Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: New Virus probably Bagle.Q
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>
Date: Thu, 18 Mar 2004 18:54:26 -0800

From:                   "Helmut Hauser" <helmut_hauser () hotmail com>
Date sent:              Thu, 18 Mar 2004 11:08:44 +0100

link to virus is ...
http://blah.blah.blah:81/100721.php

The php is a dead giveaway: this is probably Bagle.Q et al.  (The message probably 
had object tags around this, correct?)  The infected machine will download a 
script: the script will download a (seemingly innocuous) file, and then rename it 
and invoke it.  Then *you* start sending out email like that  :-)

Host is in Korea, abuse warning has been sent.

Have you also contacted the ISP?  The machine owner is probably unaware of 
what is going on.  (The samples I've got are from Korea as well.)


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
Those are my principles. If you don't like them I have others.
                                                      - Groucho Marx
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault