lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: alan at wylie.me.uk (Alan J. Wylie) Subject: New virus On Mon, 9 Aug 2004 13:03:54 -0600, "Jonathan Grotegut" <jgrotegut@...ectpointe.com> said: > (In regards to new_price.zip file attachment) Anyone have any idea > what this is, we had some clients just get pretty hard with this > email. I am unable to find anything on it, from my VERY Limited > knowledge it appears to be a virus exploiting one of the many holes > in IE. Anyone else see anything on this yet? ClamAV picked it up quickly - a freshclam at Aug 9 17:54 UCT included its signature, after the first two to hit me didn't get trapped. <http://isc.sans.org/diary.php?date=2004-08-09> <cite> Handler's Diary August 9th 2004 Updated August 9th 2004 18:59 UTC * New Bagle (?) Variant Spreading New Bagle Variant Spreading (PRELIMINARY) We received a number of reports about a new virus. Based on a quick string analysis, we assume that this will be classified as a new member of the 'Bagle' family. Like prior versions, it includes a lengthy list of URLs. Infected systems will likely attempt to contact these URLs. All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'. According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe </cite> -- Alan J. Wylie http://www.wylie.me.uk/ "Perfection [in design] is achieved not when there is nothing left to add, but rather when there is nothing left to take away." -- Antoine de Saint-Exupery
Powered by blists - more mailing lists