This Bagle-related downloader appeared on November 1st, 2005. The
dropper for the downloader DLL was spammed in e-mails to a large
number of people as TEXT.EXE. This dropper and downloader are
quite similar to the variant that appeared earlier:
http://www.f-secure.com/v-descs/bagle_ee.shtml
When the dropper is run, it copies itself as HLOADER_EXE.EXE to
the Windows System folder and creates a startup key for this file
in the Registry. Then the dropper extracts a DLL file named
HLEADER_DLL.DLL to the same folder and injects it into the Explorer
process. The DLL file is the downloader, which tries to download a
file from several different sites and to activate it.
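The install chain described above, written as a host-triage check over endpoint events; this is an added example, not F-Secure's code. It assumes Sysmon-style events (IDs 11, 13 and 7) and that the injection surfaces as an image load in explorer.exe; the sample events are constructed, and the Run key in them is a placeholder because the description does not name the startup key.

```python
import ntpath

DROPPER = "hloader_exe.exe"   # file names from the description, lower-cased
DLL = "hleader_dll.dll"

# Constructed events; field names follow Sysmon (an assumed log source).
# The Run key path and value name are placeholders: the page names no key.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\Desktop\TEXT.EXE"},
    {"EventID": 11, "TargetFilename": r"C:\WINDOWS\system32\HLOADER_EXE.EXE"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sample",
     "Details": r"C:\WINDOWS\system32\HLOADER_EXE.EXE"},
    {"EventID": 11, "TargetFilename": r"C:\WINDOWS\system32\HLEADER_DLL.DLL"},
    {"EventID": 7, "Image": r"C:\WINDOWS\explorer.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\HLEADER_DLL.DLL"},
    {"EventID": 7, "Image": r"C:\WINDOWS\explorer.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\shell32.dll"},
]

def base(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Map one event to the step of the described install chain it matches."""
    eid = event.get("EventID")
    target = base(event.get("TargetFilename"))
    if eid == 11 and target == DROPPER:          # file created
        return "dropper_copied"
    if eid == 11 and target == DLL:
        return "dll_extracted"
    # Registry value set: match on the data, since the key is not documented.
    if eid == 13 and DROPPER in (event.get("Details") or "").lower():
        return "startup_value_set"
    if (eid == 7 and base(event.get("Image")) == "explorer.exe"
            and base(event.get("ImageLoaded")) == DLL):   # image loaded
        return "dll_in_explorer"
    return None

def triage(events):
    """Return (verdict, matched steps in first-seen order) for one host."""
    seen = []
    for ev in events:
        step = classify(ev)
        if step and step not in seen:
            seen.append(step)
    verdict = "full_chain" if len(seen) == 4 else "partial" if seen else "clean"
    return verdict, seen
```

A "partial" verdict still warrants review, since a cleaned or interrupted infection can leave only the copied files or only the startup value behind.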
F-Secure Anti-Virus detects this malware starting from the
following update:
[FSAV_Database_Version]
Version=2005-11-02_01
Writeup:
Alexey Podrezov, November 2nd, 2005;
F-Secure Corporation