Home page logo

basics logo Security Basics mailing list archives

RE: New Virus?
From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Thu, 30 Jun 2005 09:15:51 +0000

Hi there everyone,

Thanks so much for everyone who offered their help and advice. I managed to remove the virus manually and it was correctly predicted by many of you as W32/Bagle.dldr. I was unsure of what it was as my Norton package did not detect it (hmm) - hopefully Symantec will put this in their next lot of virus signature files.
Thanks again everyone!
Thread end.

Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand


From: "J.Ayoola" <J.Ayoola () westminster ac uk>
To: "'Hamish Stanaway'" <koremeltdown () hotmail com>
CC: <security-basics () securityfocus com>
Subject: RE: New Virus?
Date: Wed, 29 Jun 2005 10:14:37 +0100
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([]) by mc10-f2.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 29 Jun 2005 16:03:27 -0700 Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for mail.hotmail.com []) with ESMTP; Wed, 29 Jun 2005 16:03:27 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [])by outgoing3.securityfocus.com (Postfix) with QMQPid 6781A237548; Wed, 29 Jun 2005 13:22:17 -0600 (MDT)
Received: (qmail 5037 invoked from network); 29 Jun 2005 09:54:43 -0000
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPtfpLB7P/ybN8=
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Organization: University of Westminster
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcV8OOMYc25f2e2qQwiaoEMI4peaOAAUX/Tg
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *1DnYea-00065a-00*mSvnYnPQ5ig* Return-Path: security-basics-return-34487-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 29 Jun 2005 23:03:27.0478 (UTC) FILETIME=[C263B960:01C57CFE]

This appears to be the trojan W32/Bagle.dldr.  McAfee has been detecting it
since the 26th of June. Click on the link for more info.



-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: 27 June 2005 23:42
To: security-basics () securityfocus com
Subject: New Virus?

Hey there everyone,

I recieved a mysterious email this morning at 1728 GMT which had headers as

Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [] (helo=david.org)
        by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
        id 1DmxJg-0003ou-Rg
        for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
MIME-Version: 1.0
Content-Type: multipart/mixed;

-------------------- END SNIP-----------------------

As you can guess, I'm hamish1 () webhosting net nz This email contained no text, only an attachment called legs.zip, which
Norton (fully updated to its' latest version and data files) did not detect
any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this again was
not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which gave me a

memory overflow message for explorer.exe immidiately.
Does anyone have any idea of what this might be, and also if it is a virus
that has already been identified? If not, I am willing to pass it through to

someone to take a look at in its' zip format.
Otherwise if the effects cannot be reversed, I am afraid I will have to
reformat this machine *sigh* NOT AGAIN :(
Have a great day everyone and thanks in advance for your help.

Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]