NEWS FROM THE LAB - Thursday, November 30, 2006

It's been a while. Bagle. Posted by Mikko @ 20:08 GMT

We haven't seen new Bagle attacks in a while. The last one – and even that was an isolated one – was exactly a month ago. But now something's up.

Some of the old Bagle update URLs activated tonight, offering a new 188kB executable. This is downloaded and run by machines infected by previous Bagle variants… and it starts to spam out infected attachments with filenames talking about price lists.

The spammed e-mails include a GIF which shows a password needed to decode the ZIP files.

When the e-mail attachment is decoded and run by the user, the worm runs (as a decoy) either Notepad or Registry Editor. Notepad will display a fake error message looking like this:

UTF-8 Decoding Error

This new Bagle also uses an SSDT rootkit to hide its presence on an infected system.

Administrators: You might want to check your firewall logs for suspicious activity to www.bronko-m.ru and bpsbillboards.com… and block future access to them.
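Added example, not from the original post or from F-Secure: a small Python scanner that runs over constructed Squid-style proxy log lines and reports which internal clients contacted the two hosts named above. It matches by registrable domain, so any subdomain of the two counts while look-alike names such as a host merely containing the string do not.

```python
"""Scan proxy log lines for contact with the hosts named in the Bagle.GO post."""
import re
from collections import defaultdict

# Hosts named in the post. Matching is by registrable domain so that
# www.bronko-m.ru, bronko-m.ru and any other subdomain all count.
BAGLE_GO_DOMAINS = ("bronko-m.ru", "bpsbillboards.com")

# Constructed sample lines (not real traffic) in Squid access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1164916800.123 412 10.0.0.17 TCP_MISS/200 192512 GET http://www.bronko-m.ru/ - DIRECT/192.0.2.10 application/octet-stream
1164916801.456 15 10.0.0.42 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1164916803.789 301 10.0.0.17 TCP_MISS/404 512 GET http://bpsbillboards.com/ - DIRECT/192.0.2.11 text/html
1164916805.000 20 10.0.0.99 TCP_MISS/200 9000 GET http://notbpsbillboards.com/ - DIRECT/192.0.2.12 text/html
1164916806.000 20 10.0.0.23 TCP_MISS/200 9000 GET http://cdn.bronko-m.ru/ - DIRECT/192.0.2.13 text/html
"""

_URL_HOST = re.compile(r"^[a-z]+://([^/:\s]+)", re.IGNORECASE)


def host_of(url):
    """Return the lowercase host part of a URL, or None if it has none."""
    m = _URL_HOST.match(url)
    return m.group(1).lower() if m else None


def is_bagle_host(host):
    """True if host equals one of the domains or is a subdomain of one.
    A plain substring test would also flag e.g. notbpsbillboards.com."""
    return any(host == d or host.endswith("." + d) for d in BAGLE_GO_DOMAINS)


def find_suspicious(lines):
    """Map each client IP to the sorted list of flagged hosts it contacted."""
    hits = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed line
        client, url = fields[2], fields[6]
        host = host_of(url)
        if host and is_bagle_host(host):
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    for client, hosts in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(f"{client} contacted {', '.join(hosts)}")
```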

We've added detection of this variant as W32/Bagle.GO.