NEWS FROM THE LAB - Friday, October 29, 2004

We call it Bagle day Posted by Alexey @ 15:39 GMT

So let's sum up what we have at the moment. Three new Bagle variants appeared today.

One of the variants was found on a website that was accessed by another Bagle variant. This is most likely a test variant, because it collects e-mail addresses from the C:\EMAILS\ folder rather than from files on the hard disk (as ITW variants do). We have not seen any reports about this variant from the field. We originally detected this variant as W32/Bagle.AU@mm, but we are going to change the detection name to W32/Bagle.AV@mm to avoid confusion with another widespread Bagle variant that appeared today (see below).

The second variant of Bagle that appeared today is Bagle.AT. This variant is number 1 in our Virus Statistics.

The third variant of Bagle appeared shortly after the second one and got the name Bagle.AU. This variant has the same functionality as Bagle.AT, but it uses a different CPL stub and has a 2-byte corruption area in its text resources. This variant is currently number 12 in our Virus Statistics.

The interesting thing about the latest Bagle variants is that they modify themselves before spreading: they search for applications on the hard disk and "borrow" their icons. These icons are then attached to Bagle's files together with some garbage data (used as a decoy), and the resulting files are mailed out. So you might see Bagle variants with quite interesting icons...
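One consequence for defenders is that a plain file hash of such mailed-out copies never matches, since the icon resources and the appended garbage differ from copy to copy. The following added example (not F-Secure's detection code) shows a "structural hash" that covers only the raw section data, skipping the resource section and anything appended after the last section, so two copies that differ only in borrowed icons and trailing junk hash alike. The two PE-like blobs it builds are constructed here for illustration and are not loadable executables.

```python
import hashlib
import struct

def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for each section table entry of a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                  # COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    for i in range(nsections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_off, raw_size

def structural_hash(data: bytes, skip=(".rsrc",)) -> str:
    """SHA-256 over section names and raw section bytes, ignoring resources and any overlay."""
    h = hashlib.sha256()
    for name, off, size in pe_sections(data):
        if name in skip:
            continue
        h.update(name.encode())
        h.update(data[off:off + size])
    return h.hexdigest()

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample(code: bytes, rsrc: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE-like blob: DOS header, PE signature, COFF header,
    an 8-byte dummy optional header, two sections (.text, .rsrc) and appended overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 8, 0x102)
    opt = bytes(8)
    def sec(name, off, size):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0, size, off, 0, 0, 0, 0, 0)
    text_off = 64 + 4 + 20 + 8 + 40 * 2                   # data starts right after the section table
    rsrc_off = text_off + len(code)
    table = sec(b".text", text_off, len(code)) + sec(b".rsrc", rsrc_off, len(rsrc))
    return bytes(dos) + b"PE\0\0" + coff + opt + table + code + rsrc + overlay

CODE = b"\x55\x8b\xec" * 16                               # constructed stand-in for the shared worm body
SAMPLE_A = build_sample(CODE, b"ICON:borrowed-from-app-1", b"decoy garbage #1")
SAMPLE_B = build_sample(CODE, b"ICON:borrowed-from-another-app", b"different junk appended")
```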