New virus??
Runald, Patrik
patrik.runald at F-SECURE.COM
Tue Mar 1 12:53:34 GMT 2005
It's been a busy morning. All in all we've found five new variants of Bagle, two of which could be considered trojans and not e-mail worms as they don't actively spread via e-mail. Some AV vendors might detect some of them using the same name for two or more variants.
Regards,
Patrik
---
Patrik Runald,
Technical Manager
F-Secure UK
________________________________________________________________________________
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Steen, Glenn
Sent: Tuesday, March 01, 2005 12:34 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: New virus??
Did more or less the same and got an extra.dat from McAfee that identifies at least two (different) types as "W32/Bagle.dldr (ED) virus", while still missing the third variant we've gotten (so far). Of course submitted that one too.
Boy am I glad for BitDefender today... Got the first ones "heuristically" as "BehavesLike:Win32.SiteHijack" and (after a virus update) either Win32.Bagle.BF at mm or "Trojan.Bagle.BE"... And these would have gotten through (well, most at least, since Clam would have gotten the "Trojan.Bagle.BE" as "Trojan.Small-57-3") if I'd just relied on McAfee and Clamav.
-- Glenn
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Randal, Phil
Sent: den 1 mars 2005 12:21
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: New virus??
We've received a couple of dozen since around 01:30 GMT.
I've submitted a sample to virustotal.com, jotti.org, clamav.net and McAfee's webimmune.net.
virustotal.com identifies it as W32.Bagle.bg (Kaspersky), W32/Bagle.bl (F-Prot).
virusscan.jotti.org calls it various things - Trojan.Dropper.Win32.FreshBind.11.b (and variants thereof).
webimmune.net detected it heuristically as a Bagle variant, but McAfee's latest daily test DATs didn't pick it up.
Well done Bitdefender.
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
________________________________________________________________________________
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Roger Jochem
Sent: 01 March 2005 09:05
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: New virus??
I'm receiving lots of these warnings too, only from bitdefender...
----- Original Message -----
From: David While
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: Tuesday, March 01, 2005 6:30 AM
Subject: New virus??
I have just started to receive the following warnings. It appears that only Bitdefender currently spots this virus (I run Bitdefender, ClamAV, F-Prot and Antivir).
Anyone else seeing it??
The following e-mails were found to have: Bad Filename Detected : Virus Detected
Sender: xxxx at xxxxxxxxxx
IP Address: 65.116.165.251
Recipient: belfast at boys-brigade.org.uk
Subject:
MessageID: j215N9QK011410
Report: Bitdefender: Found virus BehavesLike:Win32.SiteHijack in file price_new.zip
Bitdefender: Found virus BehavesLike:Win32.SiteHijack in file prs_03.exe
MailScanner: Executable DOS/Windows programs are dangerous in email (prs_03.exe)
No programs allowed (prs_03.exe)
Report: Bitdefender: Found virus BehavesLike:Win32.SiteHijack in file prs_03.exe
MailScanner: Executable DOS/Windows programs are dangerous in email (prs_03.exe)
No programs allowed (prs_03.exe)
--
MailScanner
Email Virus Scanner
www.mailscanner.info
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/)
and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!