<<<
Saturday, March 13, 2004
>>>
 
More on Bagle.N Posted by Mikko @ 22:30 GMT

This new Bagle has new features, and it seems to be spreading surprisingly fast for a new email worm to be found during a weekend.

Once again it sends itself in variable emails as PIF or EXE attachments.

Icon for the EXE resembles the icon for a Windows TrueType font:

Icon

This time the executable can be packed inside a ZIP or RAR archive, which can be encrypted with a password. Password can be shown as a BMP/GIF/JPG image, like this:

Password: Password

This is of course an attempt to make the work of gateway-based scanners harder (after we and many other vendors started detecting password-protected ZIP files sent by previous Bagles).

Interestingly, underneath the packing and encryption, there's an ASCII graphic picture...of a butterfly. Along with some texts we won't be repeating here.

Butterfly







<<< Bagle.N found in the wild
|
Bagle.O found >>>