New Beagle/Bagle-Related Malware Variants; A Note from David Litchfield

Published: 2005-03-01
Last Updated: 2005-03-01 21:44:57 UTC
by Lenny Zeltser (Version: 1)

Several Beagle-Related Malware Variants on the Loose

[Updated 12:46 EST to point to Kaspersky's blog and 15:44 EST to mention the CME initiative.]

We received reports of several malware specimens that anti-virus vendors have begun identifying as Beagle/Bagle worm variants or related file droppers. The short version of the story is that there are several Beagle/Bagle-related specimens on the loose today. Some of them are not currently detected by anti-virus engines. Please keep an eye on this threat as it develops, and update your signatures as soon as your anti-virus vendor updates them.

This quick note describes one of these variants, which Mike Spangler submitted to us yesterday, Feb 28 2005 at 9:21 PM EST. We received several other reports of this specimen in the subsequent hours. The victim received this specimen as an email attachment named newprice.zip (MD5 sum 9a85bac91432d50d8196a6e74b1a9784). The e-mail had no subject line, and had only the word "price" in its body. The attached Zip archive contained a file named doc_01.exe in a subdirectory "Loader". Although we could not find traditional anti-virus engines that would identify this specimen last night, we were able to scan it using Norman's on-line SandBox scanning service at . The scan's results suggested that doc_01.exe was a file dropper, designed to download an executable named zo2.jpg from a remote site. The downloaded executable, which was not available at the time, would be saved locally as "C:\WINDOWS\_re_file.exe".
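As an added illustration (not part of the original diary, and not a tool from any of the vendors named here), the following Python script shows how a mail gateway or incident handler could triage a zip attachment against the indicators given above: the MD5 of newprice.zip, and the layout of an executable (doc_01.exe) tucked into a subdirectory (Loader). The archive it builds is a constructed stand-in with placeholder bytes, so its hash will not match the real specimen; the hash check is demonstrated by passing the sample's own hash as the indicator set. The extension list is an assumption about what a gateway would treat as executable content.

```python
import hashlib
import io
import zipfile

# Indicator from the diary entry: the MD5 of the newprice.zip attachment.
KNOWN_BAD_MD5 = {"9a85bac91432d50d8196a6e74b1a9784"}

# Assumed list of extensions a mail gateway treats as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used only to match the published IoC)."""
    return hashlib.md5(data).hexdigest()


def triage_zip_attachment(name: str, data: bytes, known_bad=KNOWN_BAD_MD5) -> dict:
    """Classify a zip attachment held in memory.

    Verdicts: "known-bad" (hash matches an indicator), "suspicious" (archive
    carries executable members), "not-a-zip" (cannot be parsed), or "clean".
    """
    result = {
        "name": name,
        "md5": md5_hex(data),
        "hash_match": False,
        "executables": [],          # every executable member found
        "nested_executables": [],   # executables in a subdirectory, e.g. Loader/doc_01.exe
        "verdict": "clean",
    }
    result["hash_match"] = result["md5"] in known_bad

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Zip members use "/", but some archivers emit backslashes; normalise both.
                member = info.filename.replace("\\", "/")
                if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                    result["executables"].append(member)
                    if "/" in member.strip("/"):
                        result["nested_executables"].append(member)
    except zipfile.BadZipFile:
        result["verdict"] = "not-a-zip"
        return result

    if result["hash_match"]:
        result["verdict"] = "known-bad"
    elif result["executables"]:
        result["verdict"] = "suspicious"
    return result


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the newprice.zip layout (Loader/doc_01.exe).

    The member is a harmless placeholder string, not the real dropper, so the
    archive's MD5 will not match the published indicator.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Loader/doc_01.exe", b"placeholder bytes, not an executable")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control sample: a price list with no executable content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("price.txt", b"widget 12.00\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("newprice.zip", build_sample_zip()),
                        ("price.zip", build_benign_zip())):
        print(triage_zip_attachment(label, blob))
```

The point of keeping a path-based check beside the hash check is the one the diary makes: on the day of an outbreak the hash may be unknown to every engine, while the "executable inside a subdirectory of a zip" pattern is visible immediately and costs nothing to block or quarantine at the gateway.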

F-Secure seems to detect this specimen as Email-Worm.Win32.Bagle.bb, and says that this file is being dropped by Bagle.be:

F-Secure Bagle.bb:
http://www.f-secure.com/v-descs/bagle_bb.shtml

F-Secure Bagle.be: http://www.f-secure.com/v-descs/bagle_be.shtml

F-Secure blog comment: http://www.f-secure.com/weblog/#00000487

Symantec seems to refer to this specimen as Trojan.Tooso.B. According to Symantec, this specimen "is being emailed out by copies of W32.Beagle.BG@mm and W32.Beagle.BH@mm":

Symantec Tooso.B: http://www.sarc.com/avcenter/venc/data/trojan.tooso.c.html

Symantec Beagle.BG@mm: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.bg@mm.html

Symantec Beagle.BH@mm: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.bh@mm.html

McAfee seems to refer to this specimen as W32/Bagle.dldr and associates it with the W32/Bagle.bn@MM worm:

McAfee Bagle.dldr: http://vil.nai.com/vil/content/v_129512.htm

McAfee Bagle.bn@MM: http://vil.mcafeesecurity.com/vil/content/v_132120.htm

Computer Associates seems to refer to this specimen as Win32.Glieder.O, though there's a chance they are referring to a different variant of this specimen. According to CA, this trojan "has been spammed out to users by Win32.Bagle.BA":

CA Glieder.O (with screenshots): http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41947
CA Bagle.BA: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41948

Kaspersky detects today's Beagle/Bagle-related specimens as Email-Worm.win32.Bagle.bb-.bf. Their blog entry for today, titled "Bagle and SpamTool hand in hand" suggests that a recent update to a popular spamming tool was written with today's outbreak in mind. Kaspersky's analysts suspect that the persons behind today's outbreak are "creating new variants every time we release updates to block previous versions."
Kaspersky blog: http://www.viruslist.com/en/weblog

The naming and identification confusion associated with today's outbreaks reminds me of the diary I wrote in
. On that day we also had several Beagle/Bagle variants floating around. We really do need a more effective way of referring to such specimens on the day of the outbreak; I am greatly looking forward to the appearance of the CME (Common Malware Enumeration) initiative, which was announced in our Diary on .

An Update Regarding the December 23rd Diary Entry

We received a note from David Litchfield, referring to the Diary we
published on December 23rd, 2004. In the diary, Erik commented upon David's
disclosure of vulnerability details. David's response, published in this
Diary with his permission, is presented below:

"Hi Erik,

Found this today -
http://isc.sans.org/diary.php?date=2004-12-23 and would
like to put the record straight. When these advisories were posted I was
away in Australia getting married; someone else posted them and, yes, whilst
the timing was bad, it was thoughtless - and not intended to be rude, mean
or spiteful. As you'll appreciate, being labeled a "grinch" for something
that wasn't really in your control is upsetting. If I had been in the U.K.
and working on the 1st December the advisories would have been posted on
time and not two days before Christmas.

I'd appreciate it if you could either remove the comments or at least update
them.

Cheers,

David"


Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com