LinuxQuestions.org
Old 08-29-2010, 06:41 PM   #1
kaz2100
Where is Worm.Bagle.AT?


Hya,

The other day, I downloaded a mail archive (text file, almost 150000 lines).

When it was scanned by clamscan,
Code:
cat suspicious_file | clamscan -
stdin: Worm.Bagle.AT FOUND
Worm.Bagle.AT shows up.

Web search says that Worm.Bagle comes as mail attachment.

So, I tried to identify where worm is.

Step 1. Split into small files.
Code:
 split -l 10000 suspicious_file
Step 2. Find which part the worm resides in.
Code:
 clamscan xa*
xaa:OK
.
           (many lines)

----------- SCAN SUMMARY -----------
Known viruses: 820141
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 15
Infected files: 0
Data scanned: 13.10 MB
Data read: 5.26 MB (ratio 2.49:1)
Time: 36.063 sec (0 m 36 s)
Then the worm is gone. ???

I thought that the worm was cut by the split command, so I used different fraction sizes, but the result was the same.

I am totally lost.

Can anybody please explain this situation?

Last edited by kaz2100; 08-29-2010 at 06:47 PM. Reason: clean up
 
Old 08-29-2010, 08:14 PM   #2
14moose
Hi -

The worm was probably never a threat to your Linux system.

It's carried in the payload of your e-mail, which is in the MIME attachment. MIME is uuencoded; the payload is some files which are in turn encoded in a .zip file.

You can get details about a similar worm here:
http://www.cromwell-intl.com/securit...e/bagel.z.html

Hope that helps
 
Old 08-30-2010, 05:32 AM   #3
Luckily
Bagle.A is a worm without destructive effects that spreads via e-mail in a message with the subject Hi and an attached file with a name that consists of several random characters and has an EXE extension. Bagle.A attempts to connect to several web pages through port 6777, in order to update itself and make an inventory of the affected users. However, these web pages have been disabled. In addition, it has code that allows it to download files from the Internet and run them on the affected computer. So do not hesitate to remove it from your computer!
Maybe you can get some help here: http://www.instantspywareremoval.com
 
Old 09-06-2010, 12:06 AM   #4
kaz2100
Original Poster
Hya,

Thank you for your replies.

The reason clamscan did not detect the worm in the fragmented files might be:
fragmented files do not look like a mail archive (they do not start with a From line).

I cut that archive into 2300+ pieces at every "From ..." line; now I know where the worm resides in that archive, and it has been exterminated.

Happy Penguins!
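A script for the approach in the last post: split the archive at every "From " envelope line so each piece stays a complete message that clamscan can still parse as mail, and list the attachments each message carries so the suspect one can be located. This is an added example, not the poster's script; the two-message mbox inside it is constructed, and the names `split_mbox`, `attachments` and `SAMPLE_MBOX` are my own.

```python
import base64
import email
import hashlib
from email import policy

def split_mbox(data: bytes) -> list[bytes]:
    """Split raw mbox bytes at "From " envelope lines, keeping each message whole."""
    messages, current = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From ") and current:   # new envelope: flush previous message
            messages.append(b"".join(current))
            current = []
        current.append(line)
    if current:
        messages.append(b"".join(current))
    return messages

def attachments(raw_message: bytes) -> list[tuple[str, int, str]]:
    """Return (filename, decoded size, sha256) for each attachment in one message."""
    if raw_message.startswith(b"From "):            # envelope line is not an RFC 822 header
        raw_message = raw_message.partition(b"\n")[2]
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name:                                    # only parts that carry a file
            payload = part.get_payload(decode=True) or b""   # base64 is decoded here
            found.append((name, len(payload), hashlib.sha256(payload).hexdigest()))
    return found

# Constructed two-message mbox (not real mail): only the second carries a base64 attachment.
_B64 = base64.b64encode(b"not a real zip")
SAMPLE_MBOX = (
    b"From alice@example.test Sun Aug 29 18:41:00 2010\n"
    b"From: alice@example.test\nSubject: hello\n\nplain text, nothing attached\n\n"
    b"From mallory@example.test Sun Aug 29 18:42:00 2010\n"
    b"From: mallory@example.test\nSubject: Hi\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
    b'see attached\n--b1\nContent-Type: application/zip; name="file.zip"\n'
    b'Content-Disposition: attachment; filename="file.zip"\n'
    b"Content-Transfer-Encoding: base64\n\n" + _B64 + b"\n--b1--\n"
)

if __name__ == "__main__":
    for i, m in enumerate(split_mbox(SAMPLE_MBOX)):
        print(f"message {i}: {attachments(m)}")
```

Writing each returned message to its own file and running clamscan over that directory makes the scanner name the offending message, which a `split -l` fragment cannot do because a piece that does not begin with its From line is not parsed as mail.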
Tags
clamav, worm