From: Corey.Hart at synopsys.com (Corey Hart)
Subject: (no subject)

From incidents.org. It appears to be a new W32/Bagle variant.

Updated August 9th 2004 18:59 UTC (Handler: Jason Lam)

* New Bagle (?) Variant Spreading

New Bagle Variant Spreading (PRELIMINARY)

We received a number of reports about a new virus. Based on a quick string analysis, we assume that this will be classified as a new member of the 'Bagle' family. Like prior versions, it includes a lengthy list of URLs. Infected systems will likely attempt to contact these URLs.

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

Mitigation

Temporarily quarantine or reject all ZIP attachments until AV vendors release signatures. You may also want to monitor or block access to the URLs listed below. Some AV programs do already identify this new version as malware using generic signatures.

AV Summary (from http://www.virustotal.com)

BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found nothing
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.835/20040806 found [Win32/IE.Dword unknown infection type (Exploit)]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JScript/IE.VM.Exploit]
Symantec 8.0/20040808 found nothing
TrendMicro 7.000/20040804 found nothing

List of URLs (and respective IPs)

Note: From past experience, only a small number of these sites are compromised (if any at all) to update the virus. Most of the sites serve as decoys.
However, virus-infected systems will access these sites and if you for example use a web proxy, you may be able to find infected systems. We do not know if any of these sites are used to update the code, or if they are just used to collect information about infected systems.
------------
johannes ullrich, jullrich ..at.. sans.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)

Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

Jonathan Grotegut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
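The ISC note above points out that web proxy logs can reveal infected hosts because the worm fetches its URL list. The following Python script is an added example, not part of the original post or the ISC diary: it scans constructed Squid native access.log lines for fetches of the /2.jpg URLs, using a small subset of the diary's host list; the second "pattern" verdict for /2.jpg fetches to hosts outside that subset is my generalization, since every URL in the variant's list ends in /2.jpg.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the hosts from the ISC diary quoted above; a real deployment
# would load the full published list instead of this hand-picked sample.
BAGLE_HOSTS = {"polobeer.de", "r2626r.de", "kooltokyo.ru", "szm.sk", "thorpedo.us"}

# Squid native access.log: time elapsed client result/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(url):
    """'ioc' for a listed host fetching /2.jpg, 'pattern' for /2.jpg elsewhere, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/2.jpg"):
        return None
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    return "ioc" if host in BAGLE_HOSTS else "pattern"

def find_infected(log_lines):
    """Map client IP -> sorted list of (verdict, url) for every matching request."""
    hits = defaultdict(list)
    for line in log_lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        verdict = classify(m.group("url"))
        if verdict:
            hits[m.group("client")].append((verdict, m.group("url")))
    return {ip: sorted(v) for ip, v in hits.items()}

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    "1092076800.123    210 10.1.2.3 TCP_MISS/404 412 GET http://polobeer.de/2.jpg - DIRECT/1.2.3.4 text/html",
    "1092076801.456     95 10.1.2.3 TCP_MISS/404 398 GET http://r2626r.de/2.jpg - DIRECT/5.6.7.8 text/html",
    "1092076802.789    300 10.1.2.9 TCP_MISS/200 5120 GET http://www.example.net/index.html - DIRECT/9.9.9.9 text/html",
    "1092076803.012    120 10.1.2.7 TCP_MISS/200 8833 GET http://unlisted.example.org/2.jpg - DIRECT/8.8.8.8 image/jpeg",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, ip_hits in find_infected(SAMPLE_LOG).items():
        for verdict, url in ip_hits:
            print(f"{ip}\t{verdict}\t{url}")
```

A 404 from a decoy host is still a hit: the point is the client asking for the URL, not whether the server answered.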