[ale] (fwd) Is this a trojan/worm?

Chris Ricker kaboom at gatech.edu
Fri Mar 5 11:22:10 EST 2004


On Fri, 5 Mar 2004 tfreeman at intel.digichem.net wrote:

> 
> Well this showed up in the mail spool this morning. It is obvious social 
> engineering here, as I run this domain, but I'm unsure what these turkeys 
> are trying to do. Pine didn't bring all the headers forward, but I can get 
> them to you if you want it.
> 
> Anybody recognize this garbage??

It's a W32.Bagle@MM (sometimes spelled Beagle) Windows email / Windows user
exploit. It's stored in a password-protected zip file attached to an email
which contains the password in the email body. There are enough clueless
users that read the password, unzip the attachment, and execute the
attachment that it's spreading very well.

Because the zip is password-encrypted, it eludes some email virus scanners.
You can filter it pretty easily using body_checks if you like, or you can
patch amavis-new easily to read the password, unzip the attachment, and 
then run whatever virus scanner you have hooked into amavis over it....

later,
chris
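As an added example (not code from this list post, nor from amavis-new or any scanner), here is the check Chris describes, in Python: take password candidates from the message body, try them on each encrypted member of the attached zip, and hand back the decrypted bytes so the usual virus scanner can be run over them. The ZipCrypto writer and the Bagle-style message are constructed only to make the sample self-contained; the regex, file names, password and executable-extension list are assumptions.

```python
import contextlib, email.policy, io, re, struct, zipfile, zlib
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")
# Any short alphanumeric token that follows the word "password" in the body is a candidate.
PWD_RE = re.compile(r"password[^\w]{0,8}(?:is)?[\s:]*([A-Za-z0-9]{3,12})", re.I)

def _upd(keys, b):
    # One ZipCrypto key-schedule step (PKWARE APPNOTE), written with zlib's CRC table.
    keys[0] = zlib.crc32(bytes([b]), keys[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = zlib.crc32(bytes([keys[1] >> 24]), keys[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def make_encrypted_zip(name, plain, pwd):
    # Constructed sample input only: one STORED, ZipCrypto-encrypted member (zipfile reads these, cannot write them).
    crc, keys, enc = zlib.crc32(plain), [0x12345678, 0x23456789, 0x34567890], bytearray()
    for b in pwd:
        _upd(keys, b)
    for b in bytes(11) + bytes([crc >> 24]) + plain:  # 12-byte check header, then the file data
        t = keys[2] | 2
        enc.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        _upd(keys, b)
    nb = name.encode()
    lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x3065, crc, len(enc), len(plain), len(nb), 0) + nb
    cd = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x3065, crc, len(enc), len(plain), len(nb), 0, 0, 0, 0, 0, 0) + nb
    return lh + bytes(enc) + cd + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cd), len(lh) + len(enc), 0)

def build_sample_message(pwd=b"29517"):
    # Constructed Bagle-style lure: the zip password is stated in the body and an .exe sits inside the zip.
    msg = EmailMessage()
    msg.set_content("For security reasons attached file is password protected.\nThe password is %s\n" % pwd.decode())
    msg.add_attachment(make_encrypted_zip("Details.exe", b"MZ-sample-not-a-real-binary", pwd),
                       maintype="application", subtype="zip", filename="Details.zip")
    return msg.as_bytes()

def inspect_message(raw):
    # The amavis-style check: try the body's password candidates on each encrypted zip member; the
    # decrypted bytes returned here are what the normal virus scanner would then be run over.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    candidates = PWD_RE.findall(msg.get_body(preferencelist=("plain",)).get_content())
    report = {"candidates": candidates, "opened_with": None, "contents": {}, "suspicious": False}
    for part in filter(lambda p: (p.get_filename() or "").lower().endswith(".zip"), msg.iter_attachments()):
        zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        for info in zf.infolist():
            report["suspicious"] |= info.filename.lower().endswith(EXEC_EXT)  # the name alone is a signal
            for pw in (candidates if info.flag_bits & 0x1 else []):  # unencrypted members the AV sees anyway
                with contextlib.suppress(RuntimeError, zipfile.BadZipFile):  # wrong password or bad CRC
                    report["contents"][info.filename] = zf.read(info, pwd=pw.encode())
                    report["opened_with"] = pw
                    break
    return report
```

Every word near "password" is tried, so the filter does not depend on the exact wording of the lure; a zip that opens with none of them is simply reported as still locked (no `contents` entry).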

