myITforum.com
Welcome to myITforum.com Sign in | Join | Help
in Search
Site Home Home Bloggers List Blogs Photos Downloads

Harry Waldron at myITforum.com

Sharing Security Developments, and Best Practices for corporate and home users

Bagle.CZ - New variant using CPL extensions

  This new variant was massively spammed via email and while the downloader component doesn't appear to be working, this new variant can deactivate existing AV or FW software installed on the PC.  The CPL extensions are typically found inside of a zipped archieve. This modified variant bypasses detectability in most AV products and users should be cautious in handling email messages.

McAfee information on this massively spammed variant
http://vil.nai.com/vil/content/v_129588.htm

Trend information
http://secunia.com/virus_information/21411/trojbagle.cz/

Sophos information
http://www.sophos.com/virusinfo/analyses/trojdropperbc.html

ISC information
http://isc.sans.org/diary.php?storyid=665

Multiple new variants of this threat were recently mass spammed. Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc.  The variants seen thus far are non functional, and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%. The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants. This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.

Published Sep 12 2005, 04:10 PM by hwaldron

Comments

No Comments

This Blog

Syndication
Copyright - www.myITforum.com, Inc. - 2007 All Rights reserved.
Powered by Community Server (Commercial Edition), by Telligent Systems