First things first: admins, block http access from your network to endoliteindia.com.
We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.
The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.
We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.
To make a long story short: block access to this download site. It's at endoliteindia.com - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.
Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.
