NEWS FROM THE LAB - Saturday, March 13, 2004

More on Bagle.N
Posted by Mikko @ 22:30 GMT

This new Bagle has new features, and it seems to be spreading surprisingly fast for an email worm first found during a weekend.

Once again it sends itself in varying emails as a PIF or EXE attachment.

The icon for the EXE resembles the icon for a Windows TrueType font.


This time the executable can be packed inside a ZIP or RAR archive, which can be encrypted with a password. The password can be shown as a BMP/GIF/JPG image, like this:

Password: [image showing the password]

This is of course an attempt to make the work of gateway-based scanners harder (after we and many other vendors started detecting password-protected ZIP files sent by previous Bagles).
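A gateway-side check for the evasion described above, as an added example that is not from the original post: it reads the flag bit that marks a ZIP member as encrypted, plus the member names, which ZIP leaves in cleartext. It covers ZIP only, not RAR; the function names and the quarantine policy are assumptions.

```python
import io
import struct
import zipfile

EXECUTABLE_EXTS = (".exe", ".pif")  # attachment types named in the post
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general purpose bit flag


def inspect_zip(data: bytes) -> list:
    """Return (name, encrypted, executable) for every member of a ZIP.

    Member names sit in unencrypted headers, so they stay readable even
    when the member data is password-protected.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            executable = info.filename.lower().endswith(EXECUTABLE_EXTS)
            findings.append((info.filename, encrypted, executable))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Assumed policy: hold a ZIP that has an encrypted executable member
    (content scanning cannot open it) or that cannot be parsed at all."""
    try:
        return any(enc and exe for _, enc, exe in inspect_zip(data))
    except zipfile.BadZipFile:
        return True


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed sample: a one-member ZIP with harmless content. When
    `encrypted` is set, only the flag bit is flipped in both headers;
    nothing is really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"harmless placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The end-of-central-directory record is the last 22 bytes (no
        # archive comment); the central directory offset is at +16.
        central = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]
        for offset in (6, central + 8):  # local and central flag fields
            flags = struct.unpack_from("<H", raw, offset)[0]
            struct.pack_into("<H", raw, offset, flags | ENCRYPTED_FLAG)
    return bytes(raw)
```
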

Interestingly, underneath the packing and encryption, there's an ASCII graphic picture...of a butterfly. Along with some texts we won't be repeating here.