"Updated kernel packages available for Red Hat Enterprise Linux 3"
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue."
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CAN-2004-0001
Bagel AV Vendor Summary
Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" source are once again causing needless congestion (see SOBIG issues). Because the worm forges the "From:" address, these notifications go to uninvolved third parties rather than to the infected host. Offenders should consider changing this configuration.
Three write-ups specify that the worm's email will have an attachment of "Length: 15,872 bytes", and one write-up says the attachment name has "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."
After infection and initiation of its email routine, AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."
The Trojan Retrieval Routine consists of:
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
In the AV vendor write-ups so far, the worm's hardcoded URLs have not had 1.php available, so the request is expected to fail; the attempt itself is still a useful indicator of an infected host.
One Vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."
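The indicators above (attachment size and name pattern, the listening port, and the 1.php check-in request) are enough to write a simple triage check. The following is an added example, not code from the ISC or any AV vendor; the proxy log lines and the netstat output it scans are constructed for illustration, and the assumption that the client address is the first field of each log line and that the "id" value contains no whitespace, quote or "&" is mine, since the write-ups do not describe the id format.

```python
import re

# Indicators taken from the AV write-ups summarised above.
ATTACHMENT_SIZE = 15872                               # "Length: 15,872 bytes"
ATTACHMENT_NAME = re.compile(r"^[a-z]{3,11}\.exe$")   # 3-11 lowercase chars, .exe
LISTEN_PORT = 6777                                    # backdoor listener
# "GET /1.php?p=6777&id=<uid>"; id character set is an assumption (anything
# that is not whitespace, a quote or "&").
CHECKIN = re.compile(r'GET\s+/1\.php\?p=6777&id=([^\s&"]+)')


def attachment_matches(name: str, size: int) -> bool:
    """True if an attachment name/size pair matches the write-ups' description."""
    return size == ATTACHMENT_SIZE and ATTACHMENT_NAME.match(name) is not None


def find_checkins(log_lines):
    """Return (client, id) for each proxy log line carrying the 1.php check-in.

    A 404 from the remote site still counts: the page notes the hardcoded
    URLs have not had 1.php available, but the request shows the host is
    infected regardless of the response.
    """
    hits = []
    for line in log_lines:
        m = CHECKIN.search(line)
        if m:
            client = line.split()[0]   # assumption: client address is first field
            hits.append((client, m.group(1)))
    return hits


def listening_on(netstat_lines, port=LISTEN_PORT):
    """Return local addresses from Windows 'netstat -an' output that are
    TCP listeners on the given port."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]
        if local.rsplit(":", 1)[-1] == str(port):
            found.append(local)
    return found


# Constructed sample data (not real captures).
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [19/Jan/2004:10:02:11 +0000] "GET /1.php?p=6777&id=3cd8a1 HTTP/1.1" 404 0',
    '10.0.0.9 - - [19/Jan/2004:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1533',
    '10.0.0.5 - - [19/Jan/2004:10:07:40 +0000] "GET /1.php?p=6777&id=3cd8a1 HTTP/1.1" 404 0',
]

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1052      192.168.1.1:80         ESTABLISHED
""".strip().splitlines()


if __name__ == "__main__":
    print("attachment kfhqwe.exe/15872:", attachment_matches("kfhqwe.exe", 15872))
    print("check-ins seen:", find_checkins(SAMPLE_PROXY_LOG))
    print("listeners on 6777:", listening_on(SAMPLE_NETSTAT))
```

Run it against your own proxy logs and a `netstat -an` capture from a suspect host; a client that shows up in `find_checkins` is worth isolating even though the remote 1.php is missing, and the attachment check is only a first filter, since any 15,872-byte executable with a short lowercase name will match it.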
Jan 19th 2004