NEWS FROM THE LAB - Wednesday, June 1, 2005

May-June portion of Bagles
Posted by Ceco @ 00:33 GMT

The number of new Bagle-related downloader variants (aka Mitglieder) that we monitor has grown to 8 in the past few hours. The downloaders are very similar. When run, they all drop a DLL (named WIWSHOST.EXE; more information here: Bagle.BO) and inject it into the Explorer.EXE address space. The dropped DLLs fall into two groups. The difference between the two groups is a slightly changed set of URLs that they use to download additional malware. Some variants are currently under analysis and updates will be provided shortly.

We continue to monitor this development and updates will be provided promptly. Thus, do not be surprised if you see databases ending in _08.