Another Bagle Worm Variation

Dale

I received a variation of the Bagle worm today that Kaspersky beta
v5.0 did not recognize, either as an email attachment or by direct scan
of the file. I own copies of Nod32 v2.0 and F-Prot for Windows (XP);
F-Prot didn't recognise it, but Nod32 did. Nod32 deleted the file, so
I couldn't forward to Frisk or Kaspersky.

I made certain that all AVPs were at the latest level. The result
really surprised me. The email message text, with my ISP's name X'ed
out was:

================================================
Dear user of e-mail server "XXXXXXX.com",

We warn you about some attacks on your e-mail account. Your
computer may contain viruses, in order to keep your computer and
e-mail account safe, please, follow the instructions.

For further details see the attach.

For security reasons attached file is password protected. The
password is "22073".

Have a good day,
The XXXXXXXX.com team
http://www.xxxxxxx.com
===============================================
Dale
 
null

I received a variation of the Bagle worm today that Kaspersky beta
v5.0 did not recognize, either as an email attachment or by direct scan
of the file. I own copies of Nod32 v2.0 and F-Prot for Windows (XP);
F-Prot didn't recognise it, but Nod32 did. Nod32 deleted the file, so
I couldn't forward to Frisk or Kaspersky.

I hope you learned a lesson. It's never wise to have an AV set to
delete or clean until you find out what's going on.


Art
http://www.epix.net/~artnpeg
 
Boyd Williston

I received a variation of the Bagle worm today that Kaspersky beta
v5.0 did not recognize, either as an email attachment or by direct scan
of the file. I own copies of Nod32 v2.0 and F-Prot for Windows (XP);
F-Prot didn't recognise it, but Nod32 did. Nod32 deleted the file, so
I couldn't forward to Frisk or Kaspersky.

I made certain that all AVPs were at the latest level. The result
really surprised me. The email message text, with my ISP's name X'ed
out was:

================================================
Dear user of e-mail server "XXXXXXX.com",

We warn you about some attacks on your e-mail account. Your
computer may contain viruses, in order to keep your computer and
e-mail account safe, please, follow the instructions.

For further details see the attach.

For security reasons attached file is password protected. The
password is "22073".

Have a good day,
The XXXXXXXX.com team
http://www.xxxxxxx.com
===============================================
Dale

Almost certainly bagle.j, which has been documented on web sites since 02
March. See http://vil.nai.com/vil/content/v_101071.htm
 
Jeffrey A. Setaro

So I learned, although I'm still surprised that neither Kaspersky nor
F-Prot recognized it.

When was the last time you updated F-Prot or KAV? Kaspersky Labs has
been releasing 2-4 updates a day for the last couple of weeks. Frisk
released two updates for F-Prot today.

--
Cheers-

Jeff Setaro
jasetaro <at> mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
Dale

When was the last time you updated F-Prot or KAV? Kaspersky Labs has
been releasing 2-4 updates a day for the last couple of weeks. Frisk
released two updates for F-Prot today.

When each was active, I updated hourly. I checked for updates just
before scanning the file.

Dale
 