Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New Mass Mailing Virus - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New Mass Mailing Virus

New Mass Mailing Virus

A new mass mailing virus is spreading around the Internet today. Most of the Anti-Virus vendors are calling it Bagle.B. This virus harvests email addresses from infected computers and uses those addresses as the To: address while spoofing the From: address. The primary characteristics of the emails it sends are as follows:

* Subject: ID <random characters>... thanks

* Body:

* Yours ID <random characters>

* - -

* Thank

* Attachment: <random characters>.exe

If the attachment is opened, it will create a backdoor on tcp port 8866 and
will search 4 websites for email addresses to announce the IP address of
the infected computer to would-be hackers. Afterwards the infected
computer will start mass-mailing the virus laden emails to any email
addresses it finds on the infected computer.

Verify that your Anti-Virus software is up to date, and continue to practice safe computing practices. If you were not expecting the attachment don't touch it.

For more technical details please check the following websites.

Symantec -

McAfee -

Sophos -

(or your favorite Anti-Virus Vendor's website)

Thanks to Scott Fendley for the use of this information.

New worms and viruses

Today has been a busy day for SysAdmin's. There has been an explosion of new worms and malware seen today. It is important for everyone to use extreme care for the next few days as this activity shakes out.

50% Increase in Email Fraud and Phishing in January

According to an article at, " E-mail fraud and phishing scams grew by more than 50% in January, with an average of 5.7 new, unique attacks sent out to millions of consumers each day." Check out the article at

Handler on Duty

Deb Hale

279 Posts
ISC Handler
Feb 18th 2004

Sign Up for Free or Log In to start participating in the conversation!