We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms ? empty message body with a ZIP file in the attachment.
Some names that have been used are:
MD5 sums of some variants are:
In the archive there is an executable which, when executed, copies itself to %sysdir%\hloader_exe.exe and drops another DLL header_dll.dll. It also creates an entry in the registry key HKLM/Software/Microsoft/Windows/CurrentVersion/Run named auto__hloader__key.
Thanks to Mike S, Sean K and others for submitting samples and information about these worms.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Prague August 2019
Nov 1st 2005
1 decade ago