Two new Bagle variants have been spotted today. Both are 36352 bytes in size and very similar in operation; in fact, the second one looks like a repack of the first, made to avoid detection. Both work through a downloader component that connects to a set of websites and attempts to fetch a file. Just as usually happens with Sober, the author may at any time upload a trojan with unexpected effects to the “update” URLs. We are currently monitoring them for any changes.
Below you can find the MD5s for these two new variants:
f4271a7bd37b7502ecab0ec2964d87c6 – first sample
71379e8529c54c80ead31f5499e3406b – second sample
We released detection for the most recent version at 18:59.
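The two MD5s and the common file size above are all a responder needs for a quick host check. As an added example (not code from the original post or from its authors), the Python script below hashes every file under a directory and flags anything whose MD5 is on the list, or whose size is exactly 36352 bytes with an unknown hash; the second flag matters because the post notes the second variant is a repack of the first, and any further repack would change the hash while likely keeping the size. The function names, the extra demo IOC entry (the MD5 of the bytes b"hello") and the sample files the demo writes are assumptions constructed for this example; the demo files are harmless filler, not malware.

```python
import hashlib
import os
import tempfile

# MD5s and file size reported in the post for the two new Bagle variants.
BAGLE_IOCS = {
    "f4271a7bd37b7502ecab0ec2964d87c6": "Bagle variant, first sample",
    "71379e8529c54c80ead31f5499e3406b": "Bagle variant, second sample",
}
BAGLE_SIZE = 36352

# Constructed demo entry (assumption, not from the post): the MD5 of b"hello",
# so the demo below can show a hash match without real malware on disk.
DEMO_IOCS = dict(BAGLE_IOCS)
DEMO_IOCS["5d41402abc4b2a76b9719d911017c592"] = "constructed demo sample"


def md5_of_file(path, chunk_size=64 * 1024):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path, iocs=BAGLE_IOCS, size=BAGLE_SIZE):
    """Return (verdict, md5) for one file.

    'match'     - MD5 is on the IOC list (byte-identical to a known sample)
    'size-only' - unknown MD5 but exactly the reported size; worth a look,
                  since a repack keeps the size but changes the hash
    'clean'     - neither
    """
    digest = md5_of_file(path)
    if digest in iocs:
        return "match", digest
    if os.path.getsize(path) == size:
        return "size-only", digest
    return "clean", digest


def scan_tree(root, iocs=BAGLE_IOCS, size=BAGLE_SIZE):
    """Walk a directory and return [(path, verdict, md5)] for every non-clean file."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                verdict, digest = check_file(path, iocs, size)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            if verdict != "clean":
                hits.append((path, verdict, digest))
    return hits


def make_demo_samples():
    """Write constructed, harmless files into a temp dir; return (root, {name: path}).

    same_size.exe - 36352 filler bytes: right size, unknown MD5 -> 'size-only'
    known.exe     - b"hello": its MD5 is in DEMO_IOCS           -> 'match'
    readme.txt    - unrelated content                           -> 'clean'
    """
    root = tempfile.mkdtemp(prefix="bagle-ioc-demo-")
    contents = {
        "same_size.exe": b"A" * BAGLE_SIZE,
        "known.exe": b"hello",
        "readme.txt": b"nothing to see here",
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    return root, paths


if __name__ == "__main__":
    demo_root, _ = make_demo_samples()
    for path, verdict, digest in scan_tree(demo_root, DEMO_IOCS):
        print(f"{verdict:9s} {digest}  {path}")
```

A hash match is exact and therefore certain, but it is also fragile: the moment the author repacks the downloader again, only the size-only hit will still fire, and that hit is a prompt to pull the file for analysis, not a verdict on its own.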