
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-31



Virus Tuesday: New Bagels, New Mytob; qmail pop3 64bit issues

Published: 2005-05-31
Last Updated: 2005-05-31 19:18:51 UTC
by Erik Fichtner (Version: 1)

New Bagel Virus(es?)



We have received a few reports that readers are receiving what appears to be
a new version of the Bagle virus in email this morning. The attachments seen
so far are zip files named either with a single digit (e.g. "5.zip" or
"7.zip") or with a short string (e.g. "Be_not_jealous.zip"), carrying a
payload named "16_05_2005.exe" or "19_04_2005.exe". The .zip file is
approximately 18k and the extracted executable is 36352 bytes. Upon execution,
this file copies itself to C:\WINDOWS\System32\winshost.exe
and then drops another 11k file at
C:\WINDOWS\System32\wiwshost.exe

The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run is then updated to execute winshost.exe at boot.
The laudable VirusTotal has the following to say about the matter:


Engine        Version          Updated     Result
AntiVir       6.30.0.15        05.31.2005  Worm/Bagle.gen
AVG           718              05.31.2005  no virus found
Avira         6.30.0.15        05.31.2005  Worm/Bagle.gen
BitDefender   7.0              05.31.2005  Win32.Bagle.BO@mm
ClamAV        devel-20050501   05.31.2005  Worm.Bagle.BB-gen
DrWeb         4.32b            05.31.2005  no virus found
eTrust-Iris   7.1.194.0        05.31.2005  no virus found
eTrust-Vet    11.9.1.0         05.31.2005  no virus found
Fortinet      2.27.0.0         05.30.2005  W32/Mitglieder.CD.gen-tr
Ikarus        2.32             05.31.2005  no virus found
Kaspersky     4.0.2.24         05.31.2005  no virus found
McAfee        4502             05.30.2005  no virus found
NOD32v2       1.1116           05.31.2005  probably unknown NewHeur_PE virus
Norman        5.70.10          05.30.2005  W32/Downloader
Panda         8.02.00          05.30.2005  Suspect File
Sybari        7.5.1314         05.31.2005  Troj/BagDl-Gen
Symantec      8.0              05.30.2005  Trojan.Tooso.B
VBA32         3.10.3           05.31.2005  suspected of Worm.Bagle.3


Kaspersky Labs have also posted MD5 hashes for these variants at
http://www.viruslist.com/en/weblog?weblogid=164687745


The two hashes are: f4271a7bd37b7502ecab0ec2964d87c6 and
71379e8529c54c80ead31f5499e3406b
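For readers who want to check their own hosts, here is a small sweep built from the indicators above. This is an added example written for this diary, not ISC's or any AV vendor's tooling: the file names, the 36352-byte payload size, the two MD5s and the Run key come from the text above, while build_sample_tree() creates a constructed test tree purely so the sweep can be run offline. Hash matches are the strong signal; the name and size checks are there to narrow down what to look at and will produce benign hits.

```python
"""Sweep for the Bagle indicators listed in this diary.

Added example, not ISC's or any AV vendor's tooling. The indicators (dropped
file names, payload size, the two MD5s, the Run key) are taken from the diary;
the sample tree built by build_sample_tree() is constructed here purely so the
sweep can be exercised offline.
"""
import hashlib
import os
import sys
import tempfile

# MD5 hashes of the two variants as posted by Kaspersky (quoted in the diary).
KNOWN_MD5 = {
    "f4271a7bd37b7502ecab0ec2964d87c6",
    "71379e8529c54c80ead31f5499e3406b",
}
# Files the diary says the dropper writes into System32.
DROPPED_NAMES = {"winshost.exe", "wiwshost.exe"}
# Size in bytes of the extracted payload reported in the diary.
PAYLOAD_SIZE = 36352
# Persistence location named in the diary (under HKLM).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large files never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(directory):
    """Return (path, reason) findings for files under `directory`.

    Strongest signal first: a hash match, then one of the dropped file names,
    then an exact size match with the reported payload (weak; expect collisions).
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                size = os.path.getsize(path)
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if digest in KNOWN_MD5:
                findings.append((path, "md5 matches known Bagle variant"))
            elif name.lower() in DROPPED_NAMES:
                findings.append((path, "file name used by the dropper"))
            elif size == PAYLOAD_SIZE:
                findings.append((path, "size matches reported payload (weak)"))
    return findings


def check_run_entries(entries):
    """Flag Run-key values whose command references a dropped executable.

    `entries` is an iterable of (value_name, command) pairs so the logic can be
    tested on constructed data; read_windows_run_key() feeds it real ones.
    """
    return [(n, cmd) for n, cmd in entries
            if any(d in cmd.lower() for d in DROPPED_NAMES)]


def read_windows_run_key():
    """Enumerate HKLM\\...\\CurrentVersion\\Run values (Windows only)."""
    import winreg  # only importable on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY)
    entries, i = [], 0
    while True:
        try:
            name, value, _type = winreg.EnumValue(key, i)
        except OSError:
            break  # no more values
        entries.append((name, str(value)))
        i += 1
    return entries


def build_sample_tree():
    """Constructed sample input: a temp tree with one hit per weak signal."""
    d = tempfile.mkdtemp(prefix="bagle_sweep_")
    os.makedirs(os.path.join(d, "sub"))
    with open(os.path.join(d, "winshost.exe"), "wb") as f:
        f.write(b"x" * 10)                 # name hit, wrong size, unknown hash
    with open(os.path.join(d, "sub", "payload.bin"), "wb") as f:
        f.write(b"y" * PAYLOAD_SIZE)       # size hit only
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"hello")                  # benign
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, reason in sweep_directory(target):
        print("FILE", path, "-", reason)
    if sys.platform == "win32":
        for name, cmd in check_run_entries(read_windows_run_key()):
            print("RUN", name, "-", cmd)
```

Run it with the System32 directory as the argument on a suspect host; with no argument it sweeps the constructed sample tree. The Run-key check only executes on Windows, where winreg is available.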

New Mytob Virus



We're also getting reports of a new Mytob virus. It appears that this
one may be exploiting the MS05-016 vulnerability, as described in this
bugtraq posting:
http://www.securityfocus.com/archive/1/399420/2005-05-28/2005-06-03/0

Signature updates are starting to show up and catch this:


Engine        Version          Updated     Result
AntiVir       6.30.0.15        05.31.2005  Worm/Mytob.ED
AVG           718              05.31.2005  no virus found
Avira         6.30.0.15        05.31.2005  Worm/Mytob.ED
BitDefender   7.0              05.31.2005  Win32.Worm.Mytob.BC
ClamAV        devel-20050501   05.31.2005  Worm.Mytob.AS
DrWeb         4.32b            05.31.2005  Win32.HLLM.MyDoom.44
eTrust-Iris   7.1.194.0        05.31.2005  Win32/Mytob.BC!Worm
eTrust-Vet    11.9.1.0         05.31.2005  no virus found
Fortinet      2.27.0.0         05.31.2005  W32/MyTob.BC-mm
Ikarus        2.32             05.31.2005  no virus found
Kaspersky     4.0.2.24         05.31.2005  Net-Worm.Win32.Mytob.bc
McAfee        4502             05.30.2005  no virus found
NOD32v2       1.1116           05.31.2005  Win32/Mytob.DC
Norman        5.70.10          05.30.2005  no virus found
Panda         8.02.00          05.31.2005  W32/Mytob.DW.worm
Sybari        7.5.1314         05.31.2005  Net-Worm.Win32.Mytob.bc
Symantec      8.0              05.30.2005  no virus found
VBA32         3.10.3           05.31.2005  suspected of I-Worm (double extension)


------------

qmail pop3d remote root exploit (64 BIT ONLY)



The amazing Georgi Guninski has discovered an issue within qmail's pop3
daemon where it is subject to an integer overflow when built on 64-bit
platforms with greater than 8GB of addressable memory. 32-bit platforms
are not affected. Exploit code has been publicly released; patches have
not. The few of you running vulnerable systems may want to keep a close
watch on this issue. I find that I cannot recommend switching software,
as I fully expect this sort of 32/64-bit overflow bug to be found in many
more places in the future.
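To make the bug class concrete, here is an added model of the pattern behind such 32/64-bit overflows. It is example code written for this diary, not qmail's code, and it makes no claim about where in qmail the overflow sits: it models C code that keeps a byte count in a 32-bit int while the platform's size_t, and the memory available to the process, is 64-bit. ctypes.c_int32 reproduces the C conversion, and the hardened version shows the check that keeps the counter from wrapping.

```python
"""Model of the 32/64-bit length-accounting bug class.

Added example, not qmail's code. A byte count kept in a C `int` is modelled
with ctypes.c_int32 so the wrap that only a 64-bit build can reach is visible.
"""
import ctypes

INT_MAX = 2**31 - 1


def as_c_int(value):
    """What a C `int` holds after `len += chunk` on a two's-complement 64-bit host."""
    return ctypes.c_int32(value).value


def legacy_total(chunk, count):
    """Narrow-int accounting: turns negative once 2**31 bytes have been consumed.

    A 32-bit process cannot hold a buffer this large in its address space, so
    the wrap is only reachable on a 64-bit build with enough memory, which is
    the condition the diary gives for the qmail issue.
    """
    length = 0
    for _ in range(count):
        length = as_c_int(length + chunk)
    return length


def naive_room_left(length, capacity):
    """The check a buffer writer typically makes; a wrapped (negative) length passes it."""
    return length < capacity


def checked_total(chunk, count, limit=INT_MAX):
    """Hardened accounting: refuse before the counter can wrap.

    Returns (ok, total). Each addition is tested against the remaining headroom
    before it is applied, so the total never exceeds `limit` and never wraps.
    """
    length = 0
    for _ in range(count):
        if chunk > limit - length:
            return False, length
        length += chunk
    return True, length


if __name__ == "__main__":
    wrapped = legacy_total(2**30, 2)          # two 1 GiB reads
    print("legacy counter:", wrapped, "passes naive check:",
          naive_room_left(wrapped, 4096))
    print("checked counter:", checked_total(2**30, 2))
    print("checked counter, small input:", checked_total(1024, 3))
```

The point of naive_room_left() is the consequence, not the arithmetic: once the counter has wrapped negative, a "length < capacity" test no longer protects the buffer behind it. The checked version rejects the input before that state is reachable.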