
Virus Watch|More Bagles...

Roel
Kaspersky Lab Expert
Posted September 19, 18:42  GMT
Tags: Bagle

During the last six hours or so we've seen another flurry of Bagle variants.

The first variant of the day was detected as Email-Worm.Win32.Bagle.cx, and we are up to Bagle.dc right now.
An urgent update for Bagle.de is already on its way; talk about a busy day.

We have a moderate alert on Bagle.cy out and, contrary to the spam run of almost a week ago, all these samples do work on NT platforms.

Again the word "price" is popular with these Bagles, so keep an eye out for it.


Virus Watch|New series of Bagles being spammed

Roel
Kaspersky Lab Expert
Posted September 12, 22:15  GMT
Tags: Bagle

Over the course of the last 10 hours or so we've seen a number of new Bagle variants.

We've just released an urgent update for the fourth spammed Bagle. Just like before, these Bagles don't spread any further.

We have also detected a Bagle which does have email spreading functionality: it sends out the spammed samples.

The spammed Bagles arrive in a zip archive as a .cpl file, most likely with "price" in one of the filenames. The .cpl files are all 14340 bytes in size.

All four variants are identical to each other; the only difference is in the .cpl dropper.
The .cpl file functions as a Trojan-Dropper which drops the actual Bagle executable.

The most interesting part of this Bagle case is that the Bagle executable does not work on Windows XP or 2000, it only seems to work on Windows 98.

Currently we can only speculate as to the author's motives to create malware which will only function on Windows 98.

We detect the .cpl droppers and mailer as Email-Worm.Win32.Bagle.cs, Bagle.ct and Bagle.cu.
The dropped files are detected as Bagle.cs.

MD5 checksums for the spammed Bagles:

4fb426de872ee9b20c3312fae3adf018
a2920da32385932c71ad2e4ed5e3e74e
951053055f16d331a42475c209803430
37e84e6c22bfe936b48aea4ade395044


Virus Watch|Monikey or: the continuing evolution of Bagle

Yury
Kaspersky Lab Expert
Posted August 17, 14:04  GMT
Tags: Bagle, LdPinch

We've recently detected a third modification of Email-Worm.Win32.Monikey. It might seem that there's nothing interesting about it - it spreads as an email with the subject heading «Открытка с POSTCARD.RU» [A Card from POSTCARD.RU]. The body of the message contains what seems to be a link to POSTCARD.RU, but it's actually a link to a compromised site - if the user visits this site, malicious programs will be downloaded onto his/her computer.

In itself, this isn't very interesting. But our interest was piqued by the fact that Monikey incorporates modifications of Trojan-PSW.Win32.Vipgsm and Trojan-PSW.Win32.LdPinch.

Why is this interesting? Well, it's yet more confirmation of our suspicions that LdPinch, Bagle, Monikey and Vipgsm are created by one and the same group of virus writers. (We wrote earlier about LdPinch and Bagle being written by the same group.) Until now, we weren't sure that Monikey and Vipgsm were created by the same people - it was just a suspicion. Monikey contains code which is almost identical to some of Bagle's code, but until now we thought that Monikey was simply based on Bagle's source code, which is probably out there somewhere on the Internet.

The fact that nearly all the embedded malicious programs are encrypted using Trojan-PSW.Win32.LdPinch's “proprietary” algorithm seems to confirm our theory. And it's noteworthy that the latest version of Monikey appeared at the same time that the Bagle authors returned to 'work' after their summer vacations.

All of the above reinforces our suspicions that it's the same people behind a number of families of malicious programs. It also confirms our prediction that the authors of Bagle would start using new approaches and technologies.

All the malicious programs have been deleted from the compromised sites, and a lot of sites have published information and apologies, stating that they did not initiate any mass mailing. However, it's still not clear how these sites were accessed - this might have been done using passwords which were stolen using a program similar to LdPinch.

All these malicious programs have been added to Kaspersky Anti-Virus database updates.


Virus Watch|And the Bagles just keep on coming

Yury
Kaspersky Lab Expert
Posted August 12, 10:42  GMT
Tags: Bagle

A quick update: over the last twenty four hours, we had eleven new Bagle variants, from Bagle.bz to Bagle.cj. Some of them were new versions, and some were old variants which had been repacked.

All the new versions were either spammed, or placed on sites for download. They're being used to ensure that the Bagle botnet survives.

A very old Bagle variant was also spammed; it had been repacked using a new version of the packing program.

The Bagle bakery is clearly still in business, but hasn't come up with any new recipes for a while.


Virus Watch|Bagle's author back at work

Yury
Kaspersky Lab Expert
Posted August 11, 13:02  GMT
Tags: Bagle

It looks as though the Bagle author is back from his vacation. Today we've detected several new variants (actually old variants which have been repacked) and they are still coming in.

New malware has been placed on the sites listed in the worms' bodies, so it may be that we will see some of these Bagles updating themselves automatically. We'll keep you posted.


Virus Watch|More Bagle trouble

Costin Raiu
Kaspersky Lab Expert
Posted May 31, 19:18  GMT
Tags: Bagle

During the past hours, we've intercepted a flurry of new Bagle variants; apparently, it's been a busy day for the author, who keeps sending them out.

Additionally, one of the URLs which all these variants monitor for updates has come online, with yet another (yes, you've guessed) Bagle variant - Bagle.bp.

So far the situation appears under control - the speed of reaction from antivirus companies in this case was outstanding. Except for the initial seeding waves, there is no sign of an outbreak. Stay tuned for more details.


Virus Watch|Fresh Bagles ahead

Costin Raiu
Kaspersky Lab Expert
Posted May 31, 15:37  GMT
Tags: Bagle

Two new Bagle variants have been spotted today. Both are 36352 bytes in size and are very similar in operation. Actually, the second one looks like a repack of the first variant in order to avoid detection. Both work through a downloader component, which connects to a set of websites and attempts to fetch a file. Just as usually happens with Sober, the author may choose to upload a trojan with unexpected effects to the "update" URLs. We are currently monitoring them for any changes.

Below you can find the MD5s for these two new variants:

(Email-Worm.Win32.Bagle.bo)

f4271a7bd37b7502ecab0ec2964d87c6 - first sample
71379e8529c54c80ead31f5499e3406b - second sample

We released detection for the most recent version at 18:59.

[update] A description for Bagle.bo is now available in the Virus Encyclopedia.

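The two posts above give the only hard indicators on this page: the six MD5 sums, the fixed sizes (14340-byte .cpl droppers, 36352-byte Bagle.bo samples) and the "price" lure word in the attachment name. The script below is an added example, not Kaspersky's code, showing how a mail gateway or analyst could triage a zip attachment against exactly those indicators without extracting anything to disk. The finding tags, the `MAX_MEMBER_SIZE` limit and the constructed sample archive are assumptions of this example; the constructed .cpl member is harmless padding that only mimics the described shape, so it matches the size and lure checks but no published hash.

```python
"""Triage a zip attachment against the Bagle indicators quoted in the posts above."""
import hashlib
import io
import zipfile

# Indicators taken from the posts (MD5 values exactly as published there).
KNOWN_MD5 = {
    "4fb426de872ee9b20c3312fae3adf018": "spammed Bagle .cpl dropper (Bagle.cs/ct/cu)",
    "a2920da32385932c71ad2e4ed5e3e74e": "spammed Bagle .cpl dropper (Bagle.cs/ct/cu)",
    "951053055f16d331a42475c209803430": "spammed Bagle .cpl dropper (Bagle.cs/ct/cu)",
    "37e84e6c22bfe936b48aea4ade395044": "spammed Bagle .cpl dropper (Bagle.cs/ct/cu)",
    "f4271a7bd37b7502ecab0ec2964d87c6": "Email-Worm.Win32.Bagle.bo (first sample)",
    "71379e8529c54c80ead31f5499e3406b": "Email-Worm.Win32.Bagle.bo (second sample)",
}
CPL_DROPPER_SIZE = 14340          # every spammed .cpl dropper, per the post
BAGLE_BO_SIZE = 36352             # both Bagle.bo samples, per the post
LURE_WORD = "price"               # recurring word in the attachment names
MAX_MEMBER_SIZE = 8 * 1024 * 1024 # assumption: never inflate anything larger


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_member(name: str, data: bytes, known=KNOWN_MD5):
    """Return (tag, detail) findings for one extracted file.

    A hash hit is a strong indicator; the size and name checks are weak ones
    that are only useful in combination (they catch repacks the hash list misses).
    """
    findings = []
    digest = md5_hex(data)
    if digest in known:
        findings.append(("known_hash", known[digest]))
    lower = name.lower()
    if lower.endswith(".cpl"):
        # A Control Panel applet is a PE DLL, i.e. executable code in a mail attachment.
        findings.append(("cpl_attachment", "executable Control Panel applet"))
        if len(data) == CPL_DROPPER_SIZE:
            findings.append(("cpl_size_match", f"{len(data)} bytes"))
    if LURE_WORD in lower:
        findings.append(("price_lure", name))
    if len(data) == BAGLE_BO_SIZE:
        findings.append(("bagle_bo_size", f"{len(data)} bytes"))
    return findings


def triage_zip(zip_bytes: bytes, max_member: int = MAX_MEMBER_SIZE):
    """Map each archive member to its findings, reading members only in memory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared uncompressed size before inflating (zip-bomb guard).
            if info.file_size > max_member:
                report[info.filename] = [("oversized", "skipped, not inflated")]
                continue
            report[info.filename] = triage_member(info.filename, zf.read(info))
    return report


def flagged(report):
    """Names of members with at least one finding, for quarantine or alerting."""
    return sorted(name for name, found in report.items() if found)


def build_sample_zip() -> bytes:
    """Constructed test input: a harmless file that merely mimics the described shape."""
    payload = b"CONSTRUCTED BENIGN PLACEHOLDER, NOT MALWARE".ljust(CPL_DROPPER_SIZE, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("price_list.cpl", payload)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, found in triage_zip(build_sample_zip()).items():
        print(member, found or "clean")
```

The hash list only catches the exact samples that were published; the posts themselves note that repacked variants keep arriving, which is why the size and lure-word checks are kept as separate weak findings rather than folded into a single verdict.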

Virus Watch|More Bagle malware is appearing

Roel
Kaspersky Lab Expert
Posted April 16, 16:14  GMT
Tags: Bagle

The Bagle author keeps sending out new malware. Earlier today we saw a new Trojan-Proxy.Win32.Mitglieder variant, which is closely related to Bagle.

Now we have detected another Trojan-Proxy.Win32.Mitglieder variant, alongside a new Bagle worm. We have just released updates for them.

It's likely that there are more variants to come, so update your antivirus databases and be careful.


Virus Watch|Another night, another Bagle

Roel
Kaspersky Lab Expert
Posted April 15, 21:27  GMT
Tags: Bagle

Last night we detected one new Bagle variant; it only had downloading capabilities and no mass-mailing functionality (except for the Trojan-Proxy functionality, that is).

All download locations encoded in the Bagle's body were dead at the time, but are currently active and the author has put malware online.

This new malware is a Trojan-Downloader, we detect it as Trojan-Downloader.Win32.Small.asb.

Trojan-Downloader.Win32.Small.asb then downloads a new version of Email-Worm.Win32.Bagle.pac which has mass-mailing functionality. However, the samples which this worm spreads only have Trojan-Downloader functionality and no mass-mailing capabilities.

So basically, so far it's the same story as we had before with Email-Worm.Win32.Bagle.pac.

We're monitoring the situation. Let's just hope we won't see as many variants in one day as last time.


Virus Watch|Bagle targeting banks

Yury
Kaspersky Lab Expert
Posted March 29, 10:18  GMT
Tags: Bagle, Internet Banking, Targeted Attacks

The latest variants of Bagle that we've detected over the past five days show that the virus writer behind this worm is shifting focus to on-line banks and payment systems. Some links that previously contained a range of spam tools now contain variants of Trojan-Spy.Win32.Banker.

It's worrying that the author isn't targeting specific on-line payment systems, as most malicious code writers do, but several hundred on-line banking systems. Systems around the world are at risk, including ones in Japan, the UK, and the USA.

As usual, we promptly issued antivirus updates to protect against the latest versions of Trojan-Spy.Win32.Banker.
