From: "J.Ayoola" <J.Ayoola () westminster ac uk>
To: "'Hamish Stanaway'" <koremeltdown () hotmail com>
CC: <security-basics () securityfocus com>
Subject: RE: New Virus?
Date: Wed, 29 Jun 2005 10:14:37 +0100
Received: from outgoing.securityfocus.com ([188.8.131.52]) by
mc10-f2.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 29 Jun 2005
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mail.hotmail.com [184.108.40.206]) with ESMTP; Wed, 29
Jun 2005 16:03:27 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com
[220.127.116.11])by outgoing3.securityfocus.com (Postfix) with QMQPid
6781A237548; Wed, 29 Jun 2005 13:22:17 -0600 (MDT)
Received: (qmail 5037 invoked from network); 29 Jun 2005 09:54:43 -0000
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Organization: University of Westminster
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/)
security-basics-return-34487-koremeltdown=hotmail.com () securityfocus com
X-OriginalArrivalTime: 29 Jun 2005 23:03:27.0478 (UTC)
This appears to be the trojan W32/Bagle.dldr. McAfee has been detecting it
since the 26th of June. Click on the link for more info.
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: 27 June 2005 23:42
To: security-basics () securityfocus com
Subject: New Virus?
Hey there everyone,
I received a mysterious email this morning at 1728 GMT which had headers as follows:
Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [18.104.22.168] (helo=david.org)
by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
-------------------- END SNIP-----------------------
As you can guess, I'm hamish1 () webhosting net nz
This email contained no text, only an attachment called legs.zip, which
Norton (fully updated to its latest version and data files) did not detect
any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this again was
not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which gave me a
memory overflow message for explorer.exe immediately.
Does anyone have any idea of what this might be, and also if it is a virus
that has already been identified? If not, I am willing to pass it through
someone to take a look at in its zip format.
Otherwise if the effects cannot be reversed, I am afraid I will have to
reformat this machine *sigh* NOT AGAIN :(
Have a great day everyone and thanks in advance for your help.
Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
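The header block Hamish quoted carries the usual signs of a forged mass-mailer message: the connecting host has no reverse DNS and announces an unrelated HELO name, the From address is the recipient's own mailbox name on another domain, and the Message-ID claims the recipient's domain even though the message arrived from outside. The triage script below, an added example rather than code from this thread, checks those points over the posted headers (with the list archive's " () " obfuscation turned back into "@") and lists a ZIP attachment's contents without executing anything. The ZIP it inspects is constructed in memory with a harmless placeholder entry named like the one in the post; it is not the real ds-rwe.exe, and the SHA-256 it prints is only useful as a demonstration of what you would submit to a scanner or vendor.

```python
"""Triage a suspicious e-mail header block and ZIP attachment without running anything.

Added example, not code from the original thread. POSTED_HEADERS is the header
block from the post with "@" restored; build_sample_zip() creates a constructed
stand-in for legs.zip (placeholder bytes, not the real sample).
"""
import email
import email.policy
import email.utils
import hashlib
import io
import posixpath
import re
import zipfile

POSTED_HEADERS = """\
Return-path: <hamish1@voyager.co.nz>
Envelope-to: hamish1@webhosting.net.nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [18.104.22.168] (helo=david.org)
    by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
    for hamish1@webhosting.net.nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1@webhosting.net.nz>
From: "Hamish" <hamish1@voyager.co.nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg@webhosting.net.nz>

"""

# Exim writes "from [ip] (helo=name)" when the connecting IP has no reverse DNS;
# the HELO name is whatever the client claimed and is not verified.
HELO_RE = re.compile(r"from \[(\d+(?:\.\d+){3})\] \(helo=([^)]+)\)")

# Extensions that should never arrive unsolicited inside a "picture" archive.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _flat(value):
    """Unfold a header value to a single line."""
    return " ".join(str(value).split())


def header_indicators(raw_headers):
    """Return (code, detail) tuples for spoofing indicators found in the headers."""
    msg = email.message_from_string(raw_headers, policy=email.policy.default)
    found = []

    recipient = email.utils.parseaddr(_flat(msg.get("To", "")))[1].lower()
    sender = email.utils.parseaddr(_flat(msg.get("From", "")))[1].lower()
    rcpt_local, _, rcpt_domain = recipient.partition("@")
    from_local, _, from_domain = sender.partition("@")

    for received in msg.get_all("Received", []):
        m = HELO_RE.search(_flat(received))
        if m:
            found.append(("helo-mismatch",
                          f"{m.group(1)} has no reverse DNS and claimed HELO {m.group(2)}"))

    # Same mailbox name as the recipient but on a different domain: the classic
    # "mail from yourself" trick used to get past a glance at the From line.
    if from_local and from_local == rcpt_local and from_domain != rcpt_domain:
        found.append(("from-mimics-recipient", f"From {sender} mimics recipient {recipient}"))

    # A Message-ID in the recipient's own domain on mail that came from outside.
    mid = _flat(msg.get("Message-ID", ""))
    mid_domain = mid.rstrip(">").rpartition("@")[2].lower()
    if mid_domain and mid_domain == rcpt_domain:
        found.append(("message-id-claims-recipient-domain", mid))

    return found


def build_sample_zip():
    """Constructed stand-in for legs.zip: one entry with a PE 'MZ' magic and filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ds-rwe.exe", b"MZ" + b"\x00" * 62 + b"placeholder, not a real program")
    return buf.getvalue()


def inspect_zip(data):
    """List each archive member with its hash and the reasons it looks dangerous.

    Members are read into memory only; nothing is written to disk or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            lower = info.filename.lower()
            reasons = []
            if posixpath.splitext(lower)[1] in RISKY_EXT:
                reasons.append("executable extension")
            if lower.count(".") > 1:
                reasons.append("double extension")
            if content[:2] == b"MZ":
                reasons.append("PE/MZ magic")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for code, detail in header_indicators(POSTED_HEADERS):
        print(f"[{code}] {detail}")
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['name']} ({f['size']} bytes) sha256={f['sha256']} -> {', '.join(f['reasons'])}")
```

The hash is what to send to a scanner or an AV vendor instead of the file itself, and the member listing tells you what is inside before anyone double-clicks it; an archive named like a picture that holds a PE file is reason enough to quarantine it regardless of what the desktop scanner says that day.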