kpatz
New Bagle?

I just found a Bagle/Mitglieder looking email w/attachment (price_09.zip, containing price.cpl) in my wife's email. I scanned it with Jotti's online scanner, and also with NAV and eTrust. NAV has the latest rapidrelease definitions, and eTrust has the latest definitions. Neither detected any infection in the attachment.

I submitted the sample to the AV vendors, and NAI/McAfee returned "inconclusive" as well, so they didn't detect it either. Jotti returned the following:

File: price.cpl
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a2920da32385932c71ad2e4ed5e3e74e
Packers detected: -
Scanner results
AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Mitglieder-BK
AVG Antivirus Found I-Worm/Bagle.EQ
BitDefender Found Dropped:Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.12288
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing

In any case, it seems interesting that so many AVs detect this (new?) variant, except for the ones I use (NAV, eTrust, NOD32). Another thing I noticed is the zip file is 12,503 bytes, and the file within is 14,340 bytes. This is a bit smaller than Bagles/Mitglieders I've seen in the past. Could it perhaps be a corrupted or truncated copy?

I'll be submitting a copy to the Malware Archive shortly.

pcdebb
FYI, I received the same email. All the body of the email says is "price" and that's it. I don't know what the zip file contains as I didn't want to touch it. It's sitting in my recycle bin if anyone wants it as well.
Schouw to kpatz
The Bagle train is back on tour.
Seen quite some repacks today...

There's a good chance there will be more in the next couple of hours.

donoreo to kpatz
Looks like the big guys are picking it up: »us.mcafee.com/virusInfo/ ··· k=129588
kpatz to Schouw
I got a response back from Symantec and McAfee. Symantec reports it as Trojan.Tooso.N and is issuing new RapidRelease defs to cover it. McAfee reports it as W32/Bagle@MM!cpl and sent a .DAT file to add detection.

So this *IS* a new variant... eek!

pcdebb to kpatz
kpatz, my MD5 is different, but then so is the cpl file....

File: 1.cpl
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4fb426de872ee9b20c3312fae3adf018

AntiVir Found DR/Bagle.P
ArcaVir Found Worm.Beagle.AV
Avast Found Win32:Beagle-DP
AVG Antivirus Found I-Worm/Bagle.EP
BitDefender Found Win32.Bagle.CM@mm
ClamAV Found Worm.Bagle.BB-gen
Dr.Web Found Win32.HLLM.Beagle.18848
F-Prot Antivirus Found W32/Mitglieder.FB
Fortinet Found W32/Bagle.CS-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.cs
NOD32 Found nothing
Norman Virus Control Found W32/Bagle.CS
UNA Found I-Worm.Bagle.Runner
VBA32 Found nothing
kpatz
Interesting that your MD5 is different. Of course, all it takes is one padding byte at the end being different to change the MD5.

Is the size of yours different as well? Interesting that the Jotti scanners detected it the same as mine, for the most part. It could be a repack too.

I'd submit it to the AV vendors to be safe.

pcdebb to kpatz
Ok, I submitted the sample

As far as the size of the 1.cpl file:

Size: 14.0 KB (14,340 bytes)
Size on disk: 16.0 KB (16,384 bytes)

The created and accessed time is Today, September 12, 2005, 2:55:56 PM, but I guess they plan to modify it in the future? Modified: Today, September 12, 2005, 10:09:00 PM

I just checked the zip file, its size is different than yours: 12,490 bytes
kpatz
The .cpl file is the same size as mine. A repack could cause the zip size to be different.

If you have access to NAV, grab the latest rapidrelease defs off their website and see if it detects your copy. Mine is detected with the rev. 17 defs.
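The size and hash comparison in the posts above (identical .cpl sizes, different zip sizes, different MD5s), as an added example that is not code from the thread: it builds two repacks of the same constructed bytes plus a copy with one trailing byte changed, and shows that the container's hash says nothing about the member, while an equal member size says nothing about equal content. The payload bytes, member names and timestamps are all constructed.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the attachment payload: plain bytes, not malware.
PAYLOAD = b"CONSTRUCTED-SAMPLE-BYTES-" * 12
# Same length as PAYLOAD but with the final byte changed (the "one padding
# byte" case from the thread): identical size, different hash.
PADDED = PAYLOAD[:-1] + b"\x00"


def make_zip(payload, member_name, stamp):
    """Pack `payload` under `member_name`, stamping the entry with `stamp`.
    Name and timestamp live in the zip headers, so they change the
    container's hash and size without touching the member's bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=stamp)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()


def triage(zip_bytes):
    """Hash the container and every member; the member hashes are what to
    compare across samples, the container hash only identifies this copy."""
    report = {"zip_md5": hashlib.md5(zip_bytes).hexdigest(),
              "zip_size": len(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            report["members"].append({
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest()})
    return report


def same_payload(a, b):
    """True when two containers carry byte-identical members (a repack)."""
    return sorted(m["sha256"] for m in a["members"]) == \
        sorted(m["sha256"] for m in b["members"])


# Two repacks of the same bytes (different member name and timestamp, like
# price.cpl vs 1.cpl in the thread), plus one copy with its last byte changed.
ZIP_A = make_zip(PAYLOAD, "price.cpl", (2005, 9, 12, 14, 55, 56))
ZIP_B = make_zip(PAYLOAD, "1.cpl", (2005, 9, 12, 22, 9, 0))
ZIP_C = make_zip(PADDED, "1.cpl", (2005, 9, 12, 22, 9, 0))
```

Running `triage()` over the three containers shows A and B with different zip hashes and sizes but one member hash, and C with the same member size as A but a different member hash.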

pcdebb to kpatz
I don't have NAV installed on any computer here (or friends') so I can't test that angle...but I am getting responses from some vendors stating it's new and will be added to their next updates.
kpatz
Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
psloss
said by kpatz:

Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
FWIW, we got the same variant you did (MD5 = a2920da32385932c71ad2e4ed5e3e74e), about 20 minutes ago or so...

...and of course around the same time, we got an NDR from a server that received a copy with our domain spoofed in the From: header...

Philip Sloss

pcdebb to kpatz
said by kpatz:

Did you get a response from Symantec yet? If you did, what are they calling it? They named my sample Trojan.Tooso.N. I'm curious if your sample fell under the same name.
filename: 1.cpl
machine: AVCAutomation:
result: This file is infected with Trojan.Tooso.N

So I guess both filenames will be detected under the same thing. I'm sure other filenames might exist for the same thing.
Schouw to kpatz
Currently there are 3 Bagles being spammed.
There's also a new Bagle mass mailer, it sends out the spammed stuff.

All 3 'variants' are the same, they differ only in .cpl dropper. (The .cpl is used as Trojan-Dropper to drop the Bagle executable).

It would seem that these spammed Bagles only work on Windows 98, which is quite interesting.

MD5 checksums for spammed Bagles(so far):

4fb426de872ee9b20c3312fae3adf018
a2920da32385932c71ad2e4ed5e3e74e
951053055f16d331a42475c209803430
kpatz
When I got home, there was a "NOD32 was updated" bubble up on the screen. NOD32 now detects this variant as Win32/Bagle.BI worm.

And in perusing the system, it appears that my wife didn't launch the .cpl file. She got close though, when I showed it to her, she said she went as far as opening the .zip attachment, but didn't know what the "price.cpl" was so she closed it. She was one double-click away from infecting me.

Though Schouw's observation of it only working in Win'98 is interesting.
Schouw to kpatz
Surprise, another one: 37e84e6c22bfe936b48aea4ade395044
psloss to kpatz
said by kpatz:

Though Schouw's observation of it only working in Win'98 is interesting.
Yeah; Symantec's write-up says this:
quote:
2. Attempts to execute this file, which is corrupted and will not run.
I can't verify either way until later, though it passed a "gross" Portable Executable check.

Philip Sloss

CalamityJane to kpatz
I was just reading your writeup on it in the KAV weblog, Schouw...interesting

Analyst's Diary
New series of Bagles being spammed
»www.viruslist.com/en/weblog
KyeU to kpatz
Sad that NOD32 is the only one that doesn't detect these... (Along with VBA32)
kpatz
said by KyeU:

Sad that NOD32 is the only one that doesn't detect these... (Along with VBA32)
NOD32 does detect it now.

eTrust still isn't though, and I can't seem to get a submission to work on their website at »www.my-etrust.com/Suppor ··· orm.aspx

It keeps saying "An error has occurred while uploading your file. Please go back and resubmit the form." I tried sending the .cpl straight, zipped, and password zipped. Has anyone else had issues with submitting samples to CA?
adamt56 to kpatz
I too received price_new.zip containing 1.cpl

CA Firewall caught it and changed the extension to .zm9

MD5 4fb426de872ee9b20c3312fae3adf018

I have not executed it yet (I hear it only works on Windows 98) but we shall see.

mens rea to kpatz
This seems to be very widespread. My ISP's AV on its mail servers stripped an attachment called price.cpl, which was identified as Trojan Tooso.N.

Tech-2005 to adamt56
My email uses an external spam filtering company (Postini) that scans every email with McAfee and it has blocked hundreds of viruses in the past five years. The filtering system with McAfee has only missed about three viruses, which Norton's email protection scans caught on my local computer as they came in. I use Norton 2003 on my computer which scans any attachments, and if that isn't enough any that are potentially executable get automatically quarantined by Zone Alarm Pro. If a virus happened to make it through all that and I accidentally opened the file by some weird chance, then ZAP version 6 with its three-layer firewall would halt execution of the file if it tried to access any critical areas of the Windows XP file system, or access the browser controls, or access the internet in an attempt to spread itself. Also I run three real-time anti-spyware programs that track any program trying to change my internet settings or change system settings. With that being said, my email filtering company just sent me an alert email saying that it blocked a virus in an email called W32Bagle@MM!cpl which I believe is the virus in question for this thread. So this bad virus was caught by McAfee as the first layer of protection I have and it was not even able to download onto my machine. I am going to go check out the properties of the email right now like the address it was sent from, etc. I am thinking this must be a huge mass mailing of this virus since it seems to be hitting everyone at one time. Everyone else out there should be careful with this one!
Tech-2005
UPDATE: I checked out the email I received and its hidden properties. It came from an address which I did an ARIN WHOIS search on and it was from Cox Communications, which leads me to believe it came from a customer's zombie computer on the Cox internet cable network, or it could simply be a spoofed address claiming to be Cox Internet. The attached infected file which caused the email to be quarantined is "price_09.zip" with the McAfee-based virus name W32/Bagle@MM!cpl. The email sender was spoofed and claimed to be sent from "my email name"@cais.co.za. I will not post the Cox Internet IP address of origin here since it very likely may be, or perhaps may not be, spoofed. However, I have found that most of the time the IP address of origin is usually not spoofed since it is usually from Asian Pacific Network or from the European Networks in Amsterdam. This leads me to believe that the virus is spreading on computers in the U.S.A. So as it has been said a thousand times, don't trust any email attachments at all regardless of who they are from.

mr_slick to kpatz
[screenshot of the email, not reproduced]
I received it with a spoofed email that I had a year ago with Comcast.

Tech-2005
The fact that the email address is spoofed isn't as important as the originating IP address. It is very likely a coincidence that comcast was the spoofed ISP that the virus chose. The name in front of that ISP is your real internet name except of course with Comcast as the ISP instead of Verizon.

If you look at the email hidden properties you will often find several IP addresses there. You should have the IP address of your email provider, and often you will also see an IP address (usually spoofed) of the spoofed email address, but also you may see the IP address that the email was initiated from. Sometimes, but not always, this first IP address is spoofed, but then again often it is not. With most spam and viruses I have seen this is not spoofed and the originating IP is from overseas sources. With new and fast-moving viruses I have seen this address as being from U.S.-based internet service providers, which leads me to believe that it is coming from recently infected machines in the U.S. Most likely it came from a machine from someone you know, but the email address and its associated IP are spoofed by the virus. This circumstance is a good case for outbound email virus detection, but if your antivirus software did not catch it coming in then it probably won't catch it on the way back out either. Regarding the source-of-origin IP address, you usually can only see this if you look at the hidden source code of the email. You can see this information using Outlook Express if you click on the email properties, details, then message source tabs. In your post I see the image with a specific IP address of origin, and according to that your originating IP shows that it is from Verizon.net, but that may be spoofed and really not the correct originating IP address. Instead, you really need to look at the hidden source code to look for the possible true originating address. Many spam filters, such as my online spam filtering, allow you to also see the entire email hidden source code where you can run a WHOIS on the IP addresses of origin and find the most likely IP source, or in some cases the virus is able to spoof even that information. One other possibility is that a spam computer got infected and is simply sending out virus-laden emails to entire spam lists.
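The header walk Tech-2005 describes (message source, then the chain of Received: lines and their IPs), as an added example that is not code from the thread: it parses the Received: chain of a constructed message and separates the hops written by your own servers, which you can rely on, from the hops written by the sender's side, which are only claims. The host names, IP addresses and the TRUSTED set are assumptions.

```python
import re
from email import message_from_string

# Constructed message source (hosts and addresses are placeholders, not from
# any real mail). Received headers read newest-first, as in a mail client's
# "message source" view; the body is just "price", as in the thread.
RAW = """\
Received: from mx.example-provider.net ([192.0.2.10])
\tby mail.example-provider.net with ESMTP id ABC123;
\tMon, 12 Sep 2005 14:55:56 -0400
Received: from relay.example.org ([198.51.100.7])
\tby mx.example-provider.net with ESMTP; Mon, 12 Sep 2005 14:55:40 -0400
Received: from yourname (unknown [203.0.113.42])
\tby relay.example.org with SMTP; Mon, 12 Sep 2005 14:55:31 -0400
From: "yourname" <yourname@cais.co.za>
To: <victim@example-provider.net>
Subject: price

price
"""

# Hosts whose Received lines you control and therefore trust (assumption).
TRUSTED = {"mail.example-provider.net", "mx.example-provider.net"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Parse every Received header into a hop dict, returned oldest-first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)", hdr)
        by = re.search(r"\bby (\S+)", hdr)
        ips = IP_RE.findall(hdr)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": ips[0] if ips else None,
                     "by": by.group(1) if by else None})
    hops.reverse()
    return hops


def likely_origin(raw, trusted):
    """Walk newest-first through hops written by your own servers; the last
    such hop names the IP that handed the message to your side. Any hop
    below it was written by the sender's infrastructure and may be forged,
    so the bottom-most IP is only a claim, not evidence."""
    origin = None
    for hop in reversed(received_chain(raw)):
        if hop["by"] not in trusted:
            break
        origin = hop["ip"]
    return origin
```

For the constructed message the bottom hop claims 203.0.113.42, but the last hop your own servers wrote names 198.51.100.7 as the host that delivered it, which is the strongest origin evidence the headers give.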
kpatz
AFAIK these newer Bagles aren't mass mailers; instead they are downloader trojans that are spammed en masse. Once one gets on your PC, it contacts a server to download more stuff, including spamming tools.

These spamming tools are used to harvest email addresses and mass spam new variants to expand the "bot" army.

My wife's email seems to be on one of the "new Bagle" spam lists, as she's received 3 or 4 new variants this year. This last one was so new that many AVs didn't detect it yet. The variants have all come from different IP addresses, so chances are it's a botnet that is being used for the distribution.

Good thing I'm a BBR member who knows how to submit samples.
kpatz
Here's a writeup for the actual Bagle that mass-mails the Tooso.N trojan:

»www.symantec.com/avcente ··· @mm.html

captokita to kpatz
said by kpatz:

And in perusing the system, it appears that my wife didn't launch the .cpl file. She got close though, when I showed it to her, she said she went as far as opening the .zip attachment, but didn't know what the "price.cpl" was so she closed it. She was one double-click away from infecting me.

Eeep! Time to give the wife a refresher on attachments I think. DON'T OPEN THEM!!! Repeat! DON'T OPEN THEM!!!!!

Dang, I haven't seen any variants come in. But I certainly wouldn't open them. If you aren't expecting the zip, why would you open it?

Thanks for the heads up tho kpatz! Much appreciated!
kpatz
said by captokita:

Eeep! Time to give the wife a refresher on attachments I think. DON'T OPEN THEM!!! Repeat! DON'T OPEN THEM!!!!!
I reminded her last night, if you don't know what it is, don't open it!

I think what throws her is that so many of her friends forward her junk that's "forwarded as attachment" that she just goes for the attachment without thinking about it. So far we've been lucky, usually one of my security layers takes care of the problem before the blonde can do any damage with it. Unfortunately, I'm minus one layer right now (Linux firewall/mail scanner box) and the AVs weren't detecting this one at the time anyway.