Security Basics mailing list archives

FW: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website
From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Wed, 29 Jun 2005 12:44:05 +1200

 

-----Original Message-----
From: samples () sophos com au [mailto:samples () sophos com au] 
Sent: Wednesday, 29 June 2005 12:38 p.m.
To: Hayden Searle
Subject: Re: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website

Please quote [QAW-VAWU-AW34] in the subject line of any further
correspondence related to this query.

Hi

Thank you for contacting Sophos Technical Support.

The sample e-mail you have sent in for analysis does contain the virus
Troj/BagleDl-R.

Troj/BagleDl-R is a downloader Trojan which will download, install and
run new software without notification that it is doing so.
Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related applications
Troj/BagleDl-R then attempts to download files from remote websites and run them.
Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate
itself.

To remove the Virus/Trojan please visit the Sophos website and download
the latest IDE files from the below URL:

http://www.sophos.com/virusinfo/analyses/trojbagledlr.html


For manual removal refer to below link under recovery:

http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

Regards,


The following virus sample was submitted on:
Tue Jun 28 22:03:28 2005

________________________________________________________________________________


Name: Hayden Searle
Telephone: 6493633166
Email: hayden.searle () safecom co nz
Country: New Zealand
Company: Telecom New Zealand
Operating system(s): Windows XP Professional
OS language(s): English
Why do you want to send a sample?:
File was sent with suspicious headers and an exe file was contained in a zip file. This file was run on an XP workstation and produced a memory overflow message for explorer.exe immediately.



________________________________________________________________________________





Document ID: F2FBAA3392292A878025702E0079680C
The following attachments have been removed:

original.zip 21494 Bytes


Attachments automatically sent for checking at 23:08:40 on 28/06/2005



--
George Argyropoulos
Technical Support Engineer, Sophos

Tel: 02 9409 9111
Web: www.sophos.com.au
Protecting businesses against viruses and spam worldwide

#####################################################################################
Important: This electronic message and attachments (if any) are confidential
and may be legally privileged. If you are not the intended recipient do not
copy, disclose or use the contents in any way. Please let us know by return
e-mail immediately and then destroy this message.
#####################################################################################

