Full Disclosure mailing list archives

Re: New Virus under way ...
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 19 Mar 2004 13:05:13 +1300

"Richard" <guruban () mweb co za> wrote:

> Looks to be the latest in the Bagle / Beagle family. Symantec have got it
> as the W32.Beagle.O@mm, discovered March 18 10:00

Yes -- there is huge naming confusion with the Bagles.

This is partly because of similarities between some Bagle variants and 
some of the Mitglieder proxy Trojans and some vendors choosing Bagle 
variant slots for what are "really" Mitglieders.  It's also partly due 
to some vendors not reporting as the same variant what are really the 
same variants packed with different runtime decompressors.

However, the rash of new Bagle variants "last night" (for me) allowed 
us to synchronize variant names at Bagle.R (unfortunately Symantec and 
perhaps a few others had already named what most now have as Bagle.Q, 
so there may be a small amount of confusion over that variant).  Also 
note that the forms of the Email messages sent by Bagle.Q, .R, .S & .T 
are identical, as these messages do not carry a copy of the virus.  
Which variant the victim actually gets depends on what the machine at 
the IP in the victim's message is serving up when the victim's browser 
goes asking.


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
