Svar: Re: bagle-i worm

Jan Elmqvist Nielsen jen at AH.DK
Tue Mar 2 21:30:04 GMT 2004


Hi

I have seen 1.
Kaspersky:
/var/spool/MailScanner/incoming/23295/i22K6AC28320/AttachedDocument.zip/ycfgeutj.scr
infected: I-Worm.Bagle.h

The mail says this:
You have won!!!
password  -- 01251

I am also running F-Prot, it doesn't catch it.
I don't know how Kaspersky detects it in the password protected zip file.
But it does :-)
Last Kaspersky update from 19.01

/Jan Elmqvist Nielsen

>>> marco at MUW.EDU 02-03-04 18:12 >>>
I can confirm that Bagle-I worm did make it through our MS gateways. I am
running both Sophos and Command AV (up-to-date) and both let it slip through.
We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it
helps. Meanwhile, I have blocked zip files temporarily.


Quoting Derek Winkler <dwinkler at ALGORITHMICS.COM>:

> For Bagle-H Sophos included this note:
>
> "W32/Bagle-H sends itself as a password protected ZIP file that is not
> detected by this identity. However, when unzipped by the user the worm will
> be detected by Sophos Anti-Virus at the user's desktop."
>
> May be true of Bagle-I since it also uses password protected ZIP files as
> well, although they didn't specifically say.
>
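
Added example, not part of the thread and not a description of how Kaspersky, Sophos or MailScanner work internally: in a standard password-protected ZIP the entry names and the per-entry encryption flag stay readable without the password, so a gateway can hold only encrypted archives that carry executable names instead of blocking all zip files. The extension list and function names are assumptions; the sample archive is constructed with harmless bytes.

```python
import io
import zipfile

# Assumed policy list of executable extensions; adjust to local policy.
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

def inspect_zip(data: bytes) -> dict:
    """Report what is readable in a ZIP attachment without its password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()          # parsed from the central directory
    except zipfile.BadZipFile:
        # Unparseable archive: nothing can be scanned, so hold it.
        return {"encrypted": [], "risky": [], "quarantine": True}
    # Bit 0 of the general-purpose flag marks an entry as encrypted.
    encrypted = [e.filename for e in entries if e.flag_bits & 0x1]
    risky = [e.filename for e in entries if e.filename.lower().endswith(RISKY_EXT)]
    # Hold the message when an entry the scanner cannot open has an executable name.
    hold = any(name in risky for name in encrypted)
    return {"encrypted": encrypted, "risky": risky, "quarantine": hold}

def sample_zip(name: str, encrypted: bool) -> bytes:
    """Constructed test archive: harmless bytes, encryption flag optionally set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")         # central directory file header
        raw[cd + 8] |= 0x01                  # flags field sits at offset 8
    return bytes(raw)

if __name__ == "__main__":
    for name, enc in (("ycfgeutj.scr", True), ("notes.txt", False)):
        print(name, inspect_zip(sample_zip(name, enc)))
```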