Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Classic

New Beagle/Bagle variant?

So, I submitted the suspicious attachment I received to virustotal (scan@virustotal.com with SCAN in the subject and suspicious file as attachment.) What follows below is the report I received. It lo…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

So, I submitted the suspicious attachment I received to virustotal (scan@virustotal.com with SCAN in the subject and suspicious file as attachment.) What follows below is the report I received. It looks like some of the big names (Symantec, McAfee are not finding anything wrong with it at this point, with the hodge-podge of names it will take me a bit to investigate and see if the other vendors are tagging it as new.)



Anyway here was my reply from virustotal...



Virus Total

_______________________________________________



Scan results

File: Bennet.zip

Date: 11/23/2005 17:47:52 (CET)

----

AntiVir 6.32.0.6/20051123 found

Avast 4.6.695.0/20051123 found

AVG 718/20051123 found

Avira 6.32.0.6/20051123 found

BitDefender 7.2/20051123 found

CAT-QuickHeal 8.00/20051123 found [(Suspicious) - DNAScan]

ClamAV devel-20051108/20051123 found

DrWeb 4.33/20051123 found

eTrust-Iris 7.1.194.0/20051123 found nothing

eTrust-Vet 11.9.1.0/20051123 found nothing

Fortinet 2.48.0.0/20051123 found

F-Prot 3.16c/20051123 found

Ikarus 0.2.59.0/20051123 found nothing

Kaspersky 4.0.2.24/20051123 found

McAfee 4634/20051122 found nothing

NOD32v2 1.1299/20051123 found

Norman 5.70.10/20051123 found

Panda 8.02.00/20051123 found nothing

Sophos 3.99.0/20051123 found nothing

Symantec 8.0/20051122 found nothing

TheHacker 5.9.1.042/20051122 found nothing

VBA32 3.10.5/20051123 found





It is worth mentioning that if you have banned .exe's within zip files it should be banned anyway.

It looks as though this is part of a wave of new bagle's today. I don't see anything particularly innovative in it's way of spreading, the email I got was on the catchall account of a domain I monitor. It was to and from non-existent usernames (abc123 was the sending & receiving username) and the subject was "Alice", signed Anne with an attachment of Bennet.zip. Not much trickery like we're seeing with the Sober variant's "you have visited illegal websites" "please review the charges in the attached file" kind of social engineering.

On the Sober.X (or Sober.Y depending on the AV vendor) front... since this time Monday, one mailserver I monitor for a local small business has filtered ~280+ copies of the Sober.y (or sober.x) virus. (I'm including about 6 that were filtered as banned (exe in a zip) between 2 and 3:30PM Monday when clamav updated to recognize the new bug.) In that same span there have been 2-5 phishing emails, 3 or so bagels... and another couple of banned attachements (again, application within a zip file) that may be some of these new bagel variants before clamav had detection.

As always, if you've got a network email setup, you might consider installing server antivirus. (Clamav on a linux server has been VERY effective for me.) I keep a few mail connections unfiltered so if/when there's an outbreak I can actually get a first hand look at the bugs/submit to online scanners, etc... but that's just me. The big thing that's impressed me with clamav is the speed of updates. Most days there's at least one update, some there are 4-6 depending on conditions. Phishing emails are among those that are detected as well. On the main mail server at the house... I use Amavis-new which handles scanning, then passes off emails to spamassassin, and clamav as necessary. (It also can deal with other virus scanners if you want multiple scans of incoming messages.)

Incidents.org has some coverage now on this.