Just some additional info on WORM_BAGLE.DA.
After the Bagle storm yesterday, we were still receiving reports that new Bagle variants were being seen. So we decided to again download the links found in WORM_BAGLE, TROJ_BAGLE and TROJ_DLOADER. I didn't find a new Bagle variant, although I'm still downloading from the links; what I found out is a completely different thing.
Among the WORM_BAGLE.DA download links, there are 8 download links which connect to a web.php; 2 links were already down while the other 6 were downloaded successfully.
Inside the file web.php are the email addresses used by WORM_BAGLE in its FROM field. This may also be the reason why I couldn't simulate the e-mail propagation of the worm, since I tested it in an environment without an internet connection. Each download link contains a different domain and name.
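As an added example (not part of the original post, and not the worm's or the web.php file's actual format, which the post does not show), the script below assumes the remote sender list is one address per line and checks mail-gateway log lines for messages whose From address appears on that list. All addresses and log lines are constructed placeholders; the point is that a sender list pulled from a remote page is a detection signal that an offline sandbox will never observe.

```python
import re
from collections import Counter

# Constructed sender list in the shape the post describes (addresses the worm
# puts in its FROM field, served from a remote web.php). The one-address-per-line
# format and every address here are assumptions/placeholders, not real data.
SAMPLE_WEB_PHP = """\
# constructed sender list (placeholder data)
alice@example-domain-a.test
billing@example-domain-b.test
support@example-domain-c.test
"""

# Constructed mail-gateway log lines (placeholder data).
SAMPLE_LOG = """\
2005-03-01T10:00:01 from=<alice@example-domain-a.test> to=<user1@corp.test> subject="price"
2005-03-01T10:00:05 from=<newsletter@legit.test> to=<user2@corp.test> subject="weekly"
2005-03-01T10:00:09 from=<SUPPORT@Example-Domain-C.test> to=<user3@corp.test> subject="Re:"
2005-03-01T10:00:12 from=<billing@example-domain-b.test> to=<user4@corp.test> subject="Re: Hello"
"""

# Pulls the sender address out of a log line of the constructed format above.
FROM_RE = re.compile(r"from=<([^>]+)>")


def parse_sender_list(text):
    """Return the set of lower-cased addresses from a web.php-style list,
    skipping blank lines and '#' comments."""
    senders = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        senders.add(line.lower())
    return senders


def find_spoofed(log_text, senders):
    """Return the log lines whose From address is on the spoofed-sender list.
    Matching is case-insensitive because mail addresses are compared that way
    in practice (see the mixed-case line in the sample log)."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m and m.group(1).lower() in senders:
            hits.append(line)
    return hits


def domain_counts(hits):
    """Count flagged messages per sender domain, useful for spotting which of
    the spoofed domains is being used most against a given mail gateway."""
    counts = Counter()
    for line in hits:
        address = FROM_RE.search(line).group(1).lower()
        counts[address.rsplit("@", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    senders = parse_sender_list(SAMPLE_WEB_PHP)
    hits = find_spoofed(SAMPLE_LOG, senders)
    for line in hits:
        print("flagged:", line)
    print(domain_counts(hits))
```

A From-header match on its own is a weak signal, since the addresses are spoofed and may belong to legitimate senders; it is best used to prioritise messages for attachment inspection rather than to block outright.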
On one web.php:
and on another:
yet on another: