mailing list archives
Re: New Virus under way ...
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 19 Mar 2004 13:05:13 +1300
"Richard" <guruban () mweb co za> wrote:
Looks to be the latest in the Bagle / Beagle family. Symantec have got it
as the W32.Beagle.O () mm, discovered March 18 10:00
Yes -- there is huge naming confusion with the Bagles.
This is partly because of similarities between some Bagle variants and
some of the Mitglieder proxy Trojans and some vendors choosing Bagle
variant slots for what are "really" Mitglieders. It's also partly due
to some vendors not reporting as the same variant what are really the
same variants packed with different runtime decompressors.
However, the rash of new Bagle variants "last night" (for me) allowed
us to synchronize variant names at Bagle.R (unfortunately Symantec and
perhaps a few others had already named what most now have as Bagle.Q,
so there may be a small amount of confusion over that variant). Also
note that the forms of the Email messsages sent by Bagle.Q, .R, .S & .T
are identical, as these messages do not carry a copy of the virus.
Which variant the victim actually gets depends on what the machine at
the IP in the victim's message is serving up when the victim's browser
Full-Disclosure - We believe in it.