lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <69238072156.20040126122955@tolna.net>
Date: Mon, 26 Jan 2004 12:29:55 +0100
From: Papp Geza <pappgeza@...na.net>
To: Gadi Evron <ge@...tistical.reprehensible.net>
Cc: Sylvain Robitaille <syl@...or.concordia.ca>, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: News from Bagle worm


Hy,
News from :Win32/Bagle.A

Own experiences:
The worm is launched, it copies itself into the Windows directory and
attempts to download and launch Mitglieder, a Trojan proxy server, on
the infected machine. This proxy server allows the 'master' to use the
infected machine as a platform to send more copies of the malicious
code. Currently, all links to Internet sources for downloading Mitglieder
are deleted. Thus, I-Worm.Bagle cannot use this technology to increase
propagation speed. As a result, at this time, I-Worm.Bagle is using a
technique standard for Trojan programs. Bagle scans the file system on
infected machines for files with extensions wab, txt, htm and r1. The
worm then sends copies of itself to all email addresses that it uncovers,
using a built in SMTP server. The worm backdoor functionality opens port
6777 ready to accept incoming connections from a remote user, giving
unauthorized access to an affected machine, however, this does not
appear to function properly.
If the worm does not make way leaf, at that time lies going over also
the regional network. Infection activity's time allocated - the worm is
active only if the system date is set to be prior January 28 th 2004.
Therefore his several time is, how able change the system time other
date. This is substantial, that activity worm. Antivirus detects programme
the start the system time false stood through ahead of what the worm him.
This deviates routine, warrants dared ahead of the worm every other detrimental
activity that, so that is for a long time active. This dared interesting that,
instead of him that, so that worm would close, for the first time anti virus
programme off, system makes longer own activism time's modification, may not
be his rise.. That way worm gets the several time, so that is able that, so
that the anti virus neutralises programme, all of system viruses' gainst
protection how.




-- 
Üdvözlettel,
  Geysap                             mailto:pappgeza@...na.net

www.gyik.com
"VIRUS CORE TEAM"
====================================
Fiat justitia, pereat mundus!
------------------------------------
we protect your digital worlds... 
====================================

















 

 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ