Just some additional info on WORM_BAGLE.DA.
After the Bagle storm yesterday, we were still receiving reports that new Bagle variants were being seen. So we decided to download again the links found in WORM_BAGLE, TROJ_BAGLE and TROJ_DLOADER. I didn't find a new Bagle variant, although I'm still downloading from the links; what I did find was a completely different thing.
Among the WORM_BAGLE.DA download links, there are 8 that connect to a web.php; 2 of them were already down, while the other 6 downloaded successfully.
http://{blocked}/web.php
Inside the web.php file are the email addresses used by WORM_BAGLE in its FROM field. This may also be why I couldn't simulate the email propagation of the worm, since I tested it in an environment without an internet connection. Each download link has a different domain and file name.
On one web.php:
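Since the worm's spoofed sender addresses come from these remotely fetched lists, a defender who has captured one web.php can turn it straight into a detection: any outbound mail whose envelope sender appears in the list is almost certainly the worm spamming from an infected host. The script below is an added example and not part of the original post; it assumes the fetched body is plain text with one address per line (the post does not show the file format), the MTA log lines are constructed Postfix-style samples, and the address values are taken from the lists quoted in the post. It also groups addresses by local part, which makes the pattern visible in the post's lists (one local part reused across many alphabetically adjacent domains) easy to spot in a fresh download.

```python
import re
from collections import defaultdict

# Constructed sample of a fetched web.php body. The real file format is not
# shown on the page; "one address per line" is an assumption of this example.
SAMPLE_WEB_PHP = """\
tom@atomate.com
tom@atomco.com
tom@atomcreation.com
shkim301@korea.com
shkim303@ktsolution.co.kr
kathleen@kent.net
kathleen@kenwoodcc.net
"""

# Constructed Postfix-style queue-manager lines; "from=<...>" is the envelope sender.
SAMPLE_LOG = """\
Jan 10 09:12:01 mx postfix/qmgr[1234]: 1A2B3C: from=<tom@atomco.com>, size=18231, nrcpt=1 (queue active)
Jan 10 09:12:05 mx postfix/qmgr[1234]: 4D5E6F: from=<alice@example.org>, size=2210, nrcpt=1 (queue active)
Jan 10 09:12:09 mx postfix/qmgr[1234]: 7A8B9C: from=<kathleen@kent.net>, size=18240, nrcpt=1 (queue active)
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FROM_RE = re.compile(r"(\w+): from=<([^>]+)>")


def parse_sender_list(body):
    """Return the set of addresses in a fetched list, tolerating any PHP/HTML noise around them."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(body)}


def local_part_groups(addresses):
    """Group addresses by local part (sorted domains), exposing the reused-local-part pattern."""
    groups = defaultdict(list)
    for addr in sorted(addresses):
        local, _, domain = addr.partition("@")
        groups[local].append(domain)
    return dict(groups)


def flag_spoofed_senders(log_text, sender_list):
    """Return (queue_id, sender) for every log line whose envelope sender is in the worm's list."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m and m.group(2).lower() in sender_list:
            hits.append((m.group(1), m.group(2).lower()))
    return hits


if __name__ == "__main__":
    senders = parse_sender_list(SAMPLE_WEB_PHP)
    for local, domains in local_part_groups(senders).items():
        print(f"{local}: {len(domains)} domains ({', '.join(domains)})")
    for queue_id, sender in flag_spoofed_senders(SAMPLE_LOG, senders):
        print(f"queue {queue_id}: envelope sender {sender} matches worm sender list")
```

Feeding a real downloaded web.php body and the mail server's queue log into these two functions gives a quick list of queue IDs to pull and hosts to isolate; the regex-based parser is deliberately loose so that PHP tags or HTML wrapped around the addresses do not break extraction.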
- tom@atomate.com
- tom@atomco.com
- tom@atomcreation.com
- tom@atomdigitaldesign.co.uk
- tom@atomic.com.au
- tom@atomic4.com
- tom@atomicamps.com
- tom@atomicblender.com
- tom@atomicdesign.tv
- tom@atomicdesigninc.com
- tom@atomicdog.com
- tom@atomicmarketing.com
- tom@atomicspatula.com
- …
and on another:
- shkim301@korea.com
- shkim303@ktsolution.co.kr
- shkim303@ktsolutions.co.kr
- shkim304@hanmail.net
- shkim304@samsung.co.kr
- shkim3057@hanmail.net
- shkim30@daewoo.com
- shkim30@famecs.co.kr
- shkim30@hanmail.net
- …
yet on another:
- kathleen@kent.net
- kathleen@kenwoodcc.net
- kathleen@keogh.net.au
- kathleen@kephart.net
- kathleen@keplers.com
- kathleen@keromail.com
- kathleen@kerraisle.com
- kathleen@kerstondesignteam.com
- kathleen@kertzmanweil.com
- …