Just a while back, we received more than 1000 spammed emails with zipped attachments within an hour. The attachment is a sample of the infamous Bagle trojan, which is detected as TROJ_BAGLE.CD. This malware drops "anti_troj.exe" in the %system% directory and then creates a registry entry so that the malware is executed at system startup.
Click the following link for the email details: TROJ_BAGLE.CD
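The startup entry described above is the persistence indicator a responder would check for first. The script below is an added example, not code from the original post or from the vendor: it parses the text of a `reg export` of the Run/RunOnce keys and flags any entry whose command line points at a watchlisted file name (here `anti_troj.exe`, from the post), plus any other executable launched from the system directory that is not on a small allowlist. The `.reg` text, the value name used for the entry, the `%system%` paths and the allowlist are all constructed assumptions for the example.

```python
"""Triage a .reg export of the Run/RunOnce keys for the Bagle startup entry.

Added example (not from the original post). It reads the plain-text format
written by `reg export` and reports Run values that reference a watchlisted
file name or an unexpected executable in the system directory.
"""
import ntpath
import re

WATCHLIST = {"anti_troj.exe"}            # dropped file name taken from the post
# Assumed %system% locations (constructed for the example).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Constructed allowlist of legitimate system-directory Run entries.
KNOWN_GOOD = {"ctfmon.exe"}

RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\(.*\\Windows\\CurrentVersion\\Run(Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Constructed sample of `reg export` output; the value name "anti_troj.exe"
# is an assumption, the post only names the dropped file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"anti_troj.exe"="C:\\WINDOWS\\System32\\anti_troj.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def unescape_reg_string(data):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"', left to right."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_entries(reg_text):
    """Return (hive, key, value_name, command_line) for string values under Run keys."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = (m.group(1), m.group(2))
            continue
        if line.startswith("["):
            current_key = None              # some key we do not care about
            continue
        if current_key is None or not line:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue                        # hex()/dword values are not command lines
        entries.append((current_key[0], current_key[1],
                        v.group("name"), unescape_reg_string(v.group("data"))))
    return entries


def image_path(command):
    """Extract the executable path: a quoted path, or else the first token.

    Unquoted paths containing spaces are ambiguous on Windows too; this keeps
    the first token, which is enough for the triage shown here.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_entries(entries):
    """Flag watchlisted file names and unknown executables run from %system%."""
    hits = []
    for hive, key, name, command in entries:
        path = image_path(command)
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if base in WATCHLIST:
            reason = "watchlist"
        elif directory in SYSTEM_DIRS and base not in KNOWN_GOOD:
            reason = "unexpected system-directory executable"
        else:
            continue
        hits.append({"hive": hive, "key": key, "name": name,
                     "image": path, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(parse_run_entries(SAMPLE_REG)):
        print(f"{hit['reason']}: {hit['hive']}\\{hit['key']} "
              f"{hit['name']!r} -> {hit['image']}")
```

On a live host the same functions can be pointed at the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent); keeping the allowlist separate from the watchlist makes it easy to add the second-wave samples the post mentions without touching the parser.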
Update (JoneZ, 16 December 2005 03:15:35)
After merely 5 hours, we received another wave of the Bagle trojan. The attachments have similar behavior but differ in MD5 hash. The filename of the unzipped attachment also differs: the first sample is S3700020.exe, while the second is DSC00017.exe.
Update (JoneZ, 16 December 2005 05:05:14)
We already have a sample of the possible worm component of these TROJ_BAGLE variants. The sample has already been forwarded to the Service Team for processing.
Update (JoneZ, 16 December 2005 06:59:36)
The VR for TROJ_BAGLE.CD is already posted here, and the worm component will be detected as WORM_BAGLE.CD.