New Bagle Variant Spreading
There is a new Bagle mass-mailing virus variant on the loose.
The attachment may carry one of the following file names:
price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe
Mitigation
The virus downloads part of itself from a list of known websites. Blocking the following sites at your perimeter can mitigate the risk from this virus:
http://polobeer.de/2.jpg
http://www.no-abi2003.de/2.jpg
AV vendors have created signatures for this Bagle variant.
McAfee: Bagle.aq
Trend Micro: Bagle.ac
Symantec: Bagle.ao
Snort signatures for this virus are also available from Bleeding Snort (submitted by Matt Jonkman): http://www.bleedingsnort.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; sid:2001061; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; sid:2001064; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; content:"filename="; pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; nocase; sid:2001065; rev:1;)
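The attachment names, download URLs and Snort rules above translate directly into log-side checks. The following Python is an added example, not code from the ISC diary or from Bleeding Snort; it applies the diary's indicators to constructed mail-header lines and Squid-style proxy log lines. The log lines, client addresses, timestamps and the example.net / example.org hosts are all constructed for the example. Unlike the Bleeding Snort pcre, the attachment pattern escapes the dot and requires the name to end where the header value ends, so "pricelist.zip" or "price.zip.exe" do not match; classify_url mirrors Snort sid 2001061 by flagging any GET /2.jpg as a weaker indicator and the two hosts the diary lists as a strong one.

```python
"""Log-side checks for the Bagle variant indicators given in the diary (added example)."""
import re
from urllib.parse import urlsplit

# Attachment names listed in the diary for this variant.
BAGLE_ATTACHMENTS = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}

# Second-stage download URLs listed in the diary's mitigation section.
BAGLE_DOWNLOAD_URLS = {
    "http://polobeer.de/2.jpg",
    "http://www.no-abi2003.de/2.jpg",
}

# Dot-escaped alternation of the exact names; the lookahead insists the name is
# followed by a quote, whitespace, ';' or end of line, so "price.zip.exe" is not a hit.
_NAMES = "|".join(re.escape(n) for n in sorted(BAGLE_ATTACHMENTS))
_ATTACHMENT_RE = re.compile(
    r'(?:file)?name="?(' + _NAMES + r')"?(?=[\s;"]|$)', re.IGNORECASE
)


def match_attachment(header_line):
    """Return the matched attachment name (lower-cased) or None."""
    m = _ATTACHMENT_RE.search(header_line)
    return m.group(1).lower() if m else None


def classify_url(url):
    """'known-host' for a listed download URL, 'generic-2jpg' for any other
    /2.jpg fetch (what Snort sid 2001061 alerts on), otherwise None."""
    if url.lower() in BAGLE_DOWNLOAD_URLS:
        return "known-host"
    if urlsplit(url).path == "/2.jpg":
        return "generic-2jpg"
    return None


def scan_mail_headers(lines):
    """Return (line_number, attachment_name) for every header line that carries
    one of the Bagle attachment names."""
    hits = []
    for n, line in enumerate(lines, 1):
        name = match_attachment(line)
        if name:
            hits.append((n, name))
    return hits


def scan_proxy_log(lines):
    """Squid access.log layout: time elapsed client code/status bytes method URL ...
    Return (client, url, verdict) for GET requests that match an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # constructed sample is well-formed, but real logs may not be
        client, method, url = fields[2], fields[5], fields[6]
        if method != "GET":
            continue
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed sample input (not captured traffic).
MAIL_SAMPLE = [
    'Content-Type: application/zip; name="price_08.zip"',
    'Content-Disposition: attachment; filename="new__price.zip"',
    'Content-Disposition: attachment; filename="pricelist.zip"',
    'Content-Disposition: attachment; filename="Price.zip"',
    'Content-Disposition: attachment; filename="price.zip.exe"',
]

PROXY_SAMPLE = [
    "1092045600.101 210 10.0.0.5 TCP_MISS/200 4711 GET http://polobeer.de/2.jpg - DIRECT/192.0.2.10 image/jpeg",
    "1092045601.202 180 10.0.0.7 TCP_MISS/200 4711 GET http://www.no-abi2003.de/2.jpg - DIRECT/192.0.2.11 image/jpeg",
    "1092045602.303 90 10.0.0.9 TCP_MISS/404 310 GET http://example.net/2.jpg - DIRECT/192.0.2.12 text/html",
    "1092045603.404 60 10.0.0.5 TCP_HIT/200 12000 GET http://example.org/images/logo.jpg - NONE/- image/jpeg",
]

if __name__ == "__main__":
    for n, name in scan_mail_headers(MAIL_SAMPLE):
        print(f"mail header line {n}: Bagle attachment name {name}")
    for client, url, verdict in scan_proxy_log(PROXY_SAMPLE):
        print(f"proxy: {client} fetched {url} ({verdict})")
```

A "generic-2jpg" hit is only a lead, since any site may legitimately serve a file called 2.jpg; a "known-host" hit, or a mail hit followed by a /2.jpg fetch from the same client, is what warrants pulling the host for the WINdirect.exe file and the win_upd2.exe Run value the diary names.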
Microsoft Windows XP SP2 is out!
Microsoft has released Service Pack 2 for Windows XP. It is not only a cumulative patch for XP but also adds functionality to Windows XP, including many security features (such as the firewall and IE security settings).
For the new features:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
Information on SP2:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
AOL Instant Messenger URI Handler Buffer Overflow
A vulnerability exists in AIM, caused by a stack-based buffer overflow in the handling of "away" messages. Successful exploitation allows malicious code to be run on the user's system.
The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected. Mitigation includes upgrading to the latest beta version of the AIM software or using the workaround posted on www.aim.com.
References:
http://secunia.com/advisories/12198/
http://www.aim.com/help_faq/security/faq.adp?aolp=
------------
Jason Lam, jason /at/ networksec.org