NEWS FROM THE LAB - Tuesday, August 31, 2004

More details on Bagle.AK Posted by Alexey @ 21:48 GMT

The e-mail that Bagle.AK was spammed in contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper: it drops and activates a DLL file that kills the processes belonging to the update components of several anti-virus programs.

After this it tries to connect to 131 different websites and to download a file named B.JPG from them. The URLs are hardcoded in the program's body. So far we have not been able to get the contents of that file for investigation. The sites are either down or the file is simply not there.
The sites