We received this Bagle variant on September 1st, 2004. This worm
sends out an archive named FOTOS.ZIP that contains a FOTO.HTM
file and a hidden file named CALC.EXE, which is located in a
hidden subfolder named '1'. The CALC.EXE file is a dropper for
the downloader named Glieder.I, which downloads the Bagle.AO file
from one of several websites. For more information about the
Glieder.I dropper and downloader, please see the following link:
http://www.f-secure.com/v-descs/gliederi.shtml
This Bagle variant is very close to the previous one, Bagle.AN.
The description of the Bagle.AN worm variant is available here:
http://www.f-secure.com/v-descs/bagle_an.shtml
This worm variant sends out a slightly different ZIP archive in
e-mails. The ZIP archive contains an HTML file named FOTO.HTM and
the Glieder.I trojan dropper named CALC.EXE, which is located in
a subfolder named '1' in the same archive. Both the executable
file and the subfolder have the hidden attribute set. The HTML
file uses an exploit to activate the dropper. The Glieder.I
dropper drops another component, a downloader for the Bagle.AO
worm's file. The worm's author placed that file on several
websites under the name B.JPG.
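The archive layout described above can be checked from the ZIP central directory, where each member carries its MS-DOS attribute byte (the hidden bit is 0x02). The following Python is an added mail-gateway triage example, not F-Secure's detection logic; the archive it builds is a constructed placeholder that only mirrors the member names and attributes, not the worm's files.

```python
import io
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr
DOS_HIDDEN = 0x02
DOS_DIRECTORY = 0x10
HTML_SUFFIXES = (".htm", ".html")
EXE_SUFFIXES = (".exe",)


def dos_attributes(info):
    """Return the MS-DOS attribute byte recorded for one ZIP member."""
    return info.external_attr & 0xFF


def classify_attachment(zip_bytes):
    """Classify a ZIP attachment by the layout the description gives:
    an HTML file plus an executable, possibly hidden in a subfolder.
    Returns 'clean', 'html+exe' or 'html+hidden-exe'."""
    html, exes, hidden_exes = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            if name.endswith(HTML_SUFFIXES):
                html.append(info.filename)
            elif name.endswith(EXE_SUFFIXES):
                exes.append(info.filename)
                if dos_attributes(info) & DOS_HIDDEN:
                    hidden_exes.append(info.filename)
    if html and hidden_exes:
        return "html+hidden-exe"
    if html and exes:
        return "html+exe"
    return "clean"


def build_sample(include_exe=True, hide_exe=True):
    """Construct a test archive with FOTOS.ZIP's member layout; the
    member contents are placeholders, not the worm's files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FOTO.HTM", "<html><!-- constructed placeholder --></html>")
        if include_exe:
            attr = DOS_HIDDEN if hide_exe else 0
            folder = zipfile.ZipInfo("1/")          # hidden subfolder '1'
            folder.external_attr = DOS_DIRECTORY | attr
            zf.writestr(folder, b"")
            exe = zipfile.ZipInfo("1/CALC.EXE")     # hidden dropper slot
            exe.external_attr = attr
            zf.writestr(exe, b"MZ placeholder bytes, not an executable")
    return buf.getvalue()
```

A gateway rule would quarantine anything classified as html+hidden-exe and flag html+exe for review, since an HTML file bundled with any executable is already unusual for a photo archive.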
F-Secure Anti-Virus detects Bagle.AO starting from the following
update:
[FSAV_Database_Version]
Version=2004-09-01_04
Description:
Alexey Podrezov, September 1st, 2004;
F-Secure Corporation