SANS ISC: InfoSec Handlers Diary Blog

Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary

Published: 2004-01-19
Last Updated: 2004-01-19 19:04:49 UTC
by Patrick Nolan (Version: 1)
"Updated kernel packages available for Red Hat Enterprise Linux 3"

Advisory: RHSA-2004:017-06
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0001 to this issue."

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs: CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" address are once again causing needless congestion (see the SOBIG issues). Because the worm forges the From: address, every such autoreply goes to an uninvolved third party rather than to the infected host, so the notifications add traffic without warning anyone who can act on them. Offenders should consider changing this configuration.

Three write-ups specify that the worm's email carries an attachment of "Length: 15,872 bytes", and one write-up says the attachment name has "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine, AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In the AV vendor write-ups so far, the worm's hardcoded URLs have not had 1.php available, so the retrieval attempts fail; a gateway should expect to see the GET request itself rather than a successful download.
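The retrieval routine above gives a gateway or proxy administrator three things to look for: the /1.php URI with its p and id parameters, a p value equal to the backdoor port 6777, and the beagle_beagle User-Agent. The following is an added example, not code from the diary or from any AV vendor; it matches those indicators against a constructed proxy log whose format (client, quoted request line, status, quoted User-Agent) is an assumption made for the example. It deliberately ignores the HTTP status, because a failed download is exactly what the write-ups say to expect.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators quoted in the AV write-ups summarised in the diary.
BAGLE_PORT = 6777
BAGLE_USER_AGENT = "beagle_beagle"
# GET /1.php?p=<port>&id=<uid>   (uid format is not specified; any token accepted)
BAGLE_REQUEST_RE = re.compile(r"^GET\s+/1\.php\?p=(\d+)&id=([^&\s]+)")

# Constructed proxy log format (assumption for this example, not the diary's):
#   <client_ip> "<request line>" <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+(\d{3})\s+"([^"]*)"$')


@dataclass
class Hit:
    line_no: int
    client: str
    reasons: List[str]


def check_request(request: str, user_agent: str) -> List[str]:
    """Return the Bagel indicators matched by one request line and User-Agent.

    Each indicator is checked independently so that a variant which changes
    only the User-Agent, or only the URI, is still reported.
    """
    reasons: List[str] = []
    m = BAGLE_REQUEST_RE.match(request)
    if m:
        reasons.append("retrieval URI /1.php with p and id parameters")
        if int(m.group(1)) == BAGLE_PORT:
            reasons.append(f"p parameter equals backdoor port {BAGLE_PORT}")
    if user_agent == BAGLE_USER_AGENT:
        reasons.append(f"User-Agent {BAGLE_USER_AGENT!r}")
    return reasons


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan proxy log lines and return one Hit per line with any indicator.

    The HTTP status is parsed but not used for the decision: the write-ups
    say 1.php was not available, so the beacon normally produces an error
    response, and requiring a 200 would miss every infected host.
    """
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client, request, _status, ua = m.groups()
        reasons = check_request(request, ua)
        if reasons:
            hits.append(Hit(n, client, reasons))
    return hits


# Constructed sample log (not real traffic). Line 2 is the textbook beacon,
# line 3 keeps the URI but changes the User-Agent, line 4 keeps only the UA.
SAMPLE_LOG = [
    '10.0.0.12 "GET /index.html HTTP/1.0" 200 "Mozilla/4.0"',
    '10.0.0.23 "GET /1.php?p=6777&id=2a3f HTTP/1.1" 404 "beagle_beagle"',
    '10.0.0.31 "GET /1.php?p=6777&id=a1b2 HTTP/1.1" 404 "Mozilla/4.0"',
    '10.0.0.44 "GET /page.php?p=1&id=9 HTTP/1.0" 200 "beagle_beagle"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.client}: " + "; ".join(hit.reasons))
```

The clients reported by scan_log are the hosts to pull off the network and clean; a gateway that additionally sees a successful response to this request has a host that completed the second stage, which the write-ups so far have not observed.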

One vendor (TrendMicro) cryptically reports that "This worm may perform port scanning to connect to a remote system."

Patrick Nolan