FW: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website
From: Hayden Searle (hayden.searle_at_safecom.co.nz)
Date: 06/29/05
- Previous message: Ansgar -59cobalt- Wiechers: "Re: New Virus?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Jun 2005 12:44:05 +1200
To: <security-basics@securityfocus.com>, "Distribution SSC DL Operations" <ops@safecom.co.nz>, "Mike Seddon" <Mike.Seddon@safecom.co.nz>
-----Original Message-----
From: samples@sophos.com.au [mailto:samples@sophos.com.au]
Sent: Wednesday, 29 June 2005 12:38 p.m.
To: Hayden Searle
Subject: Re: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website
Please quote [QAW-VAWU-AW34] in the subject line of any further
correspondence related to this query.
Hi
Thank you for contacting Sophos Technical Support.
The sample e-mail you have sent in for analysis does contain the virus
Troj/BagleDl-R.
Troj/BagleDl-R is a downloader Trojan which will download, install and
run new software without notification that it is doing so.
Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related applications

Troj/BagleDl-R then attempts to download files from remote websites and run them.
Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate
itself.
To remove the Virus/Trojan please visit the Sophos website and download
the latest IDE files from the below URL:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html
For manual removal refer to below link under recovery:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html
Regards,
> The following virus sample was submitted on:
> Tue Jun 28 22:03:28 2005
>
> ________________________________________________________________________________
>
> Name: Hayden Searle
> Telephone: 6493633166
> Email: hayden.searle@safecom.co.nz
> Country: New Zealand
> Company: Telecom New Zealand
> Operating system(s): Windows XP Professional OS language(s): English
> Why do you want to send a sample?:
> File was sent with suspicious headers and an exe file was contained in a zip
> file. This file was run on an XP workstation and produced a memory overflow
> message for explorer.exe immediately.
>
> ________________________________________________________________________________
>
> Document ID: F2FBAA3392292A878025702E0079680C
> The following attachments have been removed:
>
> original.zip 21494 Bytes
>
>
> Attachments automatically sent for checking at 23:08:40 on 28/06/2005
--
George Argyropoulos
Technical Support Engineer, Sophos
Tel: 02 9409 9111
Web: www.sophos.com.au
Protecting businesses against viruses and spam worldwide

Important: This electronic message and attachments (if any) are confidential and may be legally privileged. If you are not the intended recipient do not copy, disclose or use the contents in any way. Please let us know by return e-mail immediately and then destroy this message.
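The Sophos reply above says the downloader modifies the HOSTS file and disables security software, a common way for this class of Trojan to cut a machine off from vendor updates. The script below is an added defender-side example, not code from Sophos or from the list: it parses a HOSTS file and flags security-vendor or update hostnames that have been mapped to loopback, unspecified or otherwise unexpected addresses. The watch-list of domains and the sample HOSTS content are constructed for illustration; the advisory does not state which hostnames Troj/BagleDl-R actually rewrites.

```python
import ipaddress

# Constructed watch-list of domain suffixes an infected HOSTS file is often
# used to block. The real targets of Troj/BagleDl-R are not listed in the
# advisory, so adjust this list to the vendors you actually rely on.
SECURITY_DOMAINS = ("sophos.com", "windowsupdate.com", "symantec.com", "mcafee.com")

# Constructed sample HOSTS content: one legitimate localhost line, one
# legitimate internal override, and four tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
10.0.0.5        intranet.example.test  # legitimate internal override
0.0.0.0         update.symantec.com
192.0.2.10      www.windowsupdate.com
"""


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) for every mapping in a HOSTS file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()  # one address may map several hostnames
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_sinkhole(ip):
    """True when the address cannot reach the real host (loopback/0.0.0.0/garbage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable address is suspicious in itself
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text, watch=SECURITY_DOMAINS):
    """Return (line_no, hostname, ip, reason) for each watched hostname overridden."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback mapping every HOSTS file should carry
        if any(name == d or name.endswith("." + d) for d in watch):
            reason = "sinkholed" if is_sinkhole(ip) else "redirected"
            findings.append((line_no, name, ip, reason))
    return findings
```

On a live system, read the file from `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `audit_hosts`; any finding is worth comparing against a known-good copy before cleaning.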