Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary

Published: 2004-01-19
Last Updated: 2004-01-19 19:04:49 UTC
by Patrick Nolan (Version: 1)
"Updated kernel packages available for Red Hat Enterprise Linux 3"

Advisory: RHSA-2004:017-06
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0001 to this issue."

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs: CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways that intercept this worm and are configured to "Autoreply" to the spoofed "From:" address are once again causing needless congestion (see the SOBIG issues). Offenders should consider changing this configuration.

Three write-ups specify that the worm's email will have an attachment of "Length: 15,872 bytes", and one write-up says it has "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine, AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In the AV vendor write-ups so far, the worm's hardcoded URLs have not had 1.php available.
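The indicators above (the 1.php retrieval request with its p=6777 parameter and beagle_beagle User-Agent, and the attachment size and name pattern) are enough to write a simple matcher for outbound web logs and mail gateway metadata. The following is an added example written for this diary, not worm code and not from any AV vendor; the request samples, the host name and the id value 12345 are constructed.

```python
# Added detection example: flag HTTP requests matching the Bagel retrieval routine
# and attachments matching the write-ups' size/name fingerprint. Inputs are constructed.
import re
from urllib.parse import urlsplit, parse_qs

BAGEL_PORT = 6777                 # listener port reported by the AV write-ups
BAGEL_USER_AGENT = "beagle_beagle"
BAGEL_ATTACHMENT_SIZE = 15872     # "Length: 15,872 bytes"
ATTACHMENT_NAME_RE = re.compile(r"^[a-z]{3,11}\.exe$")  # 3-11 lowercase chars + .exe

def parse_http_request(raw: str):
    """Split a raw HTTP request into (METHOD, target, lowercase-name header dict)."""
    lines = raw.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        return None, None, {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def bagel_beacon_id(raw: str):
    """Return the 'id' value if the request is a Bagel retrieval beacon, else None."""
    method, target, headers = parse_http_request(raw)
    if method != "GET":
        return None
    url = urlsplit(target)                 # works for both "/1.php?..." and absolute URLs
    qs = parse_qs(url.query)
    if url.path != "/1.php" or qs.get("p") != [str(BAGEL_PORT)] or "id" not in qs:
        return None
    if headers.get("user-agent") != BAGEL_USER_AGENT:
        return None
    return qs["id"][0]

def is_bagel_attachment(filename: str, size: int) -> bool:
    """Match the attachment fingerprint: exact size and a random-lowercase .exe name."""
    return size == BAGEL_ATTACHMENT_SIZE and ATTACHMENT_NAME_RE.match(filename) is not None

def find_beacons(requests):
    """Return the beacon ids found in a batch of raw requests (one per infected host)."""
    return [i for i in (bagel_beacon_id(r) for r in requests) if i is not None]

# Constructed sample traffic: one beacon, one ordinary request.
SAMPLE_REQUESTS = [
    "GET /1.php?p=6777&id=12345 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: beagle_beagle\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n",
]

if __name__ == "__main__":
    print(find_beacons(SAMPLE_REQUESTS))              # ['12345']
    print(is_bagel_attachment("qwerty.exe", 15872))   # True
```

Feed the matcher raw requests captured at a proxy, or adapt parse_http_request to your gateway's log format; a hit from a host on port 6777 beacons is a strong sign that host is infected, whether or not 1.php was ever served.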

One vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."

Patrick Nolan