MoMusings

Thursday 27th January, 2005


Another Day, Another Beagle Mess…

Filed under: All, Malware

Yet again, I come down at the start of the day only to find that annoying malware-mutt, Beagle [aka Bagle], has created a new mess for us to clean up.

I think it’s high time that the owner of this mutt had their nose rubbed into the mess, so they learn not to do it again!

This new variant is known by Symantec and Trend as Bagle.AZ. And, as usual, most other vendors can’t agree on a single name or variant version; see below:

Aliases:

  • Bagle.AX
  • Bagle.AY
  • Bagle.BK
  • Email-Worm.Win32.Bagle.ay
  • I-Worm.Bagle.AY
  • probably
  • W32.Beagle.AY@mm
  • W32.Beagle.AZ@mm
  • W32/Bagle-Gen
  • W32/Bagle.BK.worm
  • W32/Bagle.bk@MM
  • Win32.Bagle.AU
  • Win32/Bagle.BE@mm
  • Worm/Bagle.AX
  • WORM_BAGLE.AZ

What is more worrying is that we’ve seen an increase in new MyDoom as well as new Bagle variants over the last few days. I do hope we are not going to see a repeat of the ‘Malware Wars’ of last year!

So, what do we currently know about it?

The e-mail it produces to spread itself is made up of the following characteristics:

Subject: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Message body: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Attachments: (any of the following file names)
guupd02.exe
Jol03.exe
siupd02.exe
upd02.exe
viupd02.exe
wsd01.exe
zupd02.exe

(with any of the following extensions)
COM
CPL
EXE
SCR
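As an added example (not code from the original post), here is a small mail-gateway style check that flags messages matching the characteristics listed above. The post lists attachment names with .exe but says any of COM/CPL/EXE/SCR may occur, so the check compares the base name and accepts any of those four extensions; the sample message is constructed for illustration and its attachment is harmless filler bytes.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names as listed in the post above.
SUBJECTS = {
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
    "Thanks for use of our software.", "Before use read the help",
}
# Base names of the listed attachments; any of the listed extensions may follow.
STEMS = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
EXTS = {".com", ".cpl", ".exe", ".scr"}


def suspicious_attachments(msg):
    """Return attachment filenames whose base name and extension both match."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if stem.lower() in STEMS and ext.lower() in EXTS:
            hits.append(name)
    return hits


def check_message(raw):
    """Parse raw RFC 2822 text and return (verdict, reasons).

    The verdict is True only when a listed attachment is present: the subject
    lines alone are short generic phrases and are reported but not acted on.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject: {subject!r}")
    for name in suspicious_attachments(msg):
        reasons.append(f"attachment: {name}")
    verdict = any(r.startswith("attachment") for r in reasons)
    return verdict, reasons


def build_sample():
    """Constructed sample resembling the described e-mail (not a real one)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"  # forged sender, as the post notes
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Delivery by mail"
    m.set_content("Delivery by mail")
    m.add_attachment(b"placeholder filler bytes", maintype="application",
                     subtype="octet-stream", filename="upd02.scr")
    return m.as_string()
```

Running `check_message(build_sample())` returns `(True, ["subject: 'Delivery by mail'", 'attachment: upd02.scr'])`, while a plain message with no listed attachment returns `(False, [])`.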

Like its many predecessors, it forges the From and Reply-To e-mail headers, so don’t bother contacting the claimed sender as they are probably not infected.
Furthermore, it spreads not only via e-mail but also via network shares.

The good news is that this variant is detected by my generic Snort signature for Bagle and that most vendors should have updates available to detect this new threat by the time you read this.

Links to descriptions:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.
