Friday, March 31, 2006 5:32 AM Don

New Bagle, new trick

As reported on the F-Secure Weblog - First things first: admins, block HTTP access from your network to endoliteindia.com.

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.
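Because the server hands out a freshly repacked binary every few minutes, blocking by MD5 or file size fails, but the behaviour (infected hosts polling the same URL on a short cycle and receiving a different payload each time) is visible in proxy logs. The following is an added detection example, not code from the F-Secure post; the log format, hostnames and truncated hash values are constructed for illustration.

```python
"""Flag clients that repeatedly fetch one URL whose payload keeps changing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client, URL, response bytes, body MD5
# (hash values truncated and made up; the host name is a placeholder).
SAMPLE_LOG = """\
2006-03-31T01:00:04 10.0.0.12 http://downloader-host.example/x.exe 41216 3f2a9c11
2006-03-31T01:04:05 10.0.0.12 http://downloader-host.example/x.exe 41728 b77e02d4
2006-03-31T01:08:03 10.0.0.12 http://downloader-host.example/x.exe 40960 0c1de9aa
2006-03-31T01:12:06 10.0.0.12 http://downloader-host.example/x.exe 42240 5e8f4b20
2006-03-31T01:00:10 10.0.0.33 http://updates.example/version.txt 128 77aa11bb
2006-03-31T01:05:10 10.0.0.33 http://updates.example/version.txt 128 77aa11bb
2006-03-31T01:10:10 10.0.0.33 http://updates.example/version.txt 128 77aa11bb
2006-03-31T01:02:00 10.0.0.50 http://downloader-host.example/x.exe 41216 3f2a9c11
"""


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, client, url, size, md5 = line.split()
    return datetime.fromisoformat(ts), client, url, int(size), md5


def find_polling_clients(log_text, min_fetches=3, max_gap=timedelta(minutes=10)):
    """Return {(client, url): sorted distinct MD5s} for each client that fetched
    the same URL at least min_fetches times, never waiting longer than max_gap
    between fetches, and received more than one distinct payload.

    A legitimate update checker polls too, but keeps getting the same bytes,
    so the changing-hash condition is what separates the repacking pattern.
    """
    fetches = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, size, md5 = parse_line(line)
        fetches[(client, url)].append((ts, size, md5))

    suspects = {}
    for key, events in fetches.items():
        if len(events) < min_fetches:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        if max(gaps) > max_gap:
            continue
        hashes = {md5 for _, _, md5 in events}
        if len(hashes) > 1:  # same URL, different body each time: repacked downloader
            suspects[key] = sorted(hashes)
    return suspects


if __name__ == "__main__":
    for (client, url), hashes in find_polling_clients(SAMPLE_LOG).items():
        print(f"{client} polled {url}; saw {len(hashes)} distinct payloads: {hashes}")
```

Only the host that polled on a short cycle and kept receiving different bytes is reported; the update checker and the one-off download are not.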