New virus??

Pete Russell pete at ENITECH.COM.AU
Tue Mar 1 13:16:18 GMT 2005


Bitdefender on FreeBSD didn't detect any of them, BD on RHEL4 detected
loads :(

Anyone using Bitdefender on FreeBSD wanna give me any off-list tips?

Runald, Patrik wrote:
> It's been a busy morning. All in all we've found five new variants of
> Bagle, two of which could be considered trojans and not e-mail worms, as
> they don't actively spread via e-mail. Some AV vendors might detect some
> of them using the same name for two or more variants.
>
> Regards,
> Patrik
>
> ---
> Patrik Runald,
> Technical Manager
> F-Secure UK
>
>
>     ------------------------------------------------------------------------
>     *From:* MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
>     *On Behalf Of *Steen, Glenn
>     *Sent:* Tuesday, March 01, 2005 12:34 PM
>     *To:* MAILSCANNER at JISCMAIL.AC.UK
>     *Subject:* Re: New virus??
>
>     Did more or less the same and got an extra.dat from McAfee that
>     identifies at least two (different) types as "W32/Bagle.dldr (ED)
>     virus", while still missing the third variant we've gotten (so far).
>     Of course submitted that one too.
>
>     Boy am I glad for BitDefender today... Got the first ones
>     "heuristically" as "BehavesLike:Win32.SiteHijack" and (after a virus
>     update) either "Win32.Bagle.BF@mm" or "Trojan.Bagle.BE"... And these
>     would have gotten through (well, most at least, since Clam would have
>     gotten the "Trojan.Bagle.BE" as "Trojan.Small-57-3") if I'd just
>     relied on McAfee and Clamav.
>
>     -- Glenn
>
>         -----Original Message-----
>         *From:* MailScanner mailing list
>         [mailto:MAILSCANNER at JISCMAIL.AC.UK] *On Behalf Of *Randal, Phil
>         *Sent:* den 1 mars 2005 12:21
>         *To:* MAILSCANNER at JISCMAIL.AC.UK
>         *Subject:* Re: New virus??
>
>         We've received a couple of dozen since around 01:30 GMT.
>
>         I've submitted a sample to virustotal.com, jotti.org, clamav.net
>         and McAfee's webimmune.net.
>
>         virustotal.com identifies it as W32.Bagle.bg (Kaspersky),
>         W32/Bagle.bl (F-Prot).
>
>         virusscan.jotti.org calls it various things -
>         Trojan.Dropper.Win32.FreshBind.11.b (and variants thereof).
>
>         webimmune.net detected it heuristically as a Bagle variant, but
>         McAfee's latest daily test DATs didn't pick it up.
>
>         Well done Bitdefender.
>
>         Cheers,
>
>         Phil
>
>         ----
>         Phil Randal
>         Network Engineer
>         Herefordshire Council
>         Hereford, UK
>
>
>
>             ------------------------------------------------------------------------
>             *From:* MailScanner mailing list
>             [mailto:MAILSCANNER at JISCMAIL.AC.UK] *On Behalf Of *Roger Jochem
>             *Sent:* 01 March 2005 09:05
>             *To:* MAILSCANNER at JISCMAIL.AC.UK
>             *Subject:* Re: New virus??
>
>             I'm receiving lots of these warnings too, only from
>             bitdefender...
>
>                 ----- Original Message -----
>                 *From:* David While <mailto:David.While at UCE.AC.UK>
>                 *To:* MAILSCANNER at JISCMAIL.AC.UK
>                 *Sent:* Tuesday, March 01, 2005 6:30 AM
>                 *Subject:* New virus??
>
>                 I have just started to receive the following warnings.
>                 It appears that only Bitdefender currently spots this
>                 virus (I run Bitdefender, ClamAV, F-Prot and Antivir).
>
>                 Anyone else seeing it??
>
>
>                 The following e-mails were found to have: Bad Filename
>                 Detected : Virus Detected
>
>                 Sender: xxxx at xxxxxxxxxx
>
>                 IP Address: 65.116.165.251
>
>                 Recipient: belfast at boys-brigade.org.uk
>
>                 Subject:
>
>                 MessageID: j215N9QK011410
>
>                 Report: Bitdefender: Found virus
>                 BehavesLike:Win32.SiteHijack in file price_new.zip
>
>                 Bitdefender: Found virus BehavesLike:Win32.SiteHijack in
>                 file prs_03.exe
>
>                 MailScanner: Executable DOS/Windows programs are
>                 dangerous in email (prs_03.exe)
>
>                 No programs allowed (prs_03.exe)
>
>                 Report: Bitdefender: Found virus
>                 BehavesLike:Win32.SiteHijack in file prs_03.exe
>
>                 MailScanner: Executable DOS/Windows programs are
>                 dangerous in email (prs_03.exe)
>
>                 No programs allowed (prs_03.exe)
>
>
>
>                 --
>
>                 MailScanner
>
>                 Email Virus Scanner
>
>                 _www.mailscanner.info_
>
>             ------------------------ MailScanner list
>             ------------------------
>             To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>             'leave mailscanner' in the body of the email.
>             Before posting, read the MAQ (http://www.mailscanner.biz/maq/)
>             and the archives
>             (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>             *Support MailScanner development - buy the book off the
>             website!*
>
