Virus alert!

SagaLore

I can't identify an infector file I just quarantined at our gateway. InoculateIT and Command AV can't detect it.

It came as Alive_Condom.vbs - and contained simple code with a long ASCII array it uses to assemble an executable file, then runs that file. I deleted the lines for the execution and ran it, to generate vss_2.exe. Scanning that also yields no results. I don't find any mention of a new virus like this.

Anybody else receive something like this?

edit:
Okay I found it. I used Panda's online scan to detect it.

It's Bagel.AB. When will these variants ever stop???
 

techfuzz

I think we got something like that the other day. Our gateway stopped a message identified as a "bloodhound virus" but it had no official name. We hadn't ever received anything like that before.

techfuzz
 

SagaLore

Okay I found it. I used Panda's online scan to detect it.

It's Bagel.AB.
 

FoBoT

Originally posted by: techfuzz
Our gateway stopped a message identified as a "bloodhound virus" but it had no official name. We hadn't ever received anything like that before.

techfuzz

somebody came in with their laptop infected with this today

i grabbed her PAB and spoofed email to a bunch of people trying to spread itself
 

Harvey

I searched Computer Associates' Virus Info Center for Alive_Condom and found this info. They identify it as Win32.Bagle.X.
The attachment name is chosen from the following list:

Alive_condom
Counter_strike
Details
Details
Document
Half_Live
I_search_for_you
Info
Information
Joke
Loves_money
Manufacture
Message
MoreInfo
Nervous_illnesses
Readme
Smoke
Toy
You_are_dismissed
You_will_answer_to_me
Your_complaint
Your_money
text_document
the_message
the_message

The extension can be one of the following:

.exe
.scr
.com
.zip
.vbs
.hta
.cpl
Searching Symantec for Bagle.X gets this info, dated April 26, 2004, which they call Beagle.W. They also show an even newer alert, today, for another variant to which they assign the .X extension, W32.Beagle.X@mm. :frown:

Looks like Bagle and Beagle are interchangeable, but the dog wouldn't go as well with lox cream cheese. :p
 

gistech1978

i think i got this one this AM
its long since deleted, but it was a picture of a girl, and the files attached were a jpg and information.cpl
 

911paramedic

An email was sent to you that we have identified as containing a virus. Below find the details of the infected message:

From: cscappos@earthlink.net
Date: Tue, 27 Apr 2004 23:11:31 -0400
Virus Name: W32/Netsky.p@MM
Infected Attachments: 0000014a.EML, /0000014a.EML, /0000014a.EML/0000008d.EML, /message.scr

Sincerely,

The Cox High Speed Internet Team

Got this message today, I guess they delete these before I even get them now.
 

KLin

I got an email in my yahoo account with a .vbs attachment. I wanted to d/l it and take a look at the code, but it wouldn't let me. It showed the virus as being W32.Beagle.X@mm
 

Zim Hosein

Originally posted by: silverpig
NAV has updated its virus definitions twice on me today.

Same here!

Thanks for the post SagaLore :beer:
 

SagaLore

What gets me, is the fact that it is a simple vbs script and none of the virus scanners were picking it up. It's obvious it's a virus when you look at the script. It creates an exe file, then executes it - at least heuristics should be all over it! But nope...

This shows how important a personal firewall can be - one that protects applications and authorizes application activity (zone alarm, sygate, etc.). If I were a gullible user and double clicked on that vbs script, in theory the personal firewall would either ask me if that exe was okay to run, or look at the activity over port 25 and stop it.
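
The kind of heuristic the post above asks for can be sketched as a static check over the script text. This is an added example, not code from any poster or from the scanners named in the thread; the signal patterns, the threshold and both sample scripts are assumptions constructed for illustration, and the suspect sample is an inert fragment.

```python
import re

# Three independent signals plus a file-name hint. A script showing most of
# them has the "byte array -> write file -> run file" shape described above.
NUMERIC_RUN = re.compile(r"(?:\b\d{1,3}\s*,[\s_]*){200,}")  # 200+ small integers in a row
FILE_WRITE = re.compile(r"CreateTextFile|OpenTextFile|ADODB\.Stream|SaveToFile", re.I)
EXECUTE = re.compile(r"WScript\.Shell|Shell\.Application|\.Run\b|\.Exec\b|ShellExecute", re.I)
EXE_NAME = re.compile(r'"[^"\n]*\.(?:exe|scr|com|pif)"', re.I)

def score_script(text):
    """Return (score, reasons) for the text of a .vbs or .hta attachment."""
    reasons = []
    if NUMERIC_RUN.search(text):
        reasons.append("long run of small integers (embedded byte array)")
    if FILE_WRITE.search(text):
        reasons.append("writes a file through FSO or ADODB")
    if EXECUTE.search(text):
        reasons.append("launches a process")
    if EXE_NAME.search(text):
        reasons.append("references an executable file name")
    return len(reasons), reasons

def verdict(text, threshold=3):
    """Quarantine only when several signals coincide; one alone is common in admin scripts."""
    score, reasons = score_script(text)
    return ("quarantine" if score >= threshold else "pass"), reasons

# Constructed, inert fragment: it declares an array and names a file but never writes the data.
SAMPLE_SUSPECT = (
    "d = Array(" + ",".join(["77", "90"] + ["0"] * 300) + ")\n"
    'Set f = CreateObject("Scripting.FileSystemObject").CreateTextFile("x.exe")\n'
    'CreateObject("WScript.Shell").Run "x.exe"\n'
)
# Constructed benign admin script: it launches a program but embeds and writes nothing.
SAMPLE_BENIGN = (
    "days = Array(31, 28, 31, 30)\n"
    'CreateObject("WScript.Shell").Run "notepad.exe"\n'
)

if __name__ == "__main__":
    for label, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(text))
```

The benign sample trips two signals and still passes, which is why the verdict requires several signals together rather than any single one.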
 

MikePanic

at least 10-15% of my emails lately have been infected w/ something or other... this is really starting to get old
 

earthling30

I agree! It seems to be coming from the spammers mostly on my end of the States! Ha, I'm so glad for them! :laugh: What goes around comes around. Not that I had anything to do with those viruses floating around, I'm just a potential victim like every other user on the internet.
 

techfuzz

I like that we block every vbs file that comes through the gateway where I work. There isn't a single chance that a user can get it through via email and cause a catastrophe here.

techfuzz
 

SagaLore

Originally posted by: techfuzz
I like that we block every vbs file that comes through the gateway where I work. There isn't a single chance that a user can get it through via email and cause a catastrophe here.

techfuzz

Same here. I block every executable (exe, com, vbs, scr, etc.) and archive it into a mailbox, then send a notice to the user. If the user was expecting it for legitimate reasons, they'll forward the notice to me and I'll release it for them if I determine it's safe.

Our network stays 100% virus free.

I'm actually having more problems with spyware than anything...
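
The block-and-quarantine policy described in the post above, as an added example that is not the poster's gateway configuration. The extension set combines the ones named in this thread; looking inside .zip attachments goes a step beyond what the posts describe, and the function names, action labels and sample messages are assumptions constructed for illustration.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in this thread (the posters' block lists plus the CA list).
BLOCKED = {".exe", ".com", ".vbs", ".scr", ".hta", ".cpl"}

def ext_of(name):
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    name = name.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def blocked_names(msg):
    """Return attachment (or zip member) names whose final extension is blocked."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if ext_of(name) in BLOCKED:
            hits.append(name)
        elif ext_of(name) == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if ext_of(m) in BLOCKED]
            except zipfile.BadZipFile:
                hits.append(name + " (unreadable archive)")  # fail closed
    return hits

def gateway_action(raw):
    """Decide what the gateway does with one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = blocked_names(msg)
    return ("quarantine-and-notify", hits) if hits else ("deliver", hits)

def build_sample(filename, payload):
    # Constructed test message; the addresses use reserved example domains.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.net", "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(gateway_action(build_sample("Alive_condom.vbs", b"constructed")))
    print(gateway_action(build_sample("photo.jpg", b"constructed")))
```

Matching on the final extension catches double-extension names such as `Details.txt.scr`, and an archive that cannot be opened is quarantined rather than delivered.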
 

MazerRackham

Info from UC Irvine:

Last night around 8:30pm, a new variant of the phatbot worm hit
campus. This one exploits one of the vulnerabilities that was patched
by one of the Microsoft patches (MS04-011) that were released 2 weeks
ago. As of 7am this morning almost 200 campus systems have been
infected with this worm. A list of systems is below - if any are in
your area please get them cleaned up ASAP.
 

SuepaFly

I've been getting virus infected email for a few days now. Pretty tricky too since they have something on the bottom like a "scanned by AVG no virus detected". Also my friend sent me some email from a hotmail address saying "I found you on a spamming list, is this true?" Didn't think hotmail could do that.
 

Jzero

Originally posted by: SagaLore
Originally posted by: techfuzz
I like that we block every vbs file that comes through the gateway where I work. There isn't a single chance that a user can get it through via email and cause a catastrophe here.

techfuzz

Same here. I block every executable (exe, com, vbs, scr, etc.) and archive it into a mailbox, then send a notice to the user. If the user was expecting it for legitimate reasons, they'll forward the notice to me and I'll release it for them if I determine it's safe.

Our network stays 100% virus free.

I'm actually having more problems with spyware than anything...

Me too. Between SUS and rule-based file filtering, I don't lose much sleep over viruses these days.