SANS ISC: New Bagle variants - SANS Internet Storm Center


New Bagle variants

We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms: an empty message body with a ZIP file as the attachment.
Some of them have no subject at all, and the sender name is the same as the recipient name, sometimes with a random domain appended.

Some names that have been used are:

Max.zip
Business_dealing.zip
Text_sms.zip
Health_and_Knowledge.zip
The_new_prices.zip
Info_prices.zip

MD5 sums of some variants are:

8275444ac2caac4b90bfd07d0b2b17be    t_535475.exe
18ae7a2fa4dbbf703c3ae157f224186a    text.exe

In the archive there is an executable which, when run, copies itself to %sysdir%\hloader_exe.exe and drops a DLL, header_dll.dll. It also creates a value named auto__hloader__key under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it starts with Windows.
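The message traits and the sample hashes above can be turned into a simple mail-gateway triage check. The following Python is an added example written for this diary, not code from the ISC or from any handler: it scores a message against the traits described (empty body, empty subject, ZIP attachment, known attachment name, sender mirroring the recipient) and inspects a ZIP attachment's members without executing them, comparing each member's MD5 against the two hashes listed above. The function names, the executable-extension list and the sample ZIP built by build_sample_zip() are assumptions and constructed test data; the sample's bytes are a fake MZ header, not a real Bagle sample, so its hash will not match the page's hashes.

```python
import hashlib
import io
import zipfile
from email.utils import parseaddr

# MD5 sums of the two samples listed in the diary (values from the page).
KNOWN_BAD_MD5 = {
    "8275444ac2caac4b90bfd07d0b2b17be": "t_535475.exe",
    "18ae7a2fa4dbbf703c3ae157f224186a": "text.exe",
}

# Attachment names reported in the spam runs (values from the page).
KNOWN_ATTACHMENT_NAMES = {
    "Max.zip", "Business_dealing.zip", "Text_sms.zip",
    "Health_and_Knowledge.zip", "The_new_prices.zip", "Info_prices.zip",
}

# Assumed list of extensions worth flagging inside a mailed archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def message_indicators(sender, recipient, subject, body, attachment_name):
    """Return the list of diary-described traits that an inbound message matches.

    An empty list means none of the traits matched.
    """
    hits = []
    if not body.strip():
        hits.append("empty body")
    if not subject.strip():
        hits.append("empty subject")
    if attachment_name.lower().endswith(".zip"):
        hits.append("zip attachment")
    if attachment_name in KNOWN_ATTACHMENT_NAMES:
        hits.append("known attachment name")
    # Sender name or local part equal to the recipient's local part, possibly
    # with a different (random) domain appended.
    s_name, s_addr = parseaddr(sender)
    _r_name, r_addr = parseaddr(recipient)
    s_local = s_addr.split("@")[0].lower()
    r_local = r_addr.split("@")[0].lower()
    if r_local and (s_local == r_local or s_name.lower() == r_local):
        hits.append("sender mirrors recipient")
    return hits


def triage_zip(zip_bytes, known_md5=KNOWN_BAD_MD5):
    """Inspect every member of a ZIP attachment without executing anything.

    Returns one dict per member: name, md5, whether it looks executable
    (by extension or MZ header), and the diary sample name if the MD5 is known.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            looks_executable = (
                info.filename.lower().endswith(EXECUTABLE_EXTENSIONS)
                or data[:2] == b"MZ"
            )
            findings.append({
                "name": info.filename,
                "md5": md5,
                "executable": looks_executable,
                "known_sample": known_md5.get(md5),
            })
    return findings


def build_sample_zip():
    """Constructed test attachment: a fake 'text.exe' with an MZ header, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("text.exe", b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE")
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mimicking the reported pattern (no subject, no body,
    # sender local part equal to the recipient's with another domain).
    print(message_indicators("joe@example.org", "joe@example.com", "", "", "Max.zip"))
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

In a gateway, a message that matches several of these traits and carries an executable inside its ZIP is a strong quarantine candidate even when the hash is unknown, since the hash list only covers the two samples received so far.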

Thanks to Mike S, Sean K and others for submitting samples and information about these worms.



Bojan

ISC Handler