Bagle has just made a come back. We have just received a spammed email of this new Bagle variant.
The email details used for social engineering are new but the other behaviors are basically the same.
This new variant is packed with Upolyx. Some sample emails below
We will continue to monitor for new samples and will update this blog for the malware name later
Update(Jovs, 03 February 2006 01:21:06)
The samples we are receiving continue to change MD5 due to the garbage bytes added at the end of the spammed file.
Update(Jovs, 03 February 2006 01:28:40)
Forgot to mention this earlier…
We are also monitoring the download urls for this bagle variant.
Here are the other possible attachments.
- guupd02.zip
- zupd02.zip
- viupd02.zip
Update(Zobel, 03 February 2006 02:22:31)
This will be detected as WORM_BAGLE.CL.
Update(Zobel, 03 February 2006 02:45:41)
There are new bagles that came and are still being verified if they are repacked samples of WORM_BAGLE.CL. Below are some details:
Possible Attachments- new_price.zip
- price.zip
- 21_price.zip
- pricelst.zip
- February_price.zip
- price
Update(Jovs, 03 February 2006 06:55:06)
An interesting fact with this new Bagle variant.
The zip archive that it attaches to emails contains two files. One is the copy of the worm and one is a text file containing garbage values.
Just a speculation on the author’s intention with this…
It seems the author was not satisfied by just adding garbage bytes to the end of the file to change the md5 of each attachment. He actually added another text file containing garbage characters to the zip file so that the zip file itself would be very different from one another.