Only two days have passed since the last Bagle attack, which was actually the reason one of our teammates was not able to join our dinner last time. This Bagle has been flooding our honeypot with 154 samples in less than 15 minutes. The sample is now being handled by the Service Team. Meanwhile, we had better be ready for a possible 2nd wave.
For some details you can check the Advisories page.
Update (JoneZ, 23 December 2005 01:33:10)
We were right about the second wave. After almost an hour, we received another file with a different md5 hash from the first sample. The executable file extracted from the first sample has the filename DFC00027.exe, while the second sample has DFC00213.exe. This sample is already being processed by the Service Team. BTW, the detection for this Bagle is TROJ_BAGLE.GP.
Update (JoneZ, 23 December 2005 02:44:58)
Hmmmmm… Least expected, we have a third sample! This third sample has the filename DFC00232.exe. Rest assured we’ll be on the lookout for a fourth sample.
Update (JJ, 23 December 2005 02:52:57)
And as JoneZ was finishing the last update, the 4th wave just came in. This time the filename is 1FC02132.exe, with an md5 of 0af4de42a046bd29b53e1005bcd0e623. JoneZ is currently updating the Advisories section to reflect the number of this new sample.
Update (Zobel, 23 December 2005 03:23:39)
You may now view the virus report for TROJ_BAGLE.GP for technical details.
Update (Zobel, 23 December 2005 03:39:26)
Just when we thought it was over, here comes the 5th sample, with an md5 of ae12547465888b9babc3d9f69d31effa. This time the filename is foto_65.exe, and it is now being handled by the Service Team. This will be detected as TROJ_BAGLE.GR.
Update (Zobel, 23 December 2005 05:09:47)
Here comes the 6th sample, with the filename foto_4265.exe and an md5 of fa83c7a43fd497b8af96b69f4d12cd1d. It is now detected as TROJ_BAGLE.GR.
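The triage logic behind the updates above (a "new wave" is a file whose content hash has not been seen before, regardless of the filename it arrives under; a hash already mapped to a detection name needs no new processing) can be scripted so that a flood of honeypot submissions is reduced to a short list of distinct samples. The following is an added example, not code from the original post or from the Service Team; the sample records and their contents are constructed here for illustration and do not reproduce the real files, and the detection mapping for the first variant is an assumption used only to show how known samples are filtered out. Waves are keyed on SHA-256 rather than md5 because md5 collisions are practical, while the md5 is still recorded because that is what advisories of this era list.

```python
import hashlib
from collections import OrderedDict
from datetime import datetime

# Constructed honeypot records: (arrival time, filename, file content).
# These are placeholders, not the actual Bagle samples from the post.
VARIANT_A = b"MZ\x90\x00 constructed variant A"
VARIANT_B = b"MZ\x90\x00 constructed variant B"
VARIANT_C = b"MZ\x90\x00 constructed variant C"
VARIANT_D = b"MZ\x90\x00 constructed variant D"
VARIANT_E = b"MZ\x90\x00 constructed variant E"
VARIANT_F = b"MZ\x90\x00 constructed variant F"

SAMPLES = [
    ("2005-12-23 00:10:00", "DFC00027.exe", VARIANT_A),
    ("2005-12-23 00:11:00", "DFC00027.exe", VARIANT_A),  # repeat of the first file
    ("2005-12-23 00:12:00", "DFC00027.exe", VARIANT_A),
    ("2005-12-23 00:13:00", "photo.exe",    VARIANT_A),  # same bytes, different name
    ("2005-12-23 01:05:00", "DFC00213.exe", VARIANT_B),
    ("2005-12-23 02:40:00", "DFC00232.exe", VARIANT_C),
    ("2005-12-23 02:50:00", "1FC02132.exe", VARIANT_D),
    ("2005-12-23 03:35:00", "foto_65.exe",  VARIANT_E),
    ("2005-12-23 05:05:00", "foto_4265.exe", VARIANT_F),
]


def digest(data):
    """Return (md5, sha256) hex digests of the file content."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def triage(samples, known_detections=None):
    """Group submissions by content hash and return the distinct waves in
    arrival order. known_detections maps md5 -> detection name for samples
    the Service Team has already processed."""
    known_detections = dict(known_detections or {})
    waves = OrderedDict()  # sha256 -> wave record, insertion order = arrival order
    for ts, name, data in samples:
        md5, sha = digest(data)
        if sha not in waves:
            waves[sha] = {
                "sha256": sha,
                "md5": md5,
                "first_seen": ts,
                "names": [],
                "count": 0,
                "detection": known_detections.get(md5),
            }
        wave = waves[sha]
        wave["count"] += 1
        if name not in wave["names"]:
            wave["names"].append(name)
    return list(waves.values())


def pending(waves):
    """Waves with no detection name yet: the ones to hand to the Service Team."""
    return [w for w in waves if w["detection"] is None]


def wave_gaps_minutes(waves):
    """Minutes between the first sighting of each wave and the previous one."""
    fmt = "%Y-%m-%d %H:%M:%S"
    times = [datetime.strptime(w["first_seen"], fmt) for w in waves]
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]


def demo():
    # Assumption for the demo: the first variant is already detected.
    known = {digest(VARIANT_A)[0]: "TROJ_BAGLE.GP"}
    return triage(SAMPLES, known)


if __name__ == "__main__":
    waves = demo()
    for i, w in enumerate(waves, 1):
        print(f"wave {i}: md5={w['md5']} first_seen={w['first_seen']} "
              f"count={w['count']} names={w['names']} detection={w['detection']}")
    print("pending:", len(pending(waves)), "gaps (min):", wave_gaps_minutes(waves))
```

Run on the constructed records this collapses nine submissions into six waves: the four copies of the first variant (two filenames) form one wave that is already covered by a detection, and the remaining five are the ones still to be processed. On a live honeypot the same loop would run over the files as they land, with `known_detections` refreshed from the advisory list.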