New Bagle variants

We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms: an empty message body with a ZIP file attached.
Some of them have no subject at all, and the sender name is the same as the recipient name, sometimes with a random domain appended.

Some names that have been used are:

MD5 sums of some variants are:

8275444ac2caac4b90bfd07d0b2b17be    t_535475.exe
18ae7a2fa4dbbf703c3ae157f224186a    text.exe
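A mail-gateway triage check for the traits described above (missing subject, empty body, sender mirroring the recipient under another domain, a ZIP attachment carrying an executable, and the MD5 sums listed), added here as an example and not part of the original diary. The message it builds is constructed for the demonstration and the EXE inside it is a harmless placeholder, so its hash will not match the real samples.

```python
import email
import email.utils
import hashlib
import io
import zipfile
from email.message import EmailMessage

# MD5 sums quoted in the diary; the dummy EXE built in build_sample() will not match.
KNOWN_BAGLE_MD5 = {
    "8275444ac2caac4b90bfd07d0b2b17be": "t_535475.exe",
    "18ae7a2fa4dbbf703c3ae157f224186a": "text.exe",
}

def triage_message(raw: bytes) -> dict:
    # Return the Bagle-style traits a raw RFC 822 message exhibits.
    msg = email.message_from_bytes(raw)
    hits, md5s = [], []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty subject")
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    if "@" in sender and "@" in rcpt:
        (s_user, s_dom), (r_user, r_dom) = sender.split("@", 1), rcpt.split("@", 1)
        if s_user == r_user and s_dom != r_dom:
            hits.append("sender equals recipient with different domain")
    text = b"".join(p.get_payload(decode=True) or b"" for p in msg.walk() if p.get_content_type() == "text/plain")
    if not text.strip():
        hits.append("empty body")
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".exe"):
                    md5s.append(hashlib.md5(zf.read(info)).hexdigest())
                    hits.append(f"zip contains executable {info.filename}")
                    if md5s[-1] in KNOWN_BAGLE_MD5:
                        hits.append("known Bagle hash " + md5s[-1])
    return {"hits": hits, "md5": md5s}

def build_sample() -> bytes:
    # Constructed message mimicking the spam run; the EXE is a harmless placeholder.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.exe", b"MZ dummy placeholder, not the real sample")
    msg = EmailMessage()
    msg["From"] = "alice@example.org"   # same user as recipient, other domain
    msg["To"] = "alice@example.com"     # no Subject header at all
    msg.set_content("\n")               # effectively empty body
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="text.zip")
    return msg.as_bytes()
```

Feed triage_message() the raw bytes of a quarantined message; a message matching several traits at once, or any hash in the list, is worth holding for analysis.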

The archive contains an executable which, when run, copies itself to %sysdir%\hloader_exe.exe and drops a DLL, header_dll.dll. It also creates a value named auto__hloader__key under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Thanks to Mike S, Sean K and others for submitting samples and information about these worms.

ISC Handler
Nov 1st 2005
