
Security Basics mailing list archives
FW: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website
From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Wed, 29 Jun 2005 12:44:05 +1200
-----Original Message-----
From: samples () sophos com au [mailto:samples () sophos com au]
Sent: Wednesday, 29 June 2005 12:38 p.m.
To: Hayden Searle
Subject: Re: ** [QAW-VAWU-AW34] Virus sample submitted from the Sophos website

Please quote [QAW-VAWU-AW34] in the subject line of any further correspondence related to this query.

Hi

Thank you for contacting Sophos Technical Support.

The sample e-mail you have sent in for analysis does contain the virus Troj/BagleDl-R.

Troj/BagleDl-R is a downloader Trojan which will download, install and run new software without notification that it is doing so.

Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security-related applications

Troj/BagleDl-R then attempts to download files from remote websites and run them.

Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate itself.

To remove the Virus/Trojan please visit the Sophos website and download the latest IDE files from the below URL:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

For manual removal refer to the below link under recovery:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

Regards,
The following virus sample was submitted on: Tue Jun 28 22:03:28 2005
________________________________________________________________________________

Name: Hayden Searle
Telephone: 6493633166
Email: hayden.searle () safecom co nz
Country: New Zealand
Company: Telecom New Zealand
Operating system(s): Windows XP Professional
OS language(s): English
Why do you want to send a sample?: File was sent with suspicious headers and an exe file was contained in a zip file. This file was run on an XP workstation and produced a memory overflow message for explorer.exe immediately.

________________________________________________________________________________

Document ID: F2FBAA3392292A878025702E0079680C
The following attachments have been removed: original.zip 21494 Bytes
Attachments automatically sent for checking at 23:08:40 on 28/06/2005
--
George Argyropoulos
Technical Support Engineer, Sophos
Tel: 02 9409 9111
Web: www.sophos.com.au
Protecting businesses against viruses and spam worldwide

#####################################################################################
Important: This electronic message and attachments (if any) are confidential and may be legally privileged. If you are not the intended recipient do not copy, disclose or use the contents in any way. Please let us know by return e-mail immediately and then destroy this message.
#####################################################################################
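The Sophos reply above lists "modify the HOSTS file" among the Trojan's capabilities; the practical check a responder wants on an affected Windows XP box is whether the HOSTS file still contains only the stock localhost mapping or has been used to sink or redirect anti-virus and update traffic. The following is an added example written for this archive page, not Sophos's code and not taken from their analysis. It parses HOSTS-file text and classifies every non-stock mapping. The list of security-vendor domains, the verdict names and the sample HOSTS content are constructed for illustration; the page does not say which entries Troj/BagleDl-R actually writes.

```python
"""Audit a Windows HOSTS file for anti-virus/update blocking or redirection.

Added example for the mailing-list page; not Sophos's code.  The vendor
domain list and SAMPLE_HOSTS below are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hostnames a downloader Trojan would typically sink or redirect so that
# security software cannot update.  ASSUMED list for illustration only.
SECURITY_HOST_SUFFIXES = (
    "sophos.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "trendmicro.com",
    "windowsupdate.com",
)

# The only mapping a clean Windows XP HOSTS file carries.
STOCK_ENTRIES = {("127.0.0.1", "localhost")}

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, hostname) tuple per mapping in HOSTS text.

    Comments (# ...) and blank lines are skipped.  A line listing several
    hostnames after one address yields one tuple per hostname, which is
    how the resolver treats it.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed; the resolver ignores it as well
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def _is_security_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SECURITY_HOST_SUFFIXES)


def classify(ip: str, host: str) -> str:
    """Classify one mapping.

    'ok'                        stock localhost line
    'blocked-security-site'     vendor host sunk to loopback/0.0.0.0
    'redirected-security-site'  vendor host pointed at some other address
    'suspicious'                anything else that is not stock
    """
    if (ip, host) in STOCK_ENTRIES:
        return "ok"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "suspicious"  # not even a valid address
    if _is_security_host(host):
        if addr.is_loopback or addr.is_unspecified:
            return "blocked-security-site"
        return "redirected-security-site"
    return "suspicious"


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Group every non-stock mapping in the HOSTS text by verdict."""
    report: Dict[str, List[Entry]] = {
        "blocked-security-site": [],
        "redirected-security-site": [],
        "suspicious": [],
    }
    for line_no, ip, host in parse_hosts(text):
        verdict = classify(ip, host)
        if verdict != "ok":
            report[verdict].append((line_no, ip, host))
    return report


# Constructed sample of a tampered XP HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
192.0.2.10      update.kaspersky.com   # documentation range, stands in for an attacker IP
"""

if __name__ == "__main__":
    for verdict, hits in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, ip, host in hits:
            print(f"line {line_no}: {ip:<15} {host}: {verdict}")
```

On Windows XP the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; read it with `open(path, encoding="ansi", errors="replace")`-style tolerance, since the file may carry a non-UTF-8 code page. Treat a hit in either of the security-site buckets as corroboration of the infection described in the reply, and remember that the file has to be cleaned after the Trojan process is stopped, or it will simply be rewritten.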