Monday, September 19, 2005

New Bagle Making the Rounds Update

I blogged about a new Beagle variant in the wild last Monday. SANS has posted an update today:
New Bagle Making the Rounds? (NEW)
Published: 2005-09-19,
Last Updated: 2005-09-19 16:13:56 UTC by Tom Liston (Version: 9)

It looks like there is a new Bagle variant making the rounds. The (preliminary) information that we have is:

* The file arrives as a zipped attachment with a filename including the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc.).
* Creates two files: C:\WINDOWS\system32\winshost.exe and C:\WINDOWS\system32\wiwshost.exe
* Launches winshost.exe from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
* This has been classified (by at least one AV vendor) as: TROJ/BAGLEDL-U

While you're waiting for your AV signatures to catch up, you might want to try the following snort sig submitted by ISC reader Mark T (Thank you, Mark!):

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"VIRUS Bagle.CJ SMTP Inbound"; flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; classtype: trojan-activity; sid: 15239638; rev:1;)

An alternate snort rule (provided by the folks at Bleeding Edge):

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; flow: to_server,established; content:"filename="; nocase; pcre:"m/(price2|new_price|08_price|09_price|newprice|new_price|price_new|price|price_08).zip/"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; sid: 2001065; rev:6; )
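The two rules above key on different things, and it is worth seeing exactly what. As an added example (not from the ISC diary, Mark T, Bleeding Edge or this blog), the following Python script evaluates both signatures against a constructed SMTP message and decodes what the ISC rule's base64 strings correspond to inside a ZIP file. Everything in it is made up for illustration: the message, the addresses, and the attachment body, which is just the two base64 fragments at the spacing the rule expects, padded with zero bits. The distance/within evaluation follows the common reading of those Snort modifiers (the second search starts `distance` bytes after the end of the previous match and covers the next `within` bytes); that reading is an assumption, so check it against your engine's documentation before relying on it.

```python
"""Added example, not from the ISC diary or from this blog post: evaluate the two
Snort signatures quoted above against a constructed SMTP message, and decode what
the ISC rule's base64 strings correspond to inside a ZIP file. The message, the
addresses and the attachment bytes are all made up for this illustration."""
import base64
import re
from typing import Optional

# ISC rule (reader Mark T): two content strings searched in the SMTP payload.
FIRST_CONTENT = b"UEsDBBQAAAA"
SECOND_CONTENT = b"EEkIAAAG"
DISTANCE = 12  # skip this many bytes after the end of the first match ...
WITHIN = 20    # ... then search only the next WITHIN bytes for the second

# Bleeding Edge rule: a nocase "filename=" anchor, then the pcre copied verbatim.
FILENAME_ANCHOR = re.compile(rb"filename=", re.IGNORECASE)
PRICE_ZIP_RE = re.compile(
    rb"(price2|new_price|08_price|09_price|newprice|new_price|price_new|price|price_08).zip"
)  # the dot before "zip" is unescaped in the rule, so any character matches there

# ZIP local file header (PKWARE APPNOTE): bytes 0-3 signature, 4-5 version needed,
# 6-7 flags, 14-17 CRC-32, 18-21 compressed size, 22-25 uncompressed size.
ZIP_SIGNATURE = b"PK\x03\x04"


def decode_fragment(fragment: bytes) -> bytes:
    """Decode a base64 fragment, padding it so every byte it fully determines comes out."""
    return base64.b64decode(fragment + b"=" * (-len(fragment) % 4))


def zip_local_header_fields(raw: bytes) -> dict:
    """Fields of a ZIP local file header that the first fragment fixes."""
    return {
        "is_zip": raw[:4] == ZIP_SIGNATURE,
        "version_needed": int.from_bytes(raw[4:6], "little"),  # 0x14 -> "2.0"
        "flags": int.from_bytes(raw[6:8], "little"),           # 0 -> not encrypted
    }


def bytes_covered_by_second_content(first_len=len(FIRST_CONTENT), distance=DISTANCE,
                                    length=len(SECOND_CONTENT)) -> tuple:
    """Map the second fragment back to the raw byte range it constrains.
    Each base64 character carries 6 bits, so character i begins at bit 6*i."""
    start_char = first_len + distance
    first_byte = (start_char * 6) // 8
    last_byte = ((start_char + length) * 6 - 1) // 8
    return first_byte, last_byte


def isc_rule_matches(payload: bytes) -> int:
    """Offset of the second content match, or -1 if the rule would not fire.
    Assumed modifier semantics: the second search begins DISTANCE bytes after
    the end of the first match and spans WITHIN bytes; if it fails, later
    occurrences of the first string are tried, as Snort does."""
    pos = payload.find(FIRST_CONTENT)
    while pos >= 0:
        start = pos + len(FIRST_CONTENT) + DISTANCE
        hit = payload.find(SECOND_CONTENT, start, start + WITHIN)
        if hit >= 0:
            return hit
        pos = payload.find(FIRST_CONTENT, pos + 1)
    return -1


def bleeding_edge_rule_matches(payload: bytes) -> Optional[bytes]:
    """The filename text the pcre matched, or None. As in the rule, the pcre is
    applied to the whole payload once the filename= anchor has been seen."""
    if not FILENAME_ANCHOR.search(payload):
        return None
    m = PRICE_ZIP_RE.search(payload)
    return m.group(0) if m else None


# Constructed attachment body: the two fragments at exactly the spacing the ISC
# rule expects, padded with 'A' (all-zero bits) so the text decodes cleanly.
SAMPLE_B64 = FIRST_CONTENT + b"A" * DISTANCE + SECOND_CONTENT + b"A"

# Constructed SMTP DATA payload carrying that body as a "09_price.zip" attachment.
SAMPLE_MESSAGE = b"".join([
    b"From: sender@example.invalid\r\n",
    b"To: recipient@example.invalid\r\n",
    b"Subject: new price\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n',
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n",
    b"--b1\r\nContent-Type: application/zip\r\n",
    b"Content-Transfer-Encoding: base64\r\n",
    b'Content-Disposition: attachment; filename="09_price.zip"\r\n\r\n',
    SAMPLE_B64, b"\r\n--b1--\r\n",
])


def evaluate(payload: bytes) -> dict:
    """Run both signatures over one SMTP payload and report what fired."""
    return {
        "isc_second_content_at": isc_rule_matches(payload),
        "bleeding_edge_filename": bleeding_edge_rule_matches(payload),
    }


if __name__ == "__main__":
    header = zip_local_header_fields(decode_fragment(FIRST_CONTENT))
    print("first fragment decodes to a ZIP local header:", header)
    print("second fragment pins header bytes", bytes_covered_by_second_content(),
          "(last CRC-32 byte, compressed size, start of uncompressed size)")
    print("sample message:", evaluate(SAMPLE_MESSAGE))
```

Two things the script makes visible. "UEsDBBQAAAA" is simply the base64 of a ZIP local file header (PK\x03\x04, version 2.0, no flags), so on its own it would fire on a great many zipped attachments; it is the second fragment, which lands on header bytes 17 to 23 (the end of the CRC-32 and the compressed-size field), that pins the ISC rule to the one sample it was written from, which is why it may miss a repacked variant. Note also the directions: the ISC rule watches traffic to port 25 on $HOME_NET (the worm arriving at your mail server), while the Bleeding Edge rule watches outbound port 25 (an already-infected host on your network sending itself out), so the two complement each other rather than being alternatives. The Bleeding Edge pcre leaves the dot before "zip" unescaped, so any single character matches in that position.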
