MoMusings

Tuesday 1st March, 2005


Beagle The Trojan… Dog?

Filed under: All, Malware

It is about time that Beagle [the malware mutt] aka Bagle was either house trained or even better put in Doggy Prison!

Yet again I woke up to more Beagle deposits, ranging from droppers to full new variants of this fecund family of malware. Details below on what we know of the various new ones out there so far today:

The first one arrived via e-mail and the intended victim was suspicious and sent it on to me for analysis:

Details:
FileName: new_price.zip
FileDateTime: 01/03/2005 05:54:37
Filesize: 15876
MD5: 82859cc5b9e34ede58692d9fb2c84a63
CRC32: AB5D0DD
File Type: ZIP Archive File

Contains:-
FileName: prs_03.exe
FileDateTime: 01/03/2005 13:30:14
Filesize: 34304
MD5: f0851f7b19c9f5e880d2ad03acc48cb3
CRC32: 97C02F70
File Type: PE Executable

Scanner Results:
Kaspersky: Email-Worm.Win32.Bagle.bc
McAfee: W32/Bagle.dldr
F-Prot: W32/Bagle.BL
BitDefender: Trojan.Bagle.BE
ClamAV: Trojan.Small-57-3
ESET: Win32/Bagle.BA worm

Yes, out of the 14 [up-to-date] scanners I have at hand, only the above detected anything suspicious; this means that TREND and Symantec miss it completely with their latest definitions [at the time of testing].


There are currently 5 new variants in-the-wild and spreading; however, it seems that several of them are trojans, not worms. These trojan variants are being spammed out to hundreds of thousands of e-mail addresses at a time. The trojan variants may be classified under another name, such as Trojan.Tooso [Symantec], or a hybrid name such as Troj_Bagle [TREND] instead.

Interestingly, the trojan variants [is this a Trojan Dog rather than Horse? ;-) ] seem to modify the HOSTS file, filling it with the hostnames of many AV and security vendor sites and pointing them at 127.0.0.1 [localhost], so that any attempt to reach those sites will fail. It also tries to download a JPEG [graphic] file from one of the many URLs listed in the trojan's code. At this time we are not sure whether this is using one of the recent Microsoft JPEG vulnerabilities to execute an infected JPEG file, or whether it is just using a .jpg extension to bypass web filtering.
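Two defender-side checks follow from the behaviour just described: audit the HOSTS file for security-vendor hostnames pinned to the loopback address, and verify by magic bytes that a file fetched with a .jpg extension is actually a JPEG rather than a PE executable. The code below is an added example, not code from the original post or from any AV vendor; the vendor domain list, the sample HOSTS content and the sample file headers are all constructed here for illustration, and the real trojan's embedded lists are not reproduced on this page.

```python
"""Host-based checks for two Bagle trojan behaviours (constructed example)."""

# Constructed list of security-vendor domains worth watching in a HOSTS file.
SECURITY_VENDOR_SUFFIXES = (
    "kaspersky.com", "mcafee.com", "f-prot.com", "bitdefender.com",
    "clamav.net", "eset.com", "symantec.com", "trendmicro.com", "f-secure.com",
)

# Addresses that effectively sinkhole a hostname when mapped in HOSTS.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def audit_hosts(text):
    """Return (ip, hostname) pairs where a security-vendor host is sinkholed.

    Comments after '#' are ignored, as the resolver ignores them; the
    legitimate 'localhost' line is never reported.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip not in SINKHOLE_ADDRS:
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host == "localhost":
                continue
            if any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES):
                findings.append((ip, host))
    return findings


def classify_by_magic(data):
    """Identify a file by its leading bytes: 'pe', 'jpeg' or 'unknown'."""
    if data[:2] == b"MZ":            # DOS/PE executable header
        return "pe"
    if data[:3] == b"\xff\xd8\xff":  # JPEG start-of-image marker
        return "jpeg"
    return "unknown"


def extension_mismatch(filename, data):
    """True when a file named *.jpg/*.jpeg does not carry a JPEG header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ("jpg", "jpeg") and classify_by_magic(data) != "jpeg"


# Constructed sample of a tampered HOSTS file.
SAMPLE_HOSTS = """\
# hosts file - constructed sample
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
127.0.0.1       www.kaspersky.com kaspersky.com
127.0.0.1       www.symantec.com    # pinned by the trojan
127.0.0.1       downloads-us1.trendmicro.com
"""

# Constructed sample downloads: a PE stub posing as a JPEG, and a real JPEG header.
FAKE_JPG_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"

if __name__ == "__main__":
    for ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"HOSTS sinkhole: {host} -> {ip}")
    for name, blob in (("new_price.jpg", FAKE_JPG_PE), ("photo.jpg", REAL_JPG)):
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: {classify_by_magic(blob)} ({verdict})")
```

Run against the live `%SystemRoot%\system32\drivers\etc\hosts` (or `/etc/hosts`) by reading the file into `audit_hosts`; any vendor hostname reported there is a strong sign of this family's tampering, since a clean HOSTS file normally contains only the localhost line and locally administered names.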

I’ll post more data when I have it.

Oh dear, looks like there are more new variants out there, as I’ve just been informed of another new one that has been found since I originally posted.

This just in from the F-Secure Research weblog:

“These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yup.”

“Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over.”

And it appears that there could be 8 new variants out there: 4 droppers and 4 worms!

