Re: New Mass Mailer Virus
From: Thor (thor_at_hammerofgod.com)
Date: 08/10/04
- Previous message: Jeff pRICHER: "New Mass Mailer Virus"
- Maybe in reply to: Jeff pRICHER: "New Mass Mailer Virus"
- Next in thread: Jyri Hovila: "Re: New Mass Mailer Virus"
To: "Jeff pRICHER" <jeffpricher@yahoo.com>, <incidents@securityfocus.com>
Date: Mon, 9 Aug 2004 16:06:20 -0700
Just to update -- Trend's pattern file 1.953.00 (of OfficeScan), updated
today, does in fact catch price.exe as a virus, and identifies it as
Bagle.AC.
Looks like my "BargainBuddy" information is either outdated, or the Bagle
reference is not entirely correct. I assume the previous, though.
t
----- Original Message -----
From: "Thor" <thor@hammerofgod.com>
To: "Jeff pRICHER" <jeffpricher@yahoo.com>; <incidents@securityfocus.com>
Sent: Monday, August 09, 2004 3:34 PM
Subject: Re: New Mass Mailer Virus
> This one's not being caught by AV (Trend, anyway) -- The zip file appears to
> have a randomized integer appended to the name. I've seen both price2.zip
> and price_8.zip. Looks like Price.htm checks browser settings and does a
> document.write to install under IE with
> CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D- if netscape and launches and
> installs trigger.UpdateEnabled then it uses the trigger.startsoftwareupdate
> method.
>
> However, I show that as adware/spyware, not a Bagle variant... BargainBuddy,
> specifically. However, it does have probably 100 web sites hard-coded
> into the exe that try to pull up www.domain.com/2.jpg. It is always 2.jpg
> looks like, but I was not able to get to that file on any of the referenced
> sites- got 404's on all but one, where I got "The image
> "http://www.dynex.ru/2.jpg" cannot be displayed, because it contains errors."
>
> Just cursory observations...
> T
>
>
>
> ----- Original Message -----
> From: "Jeff pRICHER" <jeffpricher@yahoo.com>
> To: <incidents@securityfocus.com>
> Sent: Monday, August 09, 2004 2:19 PM
> Subject: New Mass Mailer Virus
>
>
> >
> >
> > Looks like a new Bagle variant is on the loose. I saw several hundred in
> > my SMTP filter so far today. They have been arriving in a zip file with
> > price.exe and price.html as the payload. It took some digging to find any
> > information on the web for this and so far the best I've found is from SANS
> > and can be read here http://isc.sans.org/
> >
> >
>