kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 1:42 pm
New Bagle?
I just found a Bagle/Mitglieder-looking email w/attachment (price_09.zip, containing price.cpl) in my wife's email. I scanned it with Jotti's online scanner, and also with NAV and eTrust. NAV has the latest rapidrelease definitions, and eTrust has the latest definitions. Neither detected any infection in the attachment.
I submitted the sample to the AV vendors, and NAI/McAfee returned "inconclusive" as well, so they didn't detect it either. Jotti returned the following:
File: price.cpl
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a2920da32385932c71ad2e4ed5e3e74e
Packers detected: -
Scanner results:
AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Mitglieder-BK
AVG Antivirus Found I-Worm/Bagle.EQ
BitDefender Found Dropped:Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.12288
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing
In any case, it seems interesting that so many AVs detect this (new?) variant, except for the ones I use (NAV, eTrust, NOD32). Another thing I noticed is the zip file is 12,503 bytes, and the file within is 14,340 bytes. This is a bit smaller than Bagles/Mitglieders I've seen in the past. Could it perhaps be a corrupted or truncated copy?
I'll be submitting a copy to the Malware Archive shortly.
pcdebb birdbrain Premium Member join:2000-12-03 Brandon, FL
2005-Sep-12 2:17 pm
FYI, I received the same email. All the body of the email says is "price" and that's it. I don't know what the zip file contains as I didn't want to touch it. It's sitting in my recycle bin if anyone wants it as well.
Schouw Premium Member join:2003-05-29 Netherlands
to kpatz
The Bagle train is back on tour. Seen quite some repacks today...
There's a good chance there will be more in the next couple of hours.
donoreo Premium Member join:2002-05-30 North York, ON
to kpatz
Looks like the big guys are picking it up: » us.mcafee.com/virusInfo/ ··· k=129588
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
to Schouw
I got a response back from Symantec and McAfee. Symantec reports it as Trojan.Tooso.N and is issuing new RapidRelease defs to cover it. McAfee reports it as W32/Bagle@MM!cpl and sent a .DAT file to add detection.
So this *IS* a new variant... eek!
pcdebb birdbrain Premium Member join:2000-12-03 Brandon, FL
to kpatz
kpatz, my MD5 is different, but then so is the cpl file....
File: 1.cpl
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4fb426de872ee9b20c3312fae3adf018
AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Beagle-DP
AVG Antivirus Found I-Worm/Bagle.EP
BitDefender Found Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.18848
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing
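The two Jotti reports quoted in this thread (kpatz's price.cpl and pcdebb's 1.cpl) are easier to compare by machine than by eye. The following is an added example, not code from the thread or from Jotti: it parses reports laid out one engine per line, as Jotti prints them, counts which engines missed the sample, and lists the engines whose verdict differs between the two files. The report text is transcribed from the posts above; the "Found" keyword is assumed to be the separator between engine name and verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# Transcribed from the two posts above (one engine per line, Jotti's layout).
REPORT_PRICE_CPL = """\
AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Mitglieder-BK
AVG Antivirus Found I-Worm/Bagle.EQ
BitDefender Found Dropped:Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.12288
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing
"""

REPORT_1_CPL = """\
AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Beagle-DP
AVG Antivirus Found I-Worm/Bagle.EP
BitDefender Found Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.18848
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing
"""

# Engine names may contain spaces ("Norman Virus Control"), so the word
# "Found" is assumed to be the only reliable separator on each line.
LINE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<result>.+)$")


def parse_jotti(report: str) -> Dict[str, Optional[str]]:
    """Map engine name -> detection name, or None for 'Found nothing'."""
    verdicts: Dict[str, Optional[str]] = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # status/MD5 lines and blank lines are ignored
        result = m.group("result").strip()
        verdicts[m.group("engine")] = None if result.lower() == "nothing" else result
    return verdicts


def detection_ratio(verdicts: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """(engines that flagged the sample, engines that scanned it)."""
    hits = sum(1 for v in verdicts.values() if v is not None)
    return hits, len(verdicts)


def missed_by(verdicts: Dict[str, Optional[str]]) -> List[str]:
    """Engines that returned 'Found nothing'; the ones worth a sample submission."""
    return sorted(engine for engine, v in verdicts.items() if v is None)


def compare_reports(a: Dict[str, Optional[str]],
                    b: Dict[str, Optional[str]]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Engines whose verdict differs between two samples. Same family from
    most engines but a few different names is what a repack looks like."""
    engines = sorted(set(a) | set(b))
    return {e: (a.get(e), b.get(e)) for e in engines if a.get(e) != b.get(e)}


if __name__ == "__main__":
    first, second = parse_jotti(REPORT_PRICE_CPL), parse_jotti(REPORT_1_CPL)
    print("price.cpl detections:", detection_ratio(first), "missed by", missed_by(first))
    print("1.cpl detections:", detection_ratio(second), "missed by", missed_by(second))
    for engine, (x, y) in compare_reports(first, second).items():
        print(f"{engine}: {x} vs {y}")
```

Running it shows both samples missed by the same two engines (NOD32 and VBA32) and four engines naming the two files differently, which is consistent with the repack theory raised later in the thread.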
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 2:46 pm
Interesting that your MD5 is different. Of course, all it takes is one padding byte at the end being different to change the MD5.
Is the size of yours different as well? Interesting that the Jotti scanners detected it the same as mine, for the most part. It could be a repack too.
I'd submit it to the AV vendors to be safe.
pcdebb birdbrain Premium Member join:2000-12-03 Brandon, FL
to kpatz
Ok, I submitted the sample
As far as the size of the 1.cpl file:
Size: 14.0 KB (14,340 bytes) Size on disk: 16.0 KB (16,384 bytes)
The created and accessed time is Today, September 12, 2005, 2:55:56 PM, but I guess they plan to modify it in the future? Modified: Today, September 12, 2005, 10:09:00 PM
I just checked the zip file, its size is different than yours: 12,490 bytes
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 3:06 pm
The .cpl file is the same size as mine. A repack could cause the zip size to be different.
If you have access to NAV, grab the latest rapidrelease defs off their website and see if it detects your copy. Mine is detected with the rev. 17 defs.
pcdebb birdbrain Premium Member join:2000-12-03 Brandon, FL
to kpatz
I don't have NAV installed on any computer here (or friends') so I can't test that angle... but I am getting responses from some vendors stating it's new and will be added to their next updates.
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 3:37 pm
Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
psloss Premium Member join:2002-02-24
2005-Sep-12 4:12 pm
said by kpatz: Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
FWIW, we got the same variant you did (MD5 = a2920da32385932c71ad2e4ed5e3e74e), about 20 minutes ago or so...
...and of course around the same time, we got an NDR from a server that received a copy with our domain spoofed in the From: header...
Philip Sloss
pcdebb birdbrain Premium Member join:2000-12-03 Brandon, FL
to kpatz
said by kpatz: Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
filename: 1.cpl
machine: AVCAutomation:
result: This file is infected with Trojan.Tooso.N
So I guess both filenames will be detected under the same thing. I'm sure other filenames might exist for the same thing.
Schouw Premium Member join:2003-05-29 Netherlands
to kpatz
Currently there are 3 Bagles being spammed. There's also a new Bagle mass mailer, it sends out the spammed stuff.
All 3 'variants' are the same, they differ only in .cpl dropper. (The .cpl is used as Trojan-Dropper to drop the Bagle executable).
It would seem that these spammed Bagles only work on Windows 98, which is quite interesting.
MD5 checksums for spammed Bagles(so far):
4fb426de872ee9b20c3312fae3adf018
a2920da32385932c71ad2e4ed5e3e74e
951053055f16d331a42475c209803430
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 5:26 pm
When I got home, there was a "NOD32 was updated" bubble up on the screen. NOD32 now detects this variant as Win32/Bagle.BI worm. And in perusing the system, it appears that my wife didn't launch the .cpl file. She got close though, when I showed it to her, she said she went as far as opening the .zip attachment, but didn't know what the "price.cpl" was so she closed it. She was one double-click away from infecting me. Though Schouw's observation of it only working in Win'98 is interesting.
Schouw Premium Member join:2003-05-29 Netherlands
to kpatz
Surprise, another one: 37e84e6c22bfe936b48aea4ade395044
psloss Premium Member join:2002-02-24
to kpatz
said by kpatz: Though Schouw's observation of it only working in Win'98 is interesting.
Yeah; Symantec's write-up says this:
quote: 2. Attempts to execute this file, which is corrupted and will not run.
I can't verify either way until later, though it passed a "gross" Portable Executable check.
Philip Sloss
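The question of whether a dropped .cpl is "corrupted or truncated" (raised earlier in the thread and again by the Symantec write-up quoted above) can be settled with exactly the kind of gross PE check psloss mentions. This is an added example, not his check or Symantec's: it walks the DOS header, PE signature, COFF header and section table of a Windows PE file and reports whether every section's raw data actually fits inside the file, which is what truncation breaks first. The sample PE is constructed inline (a minimal one-section 32-bit DLL image, not any of the thread's samples) so the block runs offline; it is a layout check only, it does not execute anything.

```python
import struct
from typing import Any, Dict

# Offsets/sizes from the PE/COFF format: IMAGE_DOS_HEADER.e_lfanew at 0x3C,
# 4-byte "PE\0\0" signature, 20-byte COFF header, then the optional header
# whose length the COFF header states, then 40-byte section headers.
IMAGE_FILE_DLL = 0x2000


def check_pe(data: bytes) -> Dict[str, Any]:
    """Gross sanity check of a PE image. ok=False plus a reason on the
    first structural problem found; truncated files fail at the section
    whose raw data runs past the end of the buffer."""
    result: Dict[str, Any] = {"ok": False, "reason": None, "machine": None,
                              "dll": None, "sections": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "missing MZ signature or file shorter than a DOS header"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        result["reason"] = "e_lfanew points past end of file"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "missing PE signature at e_lfanew"
        return result
    machine, nsect, _ts, _symptr, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    result["machine"] = machine
    result["dll"] = bool(chars & IMAGE_FILE_DLL)
    sect_off = e_lfanew + 24 + opt_size
    if sect_off + 40 * nsect > len(data):
        result["reason"] = "section table runs past end of file"
        return result
    for i in range(nsect):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        end = raw_ptr + raw_size
        complete = end <= len(data)
        result["sections"].append({"name": name, "raw_ptr": raw_ptr,
                                   "raw_size": raw_size, "complete": complete})
        if not complete:
            result["reason"] = (f"section {name!r} raw data ends at byte {end} "
                                f"but file is only {len(data)} bytes")
            return result
    result["ok"] = True
    return result


def build_sample_pe() -> bytes:
    """Constructed 1024-byte PE32 DLL skeleton with one .text section whose
    raw data occupies bytes 512..1023. Headers only; it is not runnable code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(512, b"\0")
    return headers + b"\xC3" * 512                     # filler section body


if __name__ == "__main__":
    sample = build_sample_pe()
    print("intact:", check_pe(sample))
    print("truncated:", check_pe(sample[:700]))
```

The "complete" flag per section is the detail worth keeping when triaging a sample that several engines flag but that will not run: a file whose last section is cut short was most likely damaged in transit or deliberately repacked badly, and that is a different finding from a file whose headers were never valid.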
to kpatz
I was just reading your writeup on it in the KAV weblog, Schouw... interesting. Analyst's Diary: New series of Bagles being spammed » www.viruslist.com/en/weblog
KyeU join:2003-12-31 Canada
to kpatz
Sad that NOD32 is the only one that doesn't detect these... (Along with VBA32)
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-12 8:40 pm
said by KyeU: Sad that NOD32 is the only one that doesn't detect these... (Along with VBA32)
NOD32 does detect it now. eTrust still isn't though, and I can't seem to get a submission to work on their website at » www.my-etrust.com/Suppor ··· orm.aspx It keeps saying "An error has occurred while uploading your file. Please go back and resubmit the form." I tried sending the .cpl straight, zipped, and password zipped. Has anyone else had issues with submitting samples to CA?
adamt56 join:2005-06-21 Saint Petersburg, FL
to kpatz
I too received price_new.zip containing 1.cpl. CA Firewall caught it and changed the extension to .zm9. MD5 4fb426de872ee9b20c3312fae3adf018. I have not executed it yet (I hear it only works on Windows 98) but we shall see.
mens rea Premium Member join:2002-01-31 Canada
to kpatz
This seems to be very widespread. My ISP's AV on its mail servers stripped an attachment called price.cpl, which was identified as Trojan Tooso.N.
Tech-2005 Anon
2005-Sep-13 2:12 am
to adamt56
My email uses an external spam filtering company (Postini) that scans every email with McAfee, and it has blocked hundreds of viruses in the past five years. The filtering system with McAfee has only missed about three viruses, which Norton's email protection scans caught on my local computer as they came in. I use Norton 2003 on my computer, which scans any attachments, and if that isn't enough, any that are potentially executable get automatically quarantined by Zone Alarm Pro. If a virus happened to make it through all that and I accidentally opened the file by some weird chance, then ZAP version 6 with its three-layer firewall would halt execution of the file if it tried to access any critical areas of the Windows XP file system, or access the browser controls, or access the internet in an attempt to spread itself. Also I run three real-time anti-spyware programs that track any program trying to change my internet settings or change system settings. With that being said, my email filtering company just sent me an alert email saying that it blocked a virus in an email called W32Bagle@MM!cpl, which I believe is the virus in question for this thread. So this bad virus was caught by McAfee as the first layer of protection I have and it was not even able to download onto my machine. I am going to go check out the properties of the email right now, like the address it was sent from, etc. I am thinking this must be a huge mass mailing of this virus since it seems to be hitting everyone at one time. Everyone else out there should be careful with this one!
Tech-2005 Anon
2005-Sep-13 2:29 am
UPDATE: I checked out the email I received and its hidden properties. It came from an address which I did an ARIN WHOIS search on, and it was from Cox Communications, which leads me to believe it came from a customer's zombie computer on the Cox internet cable network, or it could simply be a spoofed address claiming to be Cox Internet. The attached infected file which caused the email to be quarantined is "price_09.zip" with the McAfee-based virus name W32/Bagle@MM!cpl. The email sender was spoofed and claimed to be sent from "my email name" @cais.co.za . I will not post the Cox Internet IP address of origin here since it very likely may be, or perhaps may not be, spoofed. However, I have found that most of the time the IP address of origin is usually not spoofed, since it is usually from Asian Pacific Network or from the European Networks in Amsterdam. This leads me to believe that the virus is spreading on computers in the U.S.A. So, as it has been said a thousand times, don't trust any email attachments at all regardless of who they are from.
to kpatz
I received it with a spoofed email that I had a year ago with Comcast.
Tech-2005
Anon
2005-Sep-13 4:03 am
The fact that the email address is spoofed isn't as important as the originating IP address. It is very likely a coincidence that Comcast was the spoofed ISP that the virus chose. The name in front of that ISP is your real internet name, except of course with Comcast as the ISP instead of Verizon.
If you look at the email hidden properties you will often find several IP addresses there. You should have the IP address of your email provider, and often you will also see an IP address (usually spoofed) of the spoofed email address, but also you may see the IP address that the email was initiated from. Sometimes, but not always, this first IP address is spoofed, but then again often it is not. With most spam and viruses I have seen this is not spoofed and the originating IP is from overseas sources. With new and fast-moving viruses I have seen this address as being from U.S.-based internet service providers, which leads me to believe that it is coming from recently infected machines in the U.S. Most likely it came from a machine from someone you know, but the email address and its associated IP are spoofed by the virus. This circumstance is a good case for outbound email virus detection, but if your antivirus software did not catch it coming in then it probably won't catch it on the way back out either. Regarding the source-of-origin IP address, you usually can only see this if you look at the hidden source code of the email. You can see this information using Outlook Express if you click on the email properties, details, then message source tabs. In your post I see the image with a specific IP address of origin, and according to that your originating IP shows that it is from Verizon.net, but that may be spoofed and really not the correct originating IP address. Instead you really need to look at the hidden source code to look for the possible true originating address. Many spam filters, such as my online spam filtering, allow you to also see the entire email hidden source code, where you can run a WHOIS on the IP addresses of origin and find the most likely IP source, or in some cases the virus is able to spoof even that information. One other possibility is that a spam computer got infected and is simply sending out virus-laden emails to entire spam lists.
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-13 7:32 am
AFAIK these newer Bagles aren't mass mailers; instead they are downloader trojans that are spammed en masse. Once one gets on your PC, it contacts a server to download more stuff, including spamming tools. These spamming tools are used to harvest email addresses and mass spam new variants to expand the "bot" army. My wife's email seems to be on one of the "new Bagle" spam lists, as she's received 3 or 4 new variants this year. This last one was so new that many AVs didn't detect it yet. The variants have all come from different IP addresses, so chances are it's a botnet that is being used for the distribution. Good thing I'm a BBR member who knows how to submit samples.
kpatz Premium Member
2005-Sep-13 8:20 am
Here's a writeup for the actual Bagle that mass-mails the Tooso.N trojan: » www.symantec.com/avcente ··· @mm.html
captokita Premium Member join:2005-02-22 Calabash, NC
to kpatz
said by kpatz: And in perusing the system, it appears that my wife didn't launch the .cpl file. She got close though, when I showed it to her, she said she went as far as opening the .zip attachment, but didn't know what the "price.cpl" was so she closed it. She was one double-click away from infecting me.
Eeep! Time to give the wife a refresher on attachments I think. DON'T OPEN THEM!!! Repeat! DON'T OPEN THEM!!!!! Dang, I haven't seen any variants come in. But I certainly wouldn't open them. If you aren't expecting the zip, why would you open it? Thanks for the heads up tho kpatz! Much appreciated!
kpatz MY HEAD A SPLODE Premium Member join:2003-06-13 Manchester, NH
2005-Sep-13 9:31 am
said by captokita: Eeep! Time to give the wife a refresher on attachments I think. DON'T OPEN THEM!!! Repeat! DON'T OPEN THEM!!!!!
I reminded her last night: if you don't know what it is, don't open it! I think what throws her is that so many of her friends forward her junk that's "forwarded as attachment" that she just goes for the attachment without thinking about it. So far we've been lucky; usually one of my security layers takes care of the problem before the blonde can do any damage with it. Unfortunately, I'm minus one layer right now (Linux firewall/mail scanner box) and the AVs weren't detecting this one at the time anyway.