Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Hi (fwd)

  • From: Thor Larholm
  • Date: Thu Mar 18 18:16:03 2004

> From: Matthew Sullivan [mailto:matthew@sorbs.net] 
> It's another variant of Bagle...
> 
> My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt 
> - since then Symantec has released its more detailed explanation 
> under the headings for Bagle.r and Bagle.s

This variant tries to exploit the object data vulnerability in IE that
has long since been patched. You can also protect against this
vulnerability, and any possible future variants, by locking down the My
Computer zone. I detailed this in

http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/2

Those steps are also implemented as one of many fixes in Qwik-Fix
(www.qwik-fix.net).

The worm is dead now but managed to spread quite a bit before AV vendors
had updated signatures. We have to start migrating away from reactive
security and focus more on proactive security solutions. The Bizex worm
was a good example of this, infecting 50,000 machines in 3 hours and
disabling itself before any AV vendors had signatures for it.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 
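The "My Computer" zone lockdown that the message points to, as an added example that is not part of the original post and is not PivX or Qwik-Fix code: a PowerShell script that audits and then applies restrictive URL-action settings for Internet Explorer zone 0. The registry path, the zone number and the URL-action codes are IE's documented security-zone layout; which actions to disable, the Flags handling and the function names are this example's own choices (assumptions), not necessarily the exact steps from the SecurityFocus post linked above.

```powershell
# Added example, not code from the original NANOG post or from PivX/Qwik-Fix.
# Locks down the Internet Explorer "My Computer" zone (zone 0), the mitigation
# the message refers to. Registry path and URL-action codes follow IE's
# documented zone layout; the set of actions disabled below is this example's
# choice (an assumption), not the exact list from the linked SecurityFocus post.

$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$MyComputer = Join-Path $ZoneRoot '0'   # zone 0 = My Computer (Local Machine)

# URL-action code -> description and target value. IE values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Lockdown = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                       Target = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                     Target = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                      Target = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe'; Target = 3 }
    '1400' = @{ Name = 'Active scripting';                                       Target = 3 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';              Target = 3 }
}

# Flags bit 0x20 hides the zone from the Internet Options dialog (zone 0 ships with 0x21).
$HiddenFlag = 0x20

function Get-MyComputerZoneState {
    # Report current vs. target for every action in $Lockdown. A value that is
    # not set means "zone default", which for My Computer is effectively Enable.
    $props = Get-ItemProperty -Path $MyComputer -ErrorAction SilentlyContinue
    foreach ($code in $Lockdown.Keys) {
        $current = if ($props -and $null -ne $props.$code) { [int]$props.$code } else { $null }
        [pscustomobject]@{
            Code      = $code
            Setting   = $Lockdown[$code].Name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Target    = $Lockdown[$code].Target
            Compliant = ($current -eq $Lockdown[$code].Target)
        }
    }
    if ($props -and $null -ne $props.Flags) {
        [pscustomobject]@{
            Code      = 'Flags'
            Setting   = 'Zone hidden from Internet Options UI'
            Current   = [bool]($props.Flags -band $HiddenFlag)
            Target    = $false
            Compliant = -not ($props.Flags -band $HiddenFlag)
        }
    }
}

function Invoke-MyComputerZoneLockdown {
    # Apply the targets; supports -WhatIf / -Confirm via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Unhide)   # also clear the 0x20 bit so the zone shows in the UI

    if (-not (Test-Path $MyComputer)) { New-Item -Path $MyComputer -Force | Out-Null }

    foreach ($code in $Lockdown.Keys) {
        $entry = $Lockdown[$code]
        if ($PSCmdlet.ShouldProcess("$MyComputer\$code ($($entry.Name))", "set to $($entry.Target)")) {
            Set-ItemProperty -Path $MyComputer -Name $code -Value $entry.Target -Type DWord
        }
    }

    if ($Unhide) {
        $flags = (Get-ItemProperty -Path $MyComputer -Name Flags -ErrorAction SilentlyContinue).Flags
        if ($null -ne $flags -and ($flags -band $HiddenFlag)) {
            $new = $flags -band (-bnot $HiddenFlag)
            if ($PSCmdlet.ShouldProcess("$MyComputer\Flags", "clear 0x20 ($flags -> $new)")) {
                Set-ItemProperty -Path $MyComputer -Name Flags -Value $new -Type DWord
            }
        }
    }
}

# Usage: audit first, dry-run, then apply.
Get-MyComputerZoneState | Format-Table -AutoSize
Invoke-MyComputerZoneLockdown -Unhide -WhatIf
# Invoke-MyComputerZoneLockdown -Unhide
```

Run it as the affected user: IE reads zone settings from HKCU unless the Security_HKLM_only value is set, in which case the same keys under HKLM:\ apply machine-wide. Disabling active scripting and ActiveX in zone 0 also breaks local HTML content that depends on them (locally saved pages, HTAs opened from disk), which is why the script audits and dry-runs before it writes anything.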



