
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-31


Virus Tuesday: New Bagels, New Mytob. ; qmail pop3 64bit issues

Published: 2005-05-31
Last Updated: 2005-05-31 19:18:51 UTC
by Erik Fichtner (Version: 1)

New Bagel Virus(es?)

We have received a few reports that readers are receiving what appears to be
a new version of the Bagle virus in email this morning. The attachments
(so far) appear to be named as a single-digit-number zip file
(e.g. "" or "") as a string (e.g. "") with a
payload of "16_05_2005.exe" or "19_04_2005.exe". The .zip file is
approximately 18k and is 36352 bytes when extracted. Upon execution, this file
copies itself to C:\WINDOWS\System32\winshost.exe
and then drops another 11k file into

The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run is then updated to execute this winshost.exe file at boot.
The laudable VirusTotal has the following to say about the matter:

Engine       Version         Date        Result
AntiVir                      05.31.2005  Worm/Bagle.gen
AVG          718             05.31.2005  no virus found
Avira                        05.31.2005  Worm/Bagle.gen
BitDefender  7.0             05.31.2005  Win32.Bagle.BO@mm
ClamAV       devel-20050501  05.31.2005  Worm.Bagle.BB-gen
DrWeb        4.32b           05.31.2005  no virus found
eTrust-Iris                  05.31.2005  no virus found
eTrust-Vet                   05.31.2005  no virus found
Fortinet                     05.30.2005  W32/Mitglieder.CD.gen-tr
Ikarus       2.32            05.31.2005  no virus found
Kaspersky                    05.31.2005  no virus found
McAfee       4502            05.30.2005  no virus found
NOD32v2      1.1116          05.31.2005  probably unknown NewHeur_PE virus
Norman       5.70.10         05.30.2005  W32/Downloader
Panda        8.02.00         05.30.2005  Suspect File
Sybari       7.5.1314        05.31.2005  Troj/BagDl-Gen
Symantec     8.0             05.30.2005  Trojan.Tooso.B
VBA32        3.10.3          05.31.2005  suspected of Worm.Bagle.3

Kaspersky Labs have also posted MD5 hashes for these variants at

The two hashes are: f4271a7bd37b7502ecab0ec2964d87c6 and

New Mytob Virus

We're also getting reports of a new Mytob virus. It appears that this
one may be exploiting the MS05-016 vulnerability, as described in this
Bugtraq posting:

Signature updates are starting to show up and catch this:

Engine       Version         Date        Result
AntiVir                      05.31.2005  Worm/Mytob.ED
AVG          718             05.31.2005  no virus found
Avira                        05.31.2005  Worm/Mytob.ED
BitDefender  7.0             05.31.2005  Win32.Worm.Mytob.BC
ClamAV       devel-20050501  05.31.2005  Worm.Mytob.AS
DrWeb        4.32b           05.31.2005  Win32.HLLM.MyDoom.44
eTrust-Iris                  05.31.2005  Win32/Mytob.BC!Worm
eTrust-Vet                   05.31.2005  no virus found
Fortinet                     05.31.2005  W32/MyTob.BC-mm
Ikarus       2.32            05.31.2005  no virus found
Kaspersky                    05.31.2005  Net-Worm.Win32.Mytob.bc
McAfee       4502            05.30.2005  no virus found
NOD32v2      1.1116          05.31.2005  Win32/Mytob.DC
Norman       5.70.10         05.30.2005  no virus found
Panda        8.02.00         05.31.2005  W32/Mytob.DW.worm
Sybari       7.5.1314        05.31.2005  Net-Worm.Win32.Mytob.bc
Symantec     8.0             05.30.2005  no virus found
VBA32        3.10.3          05.31.2005  suspected of I-Worm (double extension)


qmail pop3d remote root exploit (64 BIT ONLY)

The amazing Georgi Guninski has discovered an issue within qmail's pop3
daemon where it is subject to an integer overflow when built on 64-bit
platforms with greater than 8GB of addressable memory. 32-bit platforms
are not affected. Exploit code has been publicly released; patches have
not. The few of you running vulnerable systems may want to keep a close
watch on this issue. I find that I cannot recommend switching software,
as I fully expect this sort of 32/64-bit overflow bug to be found in many
more places in the future.
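The diary does not describe the qmail bug itself, so the following is an added illustration of the general 32/64-bit length-handling class it belongs to, written for this page; it is not Guninski's finding, qmail's code or a patch for it. On an LP64 platform a size that fits in 64 bits but not in 32 gets silently wrapped when it passes through an `int`, so a bounds check done on the narrowed value accepts a length the buffer cannot hold. The hypothetical functions `accepts_len_narrowed`, `accepts_len_checked` and `add_len_checked` contrast the two styles of check without allocating anything; the 4GB-plus length is a constructed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bug pattern: a 64-bit length is narrowed to a 32-bit int before the
 * bounds check, so 0x100000010 becomes 16 and "fits" in a 1024-byte
 * buffer even though the real length is over 4GB. Only reachable when
 * the process can actually hold that much input, which is why such bugs
 * surface on 64-bit hosts with large memory and not on 32-bit ones. */
int accepts_len_narrowed(uint64_t len, size_t bufsize)
{
    int n = (int)len;              /* narrowing conversion: high bits lost */
    if (n < 0)
        return 0;                  /* catches some wraps, not this one */
    return (size_t)n < bufsize;    /* compares the truncated value */
}

/* Hardened form: keep the full width all the way to the comparison and
 * never let the length visit a narrower type. */
int accepts_len_checked(uint64_t len, size_t bufsize)
{
    if (len > SIZE_MAX)            /* cannot be represented at all */
        return 0;
    return (size_t)len < bufsize;
}

/* Overflow-safe addition for buffer growth (old_len + extra), which is
 * the other place this class of bug hides: a + b wrapping past SIZE_MAX
 * yields a tiny allocation followed by a huge copy. Returns 1 on success
 * and stores the sum in *out, 0 if the sum would wrap. */
int add_len_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

int main(void)
{
    uint64_t huge = 0x100000010ULL;    /* constructed: 4GB + 16 bytes */
    size_t buf = 1024, sum = 0;

    printf("narrowed check accepts 4GB+16 into 1024-byte buffer: %d\n",
           accepts_len_narrowed(huge, buf));        /* 1: wrong */
    printf("full-width check accepts it: %d\n",
           accepts_len_checked(huge, buf));         /* 0: correct */
    printf("SIZE_MAX + 1 detected as overflow: %d\n",
           !add_len_checked(SIZE_MAX, 1, &sum));    /* 1 */
    return 0;
}
```

The fix for this class is not a bigger buffer but a consistent width: lengths that come from the network stay `size_t` (or an explicitly bounded policy limit) from the read call through every comparison and allocation, and every addition that can exceed the type is checked before it happens.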