NEWS FROM THE LAB - Monday, November 1, 2004

Some Bagle download sites becoming active
Posted by Mikko @ 07:51 GMT

Bagle's sites
The latest Bagle variant, like most of the recent variants, contains a long list of web addresses. Infected machines periodically go through this list and try to download and run a program from there.

The latest site list contains 168 different web sites, located all over the world. We believe many of these sites are actually not hacked or otherwise controlled by the virus writers, but are just put in there as camouflage.

We've been checking the contents of the URLs over the weekend. They were all returning "404" until last night, when two of them became active. We're now trying to get the two sites shut down and are analysing exactly what the program posted there does.

If you're a sysadmin and would like to filter access to these sites from your network, the domains in question were www.vbw.info and www.esperanzaparalafamilia.com.
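As an added example (not part of the original post or of F-Secure's tooling), the script below does the two things a sysadmin would want with that list: it turns the named domains into a Squid ACL that denies access to them, and it scans a proxy access log for clients that have already tried to reach them. The log format is assumed to be Squid's native access.log layout, the sample lines are constructed here (client addresses, timestamps and paths are invented), and the blocklist holds only the two hostnames the post names; anything beyond that is an assumption.

```python
"""Block and detect contact with the Bagle download sites named in the post.

Added example, not from the F-Secure post. Assumes a Squid-style access log
(time elapsed client action/code bytes method URL ...). The blocklist holds
the two hostnames the post names; the log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames named in the post. Extend as further sites go live.
BAGLE_SITES = ("www.vbw.info", "www.esperanzaparalafamilia.com")

# Squid native access.log: time elapsed client action/code bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def squid_acl(blocklist=BAGLE_SITES, name="bagle_sites"):
    """Return squid.conf lines that deny requests to the listed hostnames."""
    return [
        "acl %s dstdomain %s" % (name, " ".join(blocklist)),
        "http_access deny %s" % name,
    ]


def is_blocklisted(host, blocklist=BAGLE_SITES):
    """True if host is a listed site or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in blocklist)


def scan_log(lines, blocklist=BAGLE_SITES):
    """Return {client: [(timestamp, url, action/code), ...]} for blocklisted URLs."""
    hits = defaultdict(list)
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        host = urlsplit(m["url"]).hostname
        if host and is_blocklisted(host, blocklist):
            hits[m["client"]].append((m["ts"], m["url"], m["action"]))
    return dict(hits)


def summarize(hits):
    """Per client: number of polls and whether any fetch returned 2xx.

    A 404 still means the client is infected and polling the list (the post
    notes all sites returned 404 until two went live); a 2xx means the payload
    may actually have been downloaded and run, so that host gets priority.
    """
    summary = {}
    for client, reqs in hits.items():
        codes = [action.rsplit("/", 1)[-1] for _, _, action in reqs]
        summary[client] = {
            "requests": len(reqs),
            "downloaded": any(c.startswith("2") for c in codes),
        }
    return summary


# Constructed sample log: addresses, timestamps and paths are invented.
SAMPLE_LOG = """\
1099295400.123    210 10.0.3.17 TCP_MISS/404 512 GET http://www.vbw.info/example.bin - DIRECT/192.0.2.10 text/html
1099295401.456    180 10.0.3.17 TCP_MISS/200 33280 GET http://www.esperanzaparalafamilia.com/example.bin - DIRECT/192.0.2.20 application/octet-stream
1099295402.789     90 10.0.3.42 TCP_HIT/200 4096 GET http://www.example.org/index.html - NONE/- text/html
1099295403.000    150 10.0.3.17 TCP_DENIED/403 0 GET http://www.esperanzaparalafamilia.com/example.bin - NONE/- text/html
this line is deliberately malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    print("\n".join(squid_acl()))
    for client, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(client, info)
```

Whether to deny only the exact hostnames the post gives or the whole registered domains (a leading dot in a Squid dstdomain entry matches subdomains too) is a local policy choice; the ACL above sticks to the names as published.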