<<<
Tuesday, March 1, 2005
>>>
 
Bagle / Mitglieder case Posted by Mikko @ 04:05 GMT

We're getting several reports of a new thingy, typically seen as an email attachment named doc_01.exe. We first thought it's a new Bagle variant...but apparently this thing doesn't send itself further via email so it's not a virus.
Regedit
When run, it drops files like winshost.exe and wiwshost.exe and tries to download an executable named "zo2.jpg" from dozens of different download sites. As usual, most of these download sites don't contain such a file now, but at a later date they will contain different spam proxies or backdoors.

We detect this one right now as Email-Worm.Win32.Bagle.bb, but it will be later categorized as something else.

This thing also modifies various registry keys related to Windows BITS technology. This is the "Background Intelligent Transfer Services" used by Windows Update. We'll dig in to figure out what is it attempting to do.






<<< Case Send-Safe
|
Clearing up the Bagle mess >>>