.exe

In the archive there is an executable which, when executed, copies itself to %sysdir%\hloader_exe.exe and drops another DLL header_dll.dll. It also creates an entry in the registry key HKLM/Software/Microsoft/Windows/CurrentVersion/Run named auto__hloader__key.

Thanks to Mike S, Sean K and others for submitting samples and information about these worms.

Mark Tombaugh sent us Snort sigs which can help protect from these new Bagle variants:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Inbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; sid:2002665; rev:1;)

alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Outbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; sid:2002666; rev:1;)

Keywords:
0 comment(s)
My next class:

Comments


Diary Archives