RE: [Full-Disclosure] (no subject)

2004-08-09 Thread Corey Hart
From incidents.org.  It appears to be a new W32/Bagle variant.

Updated August 9th 2004 18:59 UTC (Handler: Jason Lam) 
* New Bagle (?) Variant Spreading

(PRELIMINARY) 

We received a number of reports about a new virus. Based on a quick string
analysis, we assume that this will be classified as a new member of the
'Bagle' family. Like prior versions, it includes a lengthy list of URLs.
Infected systems will likely attempt to contact these URLs. 

All samples received so far arrive without subject. Attachment names are
price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads
'price' or 'new price'. 

According to handler Tom Liston, the virus installs itself as
C:\WINDOWS\System32\WINdirect.exe and runs from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe 

Mitigation 

Temporarily quarantine or reject all ZIP attachments until AV vendors
release signatures. You may also want to monitor or block access to the URLs
listed below. Some AV programs do already identify this new version as
malware using generic signatures. 

AV Summary (from http://www.virustotal.com)


Vendor          Engine/Signatures          Result
BitDefender     7.0/20040809               found [JS.Dword.dropper]
ClamWin         devel-20040727/20040809    found [Trojan.JS.RunMe]
eTrustAV-Inoc   4641/20040728              found [JScript/IE.VM.Exploit]
F-Prot          3.15/20040809              found nothing
Kaspersky       4.0.2.23/20040809          found nothing
McAfee          4383/20040804              found [JS/IllWill]
NOD32v2         1.835/20040806             found [Win32/IE.Dword unknown infection type (Exploit)]
Norman          5.70.10/20040806           found [W32/Malware]
Panda           7.02.00/20040809           found [Fichero Sospechoso]
Sybari          7.5.1314/20040809          found [JScript/IE.VM.Exploit]
Symantec        8.0/20040808               found nothing
TrendMicro      7.000/20040804             found nothing

List of URLs (and respective IPs) 

Note: From past experience, only a small number of these sites are
compromised (if any at all) to update the virus. Most of the sites serve as
decoys. However, virus-infected systems will access these sites, and if you,
for example, use a web proxy, you may be able to find infected systems.

We do not know if any of these sites are used to update the code, or if they
are just used to collect information about infected systems. 

http://polobeer.de/2.jpg
http://r2626r.de/2.jpg
http://kooltokyo.ru/2.jpg
http://mmag.ru/2.jpg
http://advm1.gm.fh-koeln.de/2.jpg
http://evadia.ru/2.jpg
http://megion.ru/2.jpg
http://molinero-berlin.de/2.jpg
http://dozenten.f1.fhtw-berlin.de/2.jpg
http://shadkhan.ru/2.jpg
http://sacred.ru/2.jpg
http://kypexin.ru/2.jpg
http://www.gantke-net.com/2.jpg
http://www.mcschnaeppchen.com/2.jpg
http://www.rollenspielzirkel.de/2.jpg
http://134.102.228.45/2.jpg
http://196.12.49.27/2.jpg
http://aus-Zeit.com/2.jpg
http://lottery.h11.ru/2.jpg
http://herzog.cs.uni-magdeburg.de/2.jpg
http://yaguark.h10.ru/2.jpg
http://213.188.129.72/2.jpg
http://thorpedo.us/2.jpg
http://szm.sk/2.jpg
http://lars-s.privat.t-online.de/2.jpg
http://www.no-abi2003.de/2.jpg
http://www.mdmedia.org/2.jpg
http://abi-2004.org/2.jpg
http://sovea.de/2.jpg
http://www.porta.de/2.jpg
http://matzlinger.com/2.jpg
http://pocono.ru/2.jpg
http://controltechniques.ru/2.jpg
http://alexey.pioneers.com.ru/2.jpg
http://momentum.ru/2.jpg
http://omegat.ru/2.jpg
http://www.perfectgirls.net/2.jpg
http://porno-mania.net/2.jpg
http://colleen.ai.net/2.jpg
http://ourcj.com/2.jpg
http://free.bestialityhost.com/2.jpg
http://slavarik.ru/2.jpg
http://burn2k.ipupdater.com/2.jpg
http://carabi.ru/2.jpg
http://spbbook.ru/2.jpg
http://binn.ru/2.jpg
http://sbuilder.ru/2.jpg
http://protek.ru/2.jpg
http://www.PlayGround.ru/2.jpg
http://celine.artics.ru/2.jpg
http://www.artics.ru/2.jpg
http://www.laserbuild.ru/2.jpg
http://www.lamatec.com/2.jpg
http://www.sensi.com/2.jpg
http://www.oldtownradio.com/2.jpg
http://www.youbuynow.com/2.jpg
http://64.62.172.118/2.jpg
http://www.tayles.com/2.jpg
http://dodgetheatre.com/2.jpg
http://www.thepositivesideofsports.com/2.jpg
http://www.bridesinrussia.com/2.jpg
http://fairy.dataforce.net/2.jpg
http://www.pakwerk.ru/2.jpg
http://home.profootball.ru/2.jpg
http://www.ankil.ru/2.jpg
http://www.ddosers.net/2.jpg
http://tarkosale.net/2.jpg
http://www.boglen.com/2.jpg
http://change.east.ru/2.jpg
http://www.teatr-estrada.ru/2.jpg
http://www.glass-master.ru/2.jpg
http://www.zeiss.ru/2.jpg
http://www.sposob.ru/2.jpg
http://www.glavriba.ru/2.jpg
http://alfinternational.ru/2.jpg
http://euroviolence.com/2.jpg
http://www.webronet.com/2.jpg
http://www.virtmemb.com/2.jpg
http://www.infognt.com/2.jpg
http://www.vivamedia.ru/2.jpg
http://www.zelnet.ru/2.jpg
http://www.dsmedia.ru/2.jpg
http://www.vendex.ru/2.jpg
http://www.elit-line.ru/2.jpg
http://pixel.co.il/2.jpg
http://www.milm.ru/2.jpg
http://dev.tikls.net/2.jpg
http://www.met.pl/2.jpg
http://www.strefa.pl/2.jpg
http://kafka.punkt.pl/2.jpg
http://www.rubikon.pl/2.jpg
http://www.neostrada.pl/2.jpg
http://werel1.web-gratis.net/2.jpg
http://www.tuhart.net/2.jpg
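The diary's suggestion to look for infected machines in web-proxy logs, carried out as an added example (this is not code from the ISC diary or from the original post): the script below parses Squid-style access.log lines, matches the requested host and path against the URL list, and reports which client IPs asked for a Bagle URL. The log lines are constructed for the demonstration, only a handful of the listed URLs are included (the full list drops in the same way), and the Squid native log layout is an assumption about the reader's proxy. Hostnames are compared case-insensitively because the list itself mixes case (aus-Zeit.com, www.PlayGround.ru), and a request is counted regardless of HTTP status, since a 404 from a decoy site still marks the requester as infected.

```python
"""Find Bagle-infected clients in web-proxy access logs.

Added example, not from the ISC diary or the original post. Log lines are
constructed for the demonstration; the log layout assumed is Squid's native
access.log (time elapsed client code/status bytes method URL rfc931 peer type).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A subset of the URL list from the diary. Paste the whole list here in practice.
BAGLE_URLS = [
    "http://polobeer.de/2.jpg",
    "http://aus-Zeit.com/2.jpg",
    "http://www.PlayGround.ru/2.jpg",
    "http://134.102.228.45/2.jpg",
    "http://lottery.h11.ru/2.jpg",
]


def ioc_set(urls):
    """Normalise the list to (host, path) pairs; hostnames are case-insensitive."""
    out = set()
    for u in urls:
        p = urlsplit(u)
        out.add((p.hostname.lower(), p.path))
    return out


IOCS = ioc_set(BAGLE_URLS)

# Squid native access.log fields up to the URL; the rest of the line is ignored.
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None


def is_bagle_hit(url):
    """True if the URL's host (case-insensitive) and path are on the list."""
    p = urlsplit(url)
    if not p.hostname:
        return False
    return (p.hostname.lower(), p.path) in IOCS


def find_infected(lines):
    """Map each client IP that requested a listed URL to the hosts it contacted.

    The HTTP status is deliberately ignored: a decoy site answering 404 still
    means the client tried to fetch the update, i.e. it is running the worm.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_bagle_hit(rec["url"]):
            hits[rec["client"]].add(urlsplit(rec["url"]).hostname.lower())
    return {client: sorted(hosts) for client, hosts in hits.items()}


# Constructed sample log: two infected clients, one benign client, one unparseable line.
SAMPLE_LOG = """\
1092078000.123    412 10.1.2.3 TCP_MISS/200 4312 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1092078001.456     88 10.1.2.3 TCP_MISS/404 310 GET http://polobeer.de/2.jpg - DIRECT/192.0.2.20 text/html
1092078002.789    120 10.1.2.7 TCP_MISS/200 2048 GET http://WWW.PLAYGROUND.RU/2.jpg - DIRECT/192.0.2.30 image/jpeg
1092078003.000     30 10.1.2.9 TCP_HIT/200 1500 GET http://aus-zeit.com/3.jpg - NONE/- image/jpeg
1092078004.000     30 10.1.2.7 TCP_MISS/200 900 GET http://134.102.228.45/2.jpg - DIRECT/134.102.228.45 image/jpeg
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, hosts in sorted(find_infected(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {', '.join(hosts)}")
```

Against a live proxy, pass the open log file to `find_infected` instead of `SAMPLE_LOG.splitlines()`; the match is on host and path only, so a client fetching a different file from one of these hosts (the `/3.jpg` line above) is not flagged, which keeps the false-positive rate low on the non-decoy sites that also host legitimate content.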

Re: [Full-Disclosure] M$ puts bounty out for Blaster and Sobig culprits

2003-11-05 Thread Corey Hart
To write flawed code is one thing.  To write code to expose flawed code
is another thing.  To write code to take advantage of the flawed code and
to cause damage to machines all over the world is a crime and the person
who wrote that should be brought to justice.

My 2 cents.


Eric Bowser wrote:

 What about a bounty for the original engineer who wrote the flawed OS
 components?

 On Wed, 2003-11-05 at 10:02, Vic Vandal wrote:
  M$ is offering $250K for info leading to the arrest of those
  who released Blaster and/or Sobig.  See the details here:
  http://news.com.com/2100-7355_3-5102110.html?tag=nefd_top
 
  One outcome of this will be severely limiting bragging about
  pulling off such sploits.
  And one would think those actually guilty should be real busy
  right now erasing any/all evidence (that they didn't take care
  of long ago).
 
  Maybe M$ should put out a bounty for reporting bugs in their
  crappy software without going public instead.  That might be
  more effective.
 
  Peace,
  Vic
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 --
 Eric J. Bowser
 330.658.9858 direct
 330.658.0123 fax

 i-TRAP Internet Security Services
 888-658-TRAP toll-free
 330.658.1040 local
 www.i-trap.net








Re: [Full-Disclosure] NEW windows password encryption flaw..

2003-07-23 Thread Corey Hart
all those certs and not a clue...they just sped up an old process

Darren Bennett wrote:

 Is this new? I read about it on slashdot...

 http://lasecpc13.epfl.ch/ntcrack/

 Basically, it seems that Microsoft has (yet again) screwed up the
 implementation of their encryption scheme. This makes cracking any hash
 a matter of seconds. Oops...
 --
 ---
 Darren Bennett
 CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
 Sr. Systems Administrator/Manager
 Science Applications International Corporation
 Advanced Systems Development and Integration
 ---



