So, I submitted the suspicious attachment I received to virustotal (email@example.com with SCAN in the subject and suspicious file as attachment.) What follows below is the report I received. It looks like some of the big names (Symantec, McAfee are not finding anything wrong with it at this point, with the hodge-podge of names it will take me a bit to investigate and see if the other vendors are tagging it as new.)
Anyway here was my reply from virustotal…
Date: 11/23/2005 17:47:52 (CET)
AntiVir 18.104.22.168/20051123 found [TR/Bagle.EC]
Avast 4.6.695.0/20051123 found [Win32:Beagle-FR]
AVG 718/20051123 found [I-Worm/Bagle]
Avira 22.214.171.124/20051123 found [TR/Bagle.ED]
BitDefender 7.2/20051123 found [Trojan.Downloader.Bagle.F]
CAT-QuickHeal 8.00/20051123 found [(Suspicious) - DNAScan]
ClamAV devel-20051108/20051123 found [Worm.Bagle.Gen-9]
DrWeb 4.33/20051123 found [Win32.HLLM.Beagle.9219]
eTrust-Iris 126.96.36.199/20051123 found nothing
eTrust-Vet 188.8.131.52/20051123 found nothing
Fortinet 184.108.40.206/20051123 found [suspicious]
F-Prot 3.16c/20051123 found [security risk named W32/Mitglieder.GH]
Ikarus 0.2.59.0/20051123 found nothing
Kaspersky 220.127.116.11/20051123 found [Trojan-Downloader.Win32.Bagle.f]
McAfee 4634/20051122 found nothing
NOD32v2 1.1299/20051123 found [Win32/Bagle.DR]
Norman 5.70.10/20051123 found [W32/Bagle.FR@mm]
Panda 8.02.00/20051123 found nothing
Sophos 3.99.0/20051123 found nothing
Symantec 8.0/20051122 found nothing
TheHacker 5.9.1.042/20051122 found nothing
VBA32 3.10.5/20051123 found [suspected of Email-Worm.Bagle.22]
It is worth mentioning that if you have banned .exe’s within zip files it should be banned anyway.
It looks as though this is part of a wave of new bagle’s today. I don’t see anything particularly innovative in it’s way of spreading, the email I got was on the catchall account of a domain I monitor. It was to and from non-existent usernames (abc123 was the sending & receiving username) and the subject was “Alice”, signed Anne with an attachment of Bennet.zip. Not much trickery like we’re seeing with the Sober variant’s “you have visited illegal websites” “please review the charges in the attached file” kind of social engineering.
On the Sober.X (or Sober.Y depending on the AV vendor) front… since this time Monday, one mailserver I monitor for a local small business has filtered ~280+ copies of the Sober.y (or sober.x) virus. (I’m including about 6 that were filtered as banned (exe in a zip) between 2 and 3:30PM Monday when clamav updated to recognize the new bug.) In that same span there have been 2-5 phishing emails, 3 or so bagels… and another couple of banned attachements (again, application within a zip file) that may be some of these new bagel variants before clamav had detection.
As always, if you’ve got a network email setup, you might consider installing server antivirus. (Clamav on a linux server has been VERY effective for me.) I keep a few mail connections unfiltered so if/when there’s an outbreak I can actually get a first hand look at the bugs/submit to online scanners, etc… but that’s just me. The big thing that’s impressed me with clamav is the speed of updates. Most days there’s at least one update, some there are 4-6 depending on conditions. Phishing emails are among those that are detected as well. On the main mail server at the house… I use Amavis-new which handles scanning, then passes off emails to spamassassin, and clamav as necessary. (It also can deal with other virus scanners if you want multiple scans of incoming messages.)
Related PostsRelated Posts
- Emailing large files.... There are lot's of ways to get a file from one place to another, emailing is the first that many think of. (For larger files I'll usually just upload to a directory on the website and then email a link...) The problem with email is multiple.... 1)viruses exploit email as......
- Clamav 0.88.4 and prior DoS According to incidents.org a denial of service vulnerability has been noted in all versions of clamav prior to 0.88.4 (inclusive). At incidents last report the download for 0.88.4 was back after disappearing for a while which seemed to indicate a fix, however. I wasn't aware 0.88.4 had been released before......
- More details on php exploit from last week Ok. I have a bit of time that I can sit down and get a little more detailed on what specifically happened late last week that shut the site down for a couple days. At one point, I had updated the ezcontents script for the main site (averyjparker.com), but I......
- Another Bodybuilding Program Offering the Holy Grail? Yeah, it's getting old, right? There's another bodybuilding program that recently launched that is touting "The Holy Grail" -- you know, building muscle and burning body fat simultaneously. Is it true? Can it be done? Of course, anything is possible. But let's weed out those of you (and it will......
- $150 Added to Prosper and Another Listing Cancelled -- Why does it take 4 Days to Transfer Money into Prosper? I now have 2 AA @15% waiting on verification; $50 ready for bidding; and $150 on the way.Â The $150 will take 4 business days to get to Prosper.Â Why so long?Â Here is what Prosper says: Funds transfers Â How long will it take to transfer funds to Prosper?......
- Golf Swing Instruction: The Fundamentals of Approach Shots? Golf swing instruction is the best way of understanding the fundamentals of approach shots. The golf swing instruction manuals help in knowing the kind of approach shot you should try, or the way in which you should hit the ball. Perhaps you want to swing like John Daly? If you......
- Another Massive ID theft ring
- New Sober virus variant coming
- Another beagle virus variant
- FBI / CIA virus