Re: New Mass Mailer Virus

From: Thor (
Date: 08/10/04

  • Next message: Jyri Hovila: "Re: New Mass Mailer Virus"
    To: "Jeff pRICHER" <>, <>
    Date: Mon, 9 Aug 2004 16:06:20 -0700

    Just to update-- Trend's pattern file 1.953.00, (of OfficeScan) updated
    today, does in fact catch price.exe as a virus, and identifies it as

    Looks like my "BargainBuddy" information is either outdated, or the Bagle
    reference is not entirely correct. I assume the previous, though.


    ----- Original Message -----
    From: "Thor" <>
    To: "Jeff pRICHER" <>; <>
    Sent: Monday, August 09, 2004 3:34 PM
    Subject: Re: New Mass Mailer Virus

    > This one's not being caught by AV (trend, anyway) -- The zip file appears
    > have a randomized integer appended to the name. I've seen both
    > and Looks like Price.htm checks browser settings and does a
    > document.write to install under IE with
    > CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D- if netscape and launches and
    > installs trigger.UpdateEnabled then it uses the
    > method.
    > However, I show that as adware/spyware, not a Bagle variant...
    > specifically. However, it does have probably a 100 web sites hard-coded
    > into the exe that try to pull up It is always 2.jpg
    > looks like, but I was not able to get to that file on any of the
    > sites- got 404's on all but one, where I got " The image
    > "" cannot be displayed, because it contains
    > "
    > Just cursory observations...
    > T
    > ----- Original Message -----
    > From: "Jeff pRICHER" <>
    > To: <>
    > Sent: Monday, August 09, 2004 2:19 PM
    > Subject: New Mass Mailer Virus
    > >
    > >
    > > Looks like a new Bagle variant is one the loose. I saw several hundred
    > my SMTP filter so far today. They have been arriving in a zip file with
    > price.exe and price.html as the payload. It took some digging to find any
    > information on the web for this and so far the best I've found is from
    > and can be read here
    > >
    > >

  • Next message: Jyri Hovila: "Re: New Mass Mailer Virus"