Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary
"Updated kernel packages available for Red Hat Enterprise Linux 3"

Advisory: RHSA-2004:017-06
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue."
http://rhn.redhat.com/errata/RHSA-2004-017.html

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs (cve.mitre.org): CAN-2004-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" source are once again causing needless congestion (see SOBIG issues). Offenders should consider changing this configuration.

Three write-ups specify the worm's email will have an attachment "Length: 15,872 bytes" and one write-up says it is "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of it's email routine AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In AV Vendor write-ups so far the worm has hardcoded URLS which have not had 1.php available.

One Vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://vil.nai.com/vil/content/v_100965.htm
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html
http://www.messagelabs.com/viruseye/threats/list/default.asp
http://wtc.trendmicro.com/wtc/summary.asp

Patrick Nolan
 Patrick

193 Posts
Subscribe Jan 19th 2004
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!