<<<
Tuesday, March 9, 2004
>>>
 
More Bagle activity Posted by Mikko @ 13:00 GMT

Well, we didn't see a new Bagle variant for six days...but a new one was found today. This one is a minor variant repacked with ASPack. Many antivirus programs will detect it automatically, typically as Bagle.K.

Then we found something else. Something which resembles members of the Bagle family a lot, but which does not spread. So it's not a virus. It's apparently written by the same group though.

This thingie drops the Mitglieder proxy trojan, which has been used by spammers several times in the past. We're not sure how this new Bagle look-a-like is actually spreading, as it contains no replicating code. It might simply be spammed as email attachments - most likely from machines which were previously infected.

The Mitglieder trojan acts as an interesting link between the Bagle and Mydoom families. The first known version of this proxy trojan was used by Bagle.A in January 2004. Bagle.A downloaded it from a web site and installed it to infected computers

Around the same time, Mydoom.A was infecting machines around the world, leaving a small backdoor to each infected computer. Several days after the initial outbreak someone who knew how to operate the backdoor portscanned large parts of the internet address space and installed another version of the Mitglieder trojan to these machines - and started sending spam through them.

The fact that both Bagle and Mydoom families are utilizing the Mitglieder trojan might indicate that in fact it's a single group behind both of them. It might be different programmers, but the same organization.

The way these worms use Mitglieder is the next logical step from the way earlier spam-related worms such as Lovgate and Sobig used Wingate. Wingate proxy server is commercial network software, but many worms have used it in violation of its license agreement to install hidden proxy functionality. Some trojans such as Migmaf carried an embedded copy of it within itself.

In fact, I wouldn't be surprised if all of these worms would be connected to each other. The great Lovgate-Sobig-Bagle-Mydoom conspiracy!






<<< Virus War History
|
Several new Agobot backdoor variants found >>>