Today is Bagle Day
p2pnet.net News:- If you’re an e-worm watcher, you might be coming across Bagle variants with “quite interesting icons”.
That’s the view of F-Secure’s Alexey who says on the site blog that three new Bagle variations have already turned up today.
“One of the variants was found on a website that was accessed by another Bagle variant,” says the post. “This is most likely a test variant because it gets e-mails from C:EMAILS folder rather than from files on a hard disk (like ITW variants do). We have not seen any reports about this variant from the field. This variant was originally detected by us as W32/Bagle.AU@mm, but we are going to change detection name to W32/Bagle.AV@mm to avoid confusion with another widespread Bagle variant that appeared today (see below).
“The second variant of Bagle that appeared today is Bagle.AT. This variant is number 1 in our Virus Statistics.
“The third variant of Bagle appeared shortly after the second one and got the name Bagle.AU. This variant has the same functionality as Bagle.AT, but it uses a different CPL stub and it has a 2-byte corruption area in its text resources. This variant is currently number 12 in our Virus Statistics.”
But the most interesting aspect of these new Bagle variants is that they modify themselves before spreading, says Alexey.
“They search for applications on a hard disk and ‘borrow’ their icons. Then these icons are attached to Bagle’s files together with some garbage data (used as a decoy) and then these files are mailed out.”
=================
See:-
Alexey – We call it Bagle day, F-Secure, October 29, 2004





October 29th, 2004 at 5:22 pm
We call it Bagle day Posted by Alexey @ 15:39 GMT
you’re going blind
October 29th, 2004 at 5:41 pm
You’re right. (ahem, blush)
But Katrin DID post the item on the third new Bagle. (cough, cough)
Anyhow, I’ve fixed it ; p
Cheers!