Re: [Full-Disclosure] New virus
- To: "Full-disclosure" <full-disclosure@xxxxxxxxxx>
- Subject: Re: [Full-Disclosure] New virus
- From: alan@xxxxxxxxxxx (Alan J. Wylie)
- Date: 09 Aug 2004 20:58:51 +0100
On Mon, 9 Aug 2004 13:03:54 -0600, "Jonathan Grotegut"
<jgrotegut@xxxxxxxxxxxxxxxx> said:
> (In regards to the new_price.zip file attachment) Anyone have any idea
> what this is? We had some clients just get hit pretty hard with this
> email. I am unable to find anything on it; from my VERY limited
> knowledge it appears to be a virus exploiting one of the many holes
> in IE. Anyone else see anything on this yet?
ClamAV picked it up quickly - a freshclam at Aug 9 17:54 UTC included
its signature, after the first two to hit me didn't get trapped.
<http://isc.sans.org/diary.php?date=2004-08-09>
<cite>
Handler's Diary August 9th 2004
Updated August 9th 2004 18:59 UTC
* New Bagle (?) Variant Spreading
New Bagle Variant Spreading
(PRELIMINARY)
We received a number of reports about a new virus. Based on a
quick string analysis, we assume that this will be classified as a
new member of the 'Bagle' family. Like prior versions, it includes
a lengthy list of URLs. Infected systems will likely attempt to
contact these URLs.
All samples received so far arrive without subject. Attachment
names are price2.zip, new__price.zip, 08_price.zip, and likely
others. The text reads 'price' or 'new price'.
According to handler Tom Liston, the virus installs itself as
C:\WINDOWS\System32\WINdirect.exe and runs from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe
</cite>
--
Alan J. Wylie http://www.wylie.me.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
-- Antoine de Saint-Exupery
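The mail-side indicators quoted above (no subject, a 'price'/'new price' body, a price-named zip attachment) can be turned into a gateway check. The following is an added example, not part of the original post or of ClamAV's signature; the sample messages it builds are constructed here, and the requirement of two matching indicators is an assumed threshold to limit false positives.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and body strings reported in the ISC diary and the original post
SUSPECT_NAMES = {"price2.zip", "new__price.zip", "08_price.zip", "new_price.zip"}
SUSPECT_BODIES = {"price", "new price"}


def bagle_indicators(raw: bytes) -> list[str]:
    """Return the list of diary indicators that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Samples in the diary arrived with no subject at all
    if not (msg.get("Subject") or "").strip():
        hits.append("empty subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SUSPECT_NAMES:
            hits.append(f"attachment {name}")
        elif name.endswith(".zip") and "price" in name:
            # generalisation: other price-themed zip names ("and likely others")
            hits.append(f"price-themed zip {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body else ""
    if text in SUSPECT_BODIES:
        hits.append(f"body text {text!r}")
    return hits


def is_suspect(raw: bytes) -> bool:
    # Assumed threshold: a single indicator (e.g. an empty subject) is too weak on its own
    return len(bagle_indicators(raw)) >= 2


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message; the attachment is a placeholder, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not malware",
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(bagle_indicators(build_sample("", "new price", "new__price.zip")))
```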
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html