lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: Corey.Hart at synopsys.com (Corey Hart)
Subject: (no subject)

>From incidents.org.  I appears to be a new W32/Bagel Variant.

Updated August 9th 2004 18:59 UTC (Handler: Jason Lam) 
* New Bagle (?) Variant Spreading
New Bagle Variant Spreading 

(PRELIMINARY) 

We received a number of reports about a new virus. Based on a quick string
analysis, we assume that this will be classified as a new member of the
'Bagle' family. Like prior versions, it includes a lengthy list of URLs.
Infected systems will likely attempt to contact these URLs. 

All samples received so far arrive without subject. Attachment names are
price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads
'price' or 'new price'. 

According to handler Tom Liston, the virus installs itself as
C:\WINDOWS\System32\WINdirect.exe and runs from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe 

Mitigation 

Temporarily quarantine or reject all ZIP attachments until AV vendors
release signatures. You may also want to monitor or block access to the URLs
listed below. Some AV programs do already identify this new version as
malware using generic signatures. 

AV Summary (fromhttp://www.virustotal.com ) 


BitDefender     7.0/20040809    found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc   4641/20040728   found [JScript/IE.VM.Exploit]
F-Prot  3.15/20040809   found nothing
Kaspersky       4.0.2.23/20040809       found nothing
McAfee  4383/20040804   found [JS/IllWill]
NOD32v2 1.835/20040806  found [Win32/IE.Dword unknown infection type
(Exploit)]
Norman  5.70.10/20040806        found [W32/Malware]
Panda   7.02.00/20040809        found [Fichero Sospechoso]
Sybari  7.5.1314/20040809       found [JScript/IE.VM.Exploit]
Symantec        8.0/20040808    found nothing
TrendMicro      7.000/20040804  found nothing
 

List of URLs (and respective IPs) 

Note: From past experience, only a small number of these sites is
compromised (if any at all) to update the virus. Most of the sites serve as
decoys. However, virus infected systems will access these sites and if you
for example use a web proxy, you may be able to find infected systems. 

We do not know if any of these sites are used to update the code, or if they
are just used to collect information about infected systems. 


 
http://polobeer.de/2.jpg
http://r2626r.de/2.jpg
http://kooltokyo.ru/2.jpg
http://mmag.ru/2.jpg
http://advm1.gm.fh-koeln.de/2.jpg
http://evadia.ru/2.jpg
http://megion.ru/2.jpg
http://molinero-berlin.de/2.jpg
http://dozenten.f1.fhtw-berlin.de/2.jpg
http://shadkhan.ru/2.jpg
http://sacred.ru/2.jpg
http://kypexin.ru/2.jpg
http://www.gantke-net.com/2.jpg
http://www.mcschnaeppchen.com/2.jpg
http://www.rollenspielzirkel.de/2.jpg
http://134.102.228.45/2.jpg
http://196.12.49.27/2.jpg
http://aus-Zeit.com/2.jpg
http://lottery.h11.ru/2.jpg
http://herzog.cs.uni-magdeburg.de/2.jpg
http://yaguark.h10.ru/2.jpg
http://213.188.129.72/2.jpg
http://thorpedo.us/2.jpg
http://szm.sk/2.jpg
http://lars-s.privat.t-online.de/2.jpg
http://www.no-abi2003.de/2.jpg
http://www.mdmedia.org/2.jpg
http://abi-2004.org/2.jpg
http://sovea.de/2.jpg
http://www.porta.de/2.jpg
http://matzlinger.com/2.jpg
http://pocono.ru/2.jpg
http://controltechniques.ru/2.jpg
http://alexey.pioneers.com.ru/2.jpg
http://momentum.ru/2.jpg
http://omegat.ru/2.jpg
http://www.perfectgirls.net/2.jpg
http://porno-mania.net/2.jpg
http://colleen.ai.net/2.jpg
http://ourcj.com/2.jpg
http://free.bestialityhost.com/2.jpg
http://slavarik.ru/2.jpg
http://burn2k.ipupdater.com/2.jpg
http://carabi.ru/2.jpg
http://spbbook.ru/2.jpg
http://binn.ru/2.jpg
http://sbuilder.ru/2.jpg
http://protek.ru/2.jpg
http://www.PlayGround.ru/2.jpg
http://celine.artics.ru/2.jpg
http://www.artics.ru/2.jpg
http://www.laserbuild.ru/2.jpg
http://www.lamatec.com/2.jpg
http://www.sensi.com/2.jpg
http://www.oldtownradio.com/2.jpg
http://www.youbuynow.com/2.jpg
http://64.62.172.118/2.jpg
http://www.tayles.com/2.jpg
http://dodgetheatre.com/2.jpg
http://www.thepositivesideofsports.com/2.jpg
http://www.bridesinrussia.com/2.jpg
http://fairy.dataforce.net/2.jpg
http://www.pakwerk.ru/2.jpg
http://home.profootball.ru/2.jpg
http://www.ankil.ru/2.jpg
http://www.ddosers.net/2.jpg
http://tarkosale.net/2.jpg
http://www.boglen.com/2.jpg
http://change.east.ru/2.jpg
http://www.teatr-estrada.ru/2.jpg
http://www.glass-master.ru/2.jpg
http://www.zeiss.ru/2.jpg
http://www.sposob.ru/2.jpg
http://www.glavriba.ru/2.jpg
http://alfinternational.ru/2.jpg
http://euroviolence.com/2.jpg
http://www.webronet.com/2.jpg
http://www.virtmemb.com/2.jpg
http://www.infognt.com/2.jpg
http://www.vivamedia.ru/2.jpg
http://www.zelnet.ru/2.jpg
http://www.dsmedia.ru/2.jpg
http://www.vendex.ru/2.jpg
http://www.elit-line.ru/2.jpg
http://pixel.co.il/2.jpg
http://www.milm.ru/2.jpg
http://dev.tikls.net/2.jpg
http://www.met.pl/2.jpg
http://www.strefa.pl/2.jpg
http://kafka.punkt.pl/2.jpg
http://www.rubikon.pl/2.jpg
http://www.neostrada.pl/2.jpg
http://werel1.web-gratis.net/2.jpg
http://www.tuhart.net/2.jpg
http://www.antykoncepcja.net/2.jpg
http://www.dami.com.pl/2.jpg
http://vip.pnet.pl/2.jpg
http://www.webzdarma.cz/2.jpg
http://emnesty.w.interia.pl/2.jpg
http://niebo.net/2.jpg
http://strony.wp.pl/2.jpg
http://sec.polbox.pl/2.jpg
http://www.phg.pl/2.jpg
http://emnezz.e-mania.pl/2.jpg
http://www.republika.pl/2.jpg
http://www.silesianet.pl/2.jpg
http://www.republika.pl/2.jpg
http://tdi-router.opola.pl/2.jpg
http://republika.pl/2.jpg
http://infokom.pl/2.jpg
http://silesianet.pl/2.jpg
http://terramail.pl/2.jpg
http://silesianet.pl/2.jpg
http://www.iluminati.kicks-ass.net/2.jpg
http://www.dilver.ru/2.jpg
http://www.yarcity.ru/2.jpg
http://www.scli.ru/2.jpg
http://www.elemental.ru/2.jpg
http://diablo.homelinux.com/2.jpg
http://www.interrybflot.ru/2.jpg
http://www.webpark.pl/2.jpg
http://www.rafani.cz/2.jpg
http://gutemine.wu-wien.ac.at/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://pb195.slupsk.sdi.tpnet.pl/2.jpg
http://www.ciachoo.pl/2.jpg
http://cavalierland.5u.com/2.jpg
http://www.nefkom.net/2.jpg
http://rausis.latnet.lv/2.jpg
http://www.hgr.de/2.jpg
http://www.airnav.com/2.jpg
http://www.astoria-stuttgart.de/2.jpg
http://ultimate-best-hgh.0my.net/2.jpg
http://wynnsjammer.proboards18.com/2.jpg
http://www.jewishgen.org/2.jpg
http://www.hack-gegen-rechts.com/2.jpg
http://host.wallstreetcity.com/2.jpg
http://quotes.barchart.com/2.jpg
http://www.aannemers-nederland.nl/2.jpg
http://www.sjgreatdeals.com/2.jpg
http://financial.washingtonpost.com/2.jpg
http://www.biratnagarmun.org.np/2.jpg
http://hsr.zhp.org.pl/2.jpg
http://traveldeals.sidestep.com/2.jpg
http://www.hbz-nrw.de/2.jpg
http://www.ifa-guide.co.uk/2.jpg
http://www.inversorlatino.com/2.jpg
http://www.zhp.gdynia.pl/2.jpg
http://host.businessweek.com/2.jpg
http://packages.debian.or.jp/2.jpg
http://www.math.kobe-u.ac.jp/2.jpg
http://www.k2kapital.com/2.jpg
http://www.tanzen-in-sh.de/2.jpg
http://www.wapf.com/2.jpg
http://www.hgrstrailer.com/2.jpg
http://www.forbes.com/2.jpg
http://www.oshweb.com/2.jpg
http://www.rumbgeo.ru/2.jpg
http://www.dicto.ru/2.jpg
http://www.busheron.ru/2.jpg
http://www.omnicom.ru/2.jpg
http://www.teleline.ru/2.jpg
http://www.dynex.ru/2.jpg
http://www.gamma.vyborg.ru/2.jpg
http://nominal.kaliningrad.ru/2.jpg
http://www.baltmatours.com/2.jpg
http://www.interfoodtd.ru/2.jpg
http://www.baltnet.ru/2.jpg
http://www.neprifan.ru/2.jpg
http://photo.gornet.ru/2.jpg
http://www.aktor.ru/2.jpg
http://catalog.zelnet.ru/2.jpg
http://www.sdsauto.ru/2.jpg
http://www.gradinter.ru/2.jpg
http://www.avant.ru/2.jpg
http://www.porsa.ru/2.jpg
http://www.taom-clan.de/2.jpg
http://www.perfectjewel.com/2.jpg
http://www.vrack.net/2.jpg
http://www.netradar.com/2.jpg
http://www.pgipearls.com/2.jpg
http://www.vconsole.net/2.jpg
http://www.ccbootcamp.com/2.jpg
http://host23.ipowerweb.com/2.jpg
http://www.timelessimages.com/2.jpg
http://www.peterstar.ru/2.jpg
http://www.5100.ru/2.jpg
http://www.gin.ru/2.jpg
http://www.rweb.ru/2.jpg
http://www.metacenter.ru/2.jpg
http://www.biysk.ru/2.jpg
http://www.free-time.ru/2.jpg
http://www.rastt.ru/2.jpg
http://www.chelny.ru/2.jpg
http://www.chat4adult.com/2.jpg
http://www.landofcash.net/2.jpg
http://relay.great.ru/2.jpg
http://www.kefaloniaresorts.com/2.jpg
http://www.epski.gr/2.jpg
http://www.myrtoscorp.com/2.jpg
http://www.aphel.de/2.jpg
http://www.intellect.lvc/2.jpg
http://www.abcdesign.ru/2.jpg
 
ASN's
 
680     | 139.6.57.1       | DFN-IP service G-WiN          
680     | 141.44.21.8      | DFN-IP service G-WiN          
680     | 141.45.186.7     | DFN-IP service G-WiN          
680     | 193.30.112.108   | DFN-IP service G-WiN          
702     | 194.172.67.203   | AS702 MCI EMEA - Commercial IP
702     | 194.175.222.203  | AS702 MCI EMEA - Commercial IP
1241    | 62.1.1.88        | FORTHNET-GR FORTHnet          
1776    | 137.208.3.39     | Wirtschaftsuniversitaet Wien  
2118    | 193.124.133.146  | RELCOM-AS RELCOM Autonomous Sy
2118    | 194.135.19.36    | RELCOM-AS RELCOM Autonomous Sy
2588    | 159.148.108.6    | LATNET                        
2828    | 207.155.252.18   | XOXO XO Communications        
2854    | 193.232.88.155   | ROSPRINT-AS RoSprint AS (Globa
2907    | 133.30.64.174    | ERX-SINET-AS National Center f
3209    | 82.82.222.142    | Arcor IP-Network              
3216    | 194.154.72.16    | SOVAM-AS Golden Telecom, Mosco
3216    | 194.186.45.233   | SOVAM-AS Golden Telecom, Mosco
3320    | 80.140.195.108   | Deutsche Telekom AG           
3320    | 80.142.224.214   | Deutsche Telekom AG           
3320    | 80.150.6.138     | Deutsche Telekom AG           
3356    | 62.67.235.172    | LEVEL3 Level 3 Communications 
3491    | 205.177.28.149   | CAIS CAIS Internet            
3561    | 64.14.68.249     | CWU Cable & Wireless USA      
4264    | 63.240.4.179     | CERFN California Education and
4436    | 69.22.176.213    | NLAYE nLayer Communications, I
4613    | 202.52.244.4     | MOS-NP Mercantile Office Syste
5616    | 193.192.163.30   | SATNET ASN                    
5617    | 195.116.39.25    | TPNET Polish Telecom's commerc
5617    | 195.117.150.132  | TPNET Polish Telecom's commerc
5617    | 213.25.234.195   | TPNET Polish Telecom's commerc
5617    | 217.97.186.5     | TPNET Polish Telecom's commerc
5617    | 80.53.119.186    | TPNET Polish Telecom's commerc
6405    | 64.156.241.160   | AI American Information Networ
6690    | 195.131.87.88    | WEBplus Ltd.                  
6714    | 217.197.68.34    | ATOMNET ATOM SA               
6724    | 192.67.198.52    | STRATO Strato AG              
6724    | 81.169.145.90    | STRATO Strato AG              
6731    | 82.204.131.6     | COMSTAR-AS COMSTAR Telecommuni
6850    | 212.119.181.130  | METROCOM-AS JSC "METROCOM"    
6855    | 212.5.219.3      | SK SLOVAK TELECOM, AS6855     
6939    | 64.62.155.238    | HURC Hurricane Electric       
7018    | 12.129.211.123   | ATTW AT&T WorldNet Services   
7201    | 66.54.130.236    | TELESC-7 Telescan, Inc.       
7332    | 204.180.42.17    | IQUEST IQuest Internet        
7880    | 198.137.221.35   | NEURAL-5 Neural Applications  
8001    | 207.99.96.49     | NAC-53 Net Access Corporation 
8001    | 216.118.85.172   | NAC-53 Net Access Corporation 
8246    | 217.153.166.2    | INTERNET-TECHNOLOGIES-POLSKA-A
8263    | 195.16.118.130   | PORTAL Portal Autonomous Syste
8342    | 195.161.113.7    | RTCOMM-AS RTComm.RU Autonomous
8342    | 217.107.222.118  | RTCOMM-AS RTComm.RU Autonomous
8342    | 81.176.64.92     | RTCOMM-AS RTComm.RU Autonomous
8359    | 62.118.251.84    | MTUONLINE MTU-Intel Moscow reg
8395    | 195.170.45.1     | EAST-AS East Telecom ISP Auton
8402    | 195.14.47.9      | CORBINA-AS Corbina telecom    
8402    | 62.205.161.217   | CORBINA-AS Corbina telecom    
8515    | 195.42.160.19    | DATAFORCE-AS DataForce        
8560    | 195.20.225.29    | SCHLUND-AS Schlund + Partner A
8560    | 212.227.127.212  | SCHLUND-AS Schlund + Partner A
8560    | 82.165.32.146    | SCHLUND-AS Schlund + Partner A
8888    | 212.22.88.39     | COMTAT-AS Comtat Inc. Autonomo
8905    | 212.34.32.4      | SITEK-AS Sitek Global Network 
9072    | 212.204.66.1     | AS9072 NEFkom Telekommunikatio
10316   | 216.55.177.49    | ABAC Abacus America Inc.      
10843   | 216.117.185.182  | AIT-9 Advanced Internet Techno
11766   | 216.23.217.130   | AISV Alpha Internet Services, 
12312   | 217.195.36.50    | TISCALI-DE Tiscali Business Gm
12314   | 212.42.38.194    | ROPNET-AS RopNet Autonomous Sy
12741   | 81.210.1.135     | INTERNETIA-AS Netia Commercial
12827   | 212.77.101.149   | WIRTUALNAPOLSKA Wirtualna Pols
12846   | 212.94.102.68    | AltaiTelecom Autonomous System
12990   | 213.180.128.160  | ONET-PL-AS1 Onet.pl portal net
13095   | 213.150.64.6     | CTK-NET-AS SeverTransCom Netwo
13237   | 217.71.171.55    | LAMBDANET-AS European Backbone
13237   | 81.209.148.231   | LAMBDANET-AS European Backbone
13749   | 207.44.240.78    | EVRY Everyones Internet, Inc. 
13749   | 216.127.68.127   | EVRY Everyones Internet, Inc. 
13749   | 216.40.226.29    | EVRY Everyones Internet, Inc. 
13749   | 66.98.164.63     | EVRY Everyones Internet, Inc. 
14744   | 63.251.163.112   | PNAP Internap Network Services
15031   | 216.138.240.196  | WIZN Wiznet Inc.              
15276   | 64.89.234.34     | INTUIT-21 Intuitive Logic     
15685   | 217.11.237.193   | AS15685 Casablanca INT Autonom
15726   | 217.14.162.3     | MARCANT-AS Marcant Internet Se
15756   | 217.23.157.183   | CARAVAN ISP "CARAVAN"         
15756   | 62.213.67.190    | CARAVAN ISP "CARAVAN"         
15833   | 62.233.237.195   | FUTURO-AS Futuro Poland Autono
15967   | 194.42.46.253    | NETART NetArt Autonomous Syste
16020   | 217.26.6.4       | TASCOM Tascom Autonomous Syste
16138   | 217.74.64.34     | INTERIAPL INTERIA.PL Autonomou
16676   | 208.169.221.37   | BARCHA Barchart.com, Inc.     
16734   | 64.211.248.16    | SMARTB-8 Smartbasket.com      
17054   | 216.146.237.140  | EXPEDI-6 e-xpedient           
19024   | 64.74.96.249     | PNAP Internap Network Services
19422   | 200.58.141.81    | Movicom BellSouth             
20519   | 217.168.64.50    | BALTNET BALTNET Autonomous Sys
20597   | 81.222.134.15    | ELTEL-AS ELTEL.net Autonomous 
20712   | 81.187.187.15    | AS20712 Andrews + Arnold Ltd  
20797   | 217.199.97.78    | IPASAULE-AS Interneta Pasaule 
21123   | 193.109.91.133   | INCENTIAS INCENTI Autonomus Sy
21395   | 193.110.120.26   | TPI tp internet Sp. z o.o.    
21480   | 80.250.64.62     | WBT-AS WestBalt Telecom networ
21844   | 69.93.35.242     | THEPL-1 THE PLANET            
22653   | 66.154.18.166    | GLOBAL-369 Global Compass, Inc
22725   | 64.94.29.14      | NEWNET-1 New.net, Inc.        
23343   | 66.234.224.13    | TRANSB-8 Transbeam Inc.       
24587   | 194.246.114.46   | NL-IO Autonomous System for In
24626   | 81.18.138.2      | TTKNN-AS CJSC "TransTelecom-NN
24638   | 81.19.74.88      | RAMBLER-TELECOM-AS Rambler Tel
24930   | 81.31.7.83       | CECOM-AS CECOM Czech          
25074   | 213.203.228.23   | INETBONE-AS INET-People Provid
25272   | 80.92.97.12      | SINSTELECOM-AS Autonomous Syst
25308   | 212.118.44.66    | CITYLAN-AS CityLanCom, ISP, Mo
26085   | 66.163.161.45    | YAOO Yahoo!                   
26201   | 208.185.127.160  | ABOUTC-1 About.com            
26914   | 216.195.34.121   | GLOBA-10 Global Netoptex, Inc 
29076   | 195.128.50.163   | HOSTER-RU-AS Hoster.RU autonom
29182   | 82.146.33.247    | ISPSYSTEM-AS ISPsystem Autonom
29314   | 82.139.8.2       | DAMINET-AS Telewizja Kablowa D
29339   | 195.137.212.24   | MBBG-AS Markus Bach Betriebs G
30968   | 195.208.235.68   | INFOBOX-AS Net of Alkor Ltd, h
 

------------
johannes ullrich, jullrich ..at.. sans.org 


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Jonathan
Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)


(In regards to new_price.zip file attachment)

Anyone have any idea what this is, we had some clients just get pretty hard
with this email.  I am unable to find anything on it, from my VERY Limited
knowledge it appears to be a virus exploiting one of the many holes in IE.
Anyone else see anything on this yet?

Jonathan Grotegut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists