In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
— Bagle Author, 29.04.04, Germany.
The lines above were found in the binary of a new Bagle variant that we have just received. Where the last Bagle variant we received was packed with UPolyX, this one is packed with MoleBox 2.x.x by Mole Studio; unlike UPolyX, that packer has no polymorphic behavior.
It arrives as an email attachment named phishing_screenshot.exe with a file size of 26,112 bytes. See below for AV detections.
Detection (as of 2006-02-09 21:09:59)
Trend Micro: PAK_Generic.001
The sample has been submitted to the service team for detailed analysis.
Update (Jessie, 09 February 2006 22:17:29)
We have just received a sample email that seems to be the start of it all. See below for the sample email being spammed with a copy of the worm attached.
This email sample has no connection with the email samples found in the worm's binary. This must have been the initial seeding of the first copies of the worm.
The sample has been given the detection name WORM_BAGLE.EN.
Update (Jessie, 09 February 2006 22:33:47)
Possible Message Bodies of the Worm
Message 1
Dear Sir or Madam,
This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again.
You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.
Message 2
******************************************************************
Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.
Transaction Number: {random number}
This is your receipt for your $1490 purchase of a 1.0 months
subscription which will appear on your statement as {random number}-{random number}-{random number}.
Your membership will automatically renew per the terms and conditions.
Should you ever have any
problems whatsoever, please don’t hesitate to contact our live technical support staff – available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-534-8593. Rather use email?
Drop us a line at bill@gmail.com and we’ll always get back to you within an hour.
Enjoy the service!
Support
******************************************************************
Message 3
Your email {random text} has exceeded its
bandwidth quota in the period beginning on 2006-01-01.
Your quota is set to 10485760 bytes (10.0 MB), and
your email has consumed 559189702 bytes (533.285 MB) beyond that quota.
Our over-bandwidth charges are
Additional Bandwidth/Month Monthly Cost
100 Mb $200.00
200 MB $360.00
300 MB $480.00
400 MB $624.00
500 Mb $740.00 <- your over-usage
600 Mb $850.00
Our automatically generated bill is attached with this email.
Sincerely,
Sales Manager.
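The two things a mail gateway can act on from this post are the arrival details (an executable attachment named phishing_screenshot.exe of 26,112 bytes) and the distinctive wording of the three lure bodies above. The script below is an added example, not Trend Micro's code and not part of the original post: it parses a raw RFC 822 message with Python's standard email library, flags any attachment that is executable by extension or by its "MZ" header, records whether the name and size match what the post reports, and searches the text body for phrases lifted from Messages 1 to 3. The sample messages it builds are constructed for the demo (a zero-filled stub of the reported size, not the worm), and the extension list is an assumption about what a gateway would treat as executable.

```python
"""Mail-gateway triage for the Bagle variant described in the post (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Values reported in the post for this Bagle variant.
REPORTED_NAME = "phishing_screenshot.exe"
REPORTED_SIZE = 26112  # bytes

# Assumption: extensions a gateway would treat as directly executable.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl", ".bat")

# Distinctive phrases taken from the three lure bodies quoted in the post
# (lower-cased; the misspelling in "reciept" is kept on purpose).
LURE_PHRASES = (
    "antivirus definition file is attached",
    "details about your reciept attached",
    "this is your receipt for your",
    "exceeded its bandwidth quota",
    "automatically generated bill is attached",
)


def _is_executable(name: str, data: bytes) -> bool:
    """Flag on extension or on the PE/MZ header, so a renamed .exe is still caught."""
    return name.lower().endswith(EXEC_EXTENSIONS) or data[:2] == b"MZ"


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return a triage record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = []
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            if part.get_content_type() == "text/plain":
                body.append(part.get_content())
            continue
        data = part.get_payload(decode=True) or b""
        if _is_executable(name, data):
            attachments.append({
                "name": name,
                "size": len(data),
                "has_mz_header": data[:2] == b"MZ",
                # True when both the reported file name and size line up.
                "matches_report": name.lower() == REPORTED_NAME and len(data) == REPORTED_SIZE,
            })
    text = " ".join(body).lower()
    phrases = [p for p in LURE_PHRASES if p in text]
    if attachments:
        verdict = "quarantine"   # executable attachment: hold regardless of wording
    elif phrases:
        verdict = "review"       # lure wording without a payload: send to an analyst
    else:
        verdict = "deliver"
    return {"executable_attachments": attachments, "lure_phrases": phrases, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message shaped like Message 1 in the post, carrying a
    zero-filled MZ stub of the reported size. This is not the real worm."""
    msg = EmailMessage()
    msg["From"] = "store@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Order confirmation"
    msg.set_content(
        "Dear Sir or Madam,\n\nThis notification is just a friendly reminder ...\n"
        "You antivirus definition file is attached to this email, please install it.\n"
    )
    stub = b"MZ" + b"\x00" * (REPORTED_SIZE - 2)
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename=REPORTED_NAME)
    return bytes(msg)


def build_benign() -> bytes:
    """Constructed control message with no attachment and no lure phrasing."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Lunch"
    msg.set_content("Are we still on for noon?\n")
    return bytes(msg)


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        print(triage(raw))
```

The MZ check matters more than the file name: the post's attachment name and size identify this one seeding, but the same worm re-spammed under another name still carries a PE header, so the verdict should not depend on the name alone.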