From incidents.org. I appears to be a new W32/Bagel Variant.
Updated August 9th 2004 18:59 UTC (Handler: Jason Lam)
* New Bagle (?) Variant Spreading
New Bagle Variant Spreading
(PRELIMINARY)
We received a number of reports about a new virus. Based on a quick string
analysis, we assume that this will be classified as a new member of the
'Bagle' family. Like prior versions, it includes a lengthy list of URLs.
Infected systems will likely attempt to contact these URLs.
All samples received so far arrive without subject. Attachment names are
price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads
'price' or 'new price'.
According to handler Tom Liston, the virus installs itself as
C:\WINDOWS\System32\WINdirect.exe and runs from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe
Mitigation
Temporarily quarantine or reject all ZIP attachments until AV vendors
release signatures. You may also want to monitor or block access to the URLs
listed below. Some AV programs do already identify this new version as
malware using generic signatures.
AV Summary (fromhttp://www.virustotal.com )
BitDefender 7.0/20040809found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found nothing
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.835/20040806 found [Win32/IE.Dword unknown infection type
(Exploit)]
Norman 5.70.10/20040806found [W32/Malware]
Panda 7.02.00/20040809found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JScript/IE.VM.Exploit]
Symantec8.0/20040808found nothing
TrendMicro 7.000/20040804 found nothing
List of URLs (and respective IPs)
Note: From past experience, only a small number of these sites is
compromised (if any at all) to update the virus. Most of the sites serve as
decoys. However, virus infected systems will access these sites and if you
for example use a web proxy, you may be able to find infected systems.
We do not know if any of these sites are used to update the code, or if they
are just used to collect information about infected systems.
http://polobeer.de/2.jpg
http://r2626r.de/2.jpg
http://kooltokyo.ru/2.jpg
http://mmag.ru/2.jpg
http://advm1.gm.fh-koeln.de/2.jpg
http://evadia.ru/2.jpg
http://megion.ru/2.jpg
http://molinero-berlin.de/2.jpg
http://dozenten.f1.fhtw-berlin.de/2.jpg
http://shadkhan.ru/2.jpg
http://sacred.ru/2.jpg
http://kypexin.ru/2.jpg
http://www.gantke-net.com/2.jpg
http://www.mcschnaeppchen.com/2.jpg
http://www.rollenspielzirkel.de/2.jpg
http://134.102.228.45/2.jpg
http://196.12.49.27/2.jpg
http://aus-Zeit.com/2.jpg
http://lottery.h11.ru/2.jpg
http://herzog.cs.uni-magdeburg.de/2.jpg
http://yaguark.h10.ru/2.jpg
http://213.188.129.72/2.jpg
http://thorpedo.us/2.jpg
http://szm.sk/2.jpg
http://lars-s.privat.t-online.de/2.jpg
http://www.no-abi2003.de/2.jpg
http://www.mdmedia.org/2.jpg
http://abi-2004.org/2.jpg
http://sovea.de/2.jpg
http://www.porta.de/2.jpg
http://matzlinger.com/2.jpg
http://pocono.ru/2.jpg
http://controltechniques.ru/2.jpg
http://alexey.pioneers.com.ru/2.jpg
http://momentum.ru/2.jpg
http://omegat.ru/2.jpg
http://www.perfectgirls.net/2.jpg
http://porno-mania.net/2.jpg
http://colleen.ai.net/2.jpg
http://ourcj.com/2.jpg
http://free.bestialityhost.com/2.jpg
http://slavarik.ru/2.jpg
http://burn2k.ipupdater.com/2.jpg
http://carabi.ru/2.jpg
http://spbbook.ru/2.jpg
http://binn.ru/2.jpg
http://sbuilder.ru/2.jpg
http://protek.ru/2.jpg
http://www.PlayGround.ru/2.jpg
http://celine.artics.ru/2.jpg
http://www.artics.ru/2.jpg
http://www.laserbuild.ru/2.jpg
http://www.lamatec.com/2.jpg
http://www.sensi.com/2.jpg
http://www.oldtownradio.com/2.jpg
http://www.youbuynow.com/2.jpg
http://64.62.172.118/2.jpg
http://www.tayles.com/2.jpg
http://dodgetheatre.com/2.jpg
http://www.thepositivesideofsports.com/2.jpg
http://www.bridesinrussia.com/2.jpg
http://fairy.dataforce.net/2.jpg
http://www.pakwerk.ru/2.jpg
http://home.profootball.ru/2.jpg
http://www.ankil.ru/2.jpg
http://www.ddosers.net/2.jpg
http://tarkosale.net/2.jpg
http://www.boglen.com/2.jpg
http://change.east.ru/2.jpg
http://www.teatr-estrada.ru/2.jpg
http://www.glass-master.ru/2.jpg
http://www.zeiss.ru/2.jpg
http://www.sposob.ru/2.jpg
http://www.glavriba.ru/2.jpg
http://alfinternational.ru/2.jpg
http://euroviolence.com/2.jpg
http://www.webronet.com/2.jpg
http://www.virtmemb.com/2.jpg
http://www.infognt.com/2.jpg
http://www.vivamedia.ru/2.jpg
http://www.zelnet.ru/2.jpg
http://www.dsmedia.ru/2.jpg
http://www.vendex.ru/2.jpg
http://www.elit-line.ru/2.jpg
http://pixel.co.il/2.jpg
http://www.milm.ru/2.jpg
http://dev.tikls.net/2.jpg
http://www.met.pl/2.jpg
http://www.strefa.pl/2.jpg
http://kafka.punkt.pl/2.jpg
http://www.rubikon.pl/2.jpg
http://www.neostrada.pl/2.jpg
http://werel1.web-gratis.net/2.jpg
http://www.tuhart.net/2.jpg