
Re: [Full-Disclosure] New Virus under way ...



"Richard" <guruban@xxxxxxxxxx> wrote:

> Looks to be the latest in the Bagle / Beagle family. Symantec have got it
> as the W32.Beagle.O@mm, discovered March 18 10:00

Yes -- there is huge naming confusion with the Bagles.

This is partly because of similarities between some Bagle variants and 
some of the Mitglieder proxy Trojans and some vendors choosing Bagle 
variant slots for what are "really" Mitglieders.  It's also partly due 
to some vendors not reporting as the same variant what are really the 
same variants packed with different runtime decompressors.

However, the rash of new Bagle variants "last night" (for me) allowed 
us to synchronize variant names at Bagle.R (unfortunately Symantec and 
perhaps a few others had already named what most now have as Bagle.Q, 
so there may be a small amount of confusion over that variant).  Also 
note that the forms of the Email messages sent by Bagle.Q, .R, .S & .T 
are identical, as these messages do not carry a copy of the virus.  
Which variant the victim actually gets depends on what the machine at 
the IP in the victim's message is serving up when the victim's browser 
goes asking.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html