WORM_BAGLE meets UPolyX

Once again we are experiencing a storm of TROJ_BAGLE samples coming in. This time the TROJ_BAGLE attachment is named 19_09.exe.

As I said in my previous blog, we have been downloading the files from the URLs used by Bagle. To my surprise, a new sample of WORM_BAGLE was downloaded from this site: http://{blocked}/img/2.jpg! Curiosity kicked in and I'm in hyper mode…

After some googling, I confirmed that the packer used in this WORM_BAGLE variant (UPolyX) is a polymorphic UPX scrambler. There you go: polymorphic!

After a while I downloaded the file from the same URL again. Guess what: I now have a new WORM_BAGLE variant.

So this may mean one of two things:

  1. From time to time a batch file may be automatically replacing the file uploaded at http://{blocked}/img/2.jpg with a repacked version. Since the packer is UPolyX, the file's appearance changes with every repack.
  2. The malware writer may be manually repacking his WORM_BAGLE and manually replacing the file uploaded to the said site.

Either way, the UPolyX packer is one of the reasons why there are so many variants floating around.

Another thing: the filename of the trojan mass-mailed by WORM_BAGLE also changes.

The ones we are currently receiving have the filename 19_09.exe, while the one I downloaded from the site carries a trojan named 20_09.exe. Anyone see a pattern?

The batch file I mentioned in point one may also be responsible for automatically renaming the trojan after the current date:

  • 19_09.exe – September 19
  • 20_09.exe – September 20
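
A mail-gateway check for the dated attachment names described above, written here as an added example (it is not code from the original post): it decodes DD_MM.exe names and flags those that encode a date close to the message's received date, which is a property the polymorphic packer cannot change the way it changes the hash. The sample attachment names and the year are constructed assumptions; the post gives only day and month.

```python
import re
from datetime import date

# Constructed sample attachment names: the two dated names from the post plus
# controls that should not be flagged. Not taken from any real mail feed.
SAMPLE_ATTACHMENTS = ["19_09.exe", "20_09.exe", "02.exe", "report.pdf", "31_02.exe", "setup.exe"]

# DD_MM.exe, the naming pattern observed in the post (19_09.exe = 19 September).
DATE_NAME = re.compile(r"^(\d{2})_(\d{2})\.exe$", re.IGNORECASE)


def decode_date_name(name, year):
    """Return the date encoded in a DD_MM.exe filename, or None when the name
    does not follow the pattern or does not form a valid calendar date."""
    m = DATE_NAME.match(name)
    if not m:
        return None
    day, month = int(m.group(1)), int(m.group(2))
    try:
        return date(year, month, day)
    except ValueError:  # e.g. 31_02.exe matches the pattern but is not a real date
        return None


def is_dated_bagle_name(name, received, window_days=2):
    """True when the attachment name encodes a date within window_days of the
    message's received date, i.e. the auto-renaming behaviour described above.
    Adjacent years are tried so the check still works across the Dec/Jan boundary."""
    for year in (received.year - 1, received.year, received.year + 1):
        encoded = decode_date_name(name, year)
        if encoded is not None and abs((encoded - received).days) <= window_days:
            return True
    return False


def triage(names, received):
    """Map each attachment name to a flag. The decision never looks at the file's
    hash, which is the point when every repack produces a different MD5."""
    return {name: is_dated_bagle_name(name, received) for name in names}


if __name__ == "__main__":
    # Assumed received date: the post names only the day and month (September 19/20).
    received = date(2005, 9, 20)
    for name, flagged in triage(SAMPLE_ATTACHMENTS, received).items():
        print(f"{name:12} {'FLAG' if flagged else 'ok'}")
```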


Update

So after downloading the files, here's what I got:

  • Four (4) variations of WORM_BAGLE.DA (Undetected)
  • Four (4) variations of TROJ_BAGLE.DA (3 Detected and 1 Undetected)
  • One (1) TROJ_DLOADER.ACT (Undetected)


Each TROJ_BAGLE.DA is embedded in a WORM_BAGLE.DA: the four different worms carry four different trojans.

MD5 hashes of the files are listed below.

  • 2B855271E01342FD7ED6E0A2A6042947 2.jpg – WORM_BAGLE.DA
  • 33E8E59AA5773978E4E9AA1B0DB28A4E 20_09.exe – DETECTED AS TROJ_BAGLE.DA
  • 07BE19293429F833C284A1D96448E8DE 2.jpg – WORM_BAGLE.DA
  • AAD4A3C6E090E2687320F19E4F3F8034 19_09.exe – TROJ_BAGLE.DA
  • 8F2CF4AAE13C4F8588E92B97D522CD1C 2.jpg – WORM_BAGLE.DA
  • 555573598640743DDE5C2DF992E5CBE3 02.exe – DETECTED AS TROJ_BAGLE.DA
  • 9E6F3B0BA3D101CED7A3B0861B69865E 2.jpg – WORM_BAGLE.DA
  • 2E5E131E4D5A6500B94F68D1C11FFCC5 09.exe – DETECTED AS TROJ_BAGLE.DA
  • 609883018B90A6F4D36641F4D7F482F3 osa6.gif – TROJ_DLOADER.ACT

Note: by "different" I mean the hex view (different because of the UPolyX packer). The behavior of the four files is the same.