New series of Bagles being spammed

13 Sep 2005

minute read

Authors

Roel Schouwenberg

Over the course of the last 10 hours or so we’ve seen a number of new Bagle variants.

We’ve just released an urgent update for the fourth spammed Bagle. And just like before these Bagles don’t spread any further.

We have also detected a Bagle which does have email spreading functionality, it sends the spammed samples.

The spammed Bagles arrive in a zip archive as a .cpl file. Most likely with “price” in one of the filenames. The .cpl files are all 14340 bytes in size.

All four variants are equal to each other, the only difference is in the .cpl dropper.
The .cpl file functions as Trojan-Dropper to drop the actual Bagle executable.

The most interesting part of this Bagle case is that the Bagle executable does not work on Windows XP or 2000, it only seems to work on Windows 98.

Currently we can only speculate as to the author’s motives to create malware which will only function on Windows 98.

We detect the .cpl droppers and mailer as Email-Worm.Win32.Bagle.cs, Bagle.ct and Bagle.cu.
The dropped files are detected as Bagle.cs.

MD5 checksums for the spammed Bagles:

4fb426de872ee9b20c3312fae3adf018
a2920da32385932c71ad2e4ed5e3e74e
951053055f16d331a42475c209803430
37e84e6c22bfe936b48aea4ade395044

Authors

Roel Schouwenberg

New series of Bagles being spammed

Latest Posts

Latest Webinars

Reports

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Kaspersky analysis of the CloudWizard APT framework used in a campaign in the region of the Russo-Ukrainian conflict.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

New series of Bagles being spammed

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

ZeroLocker won’t come to your rescue

A Post-PC BlackHat?

Adobe Updates April 2014

Trust. Trust. Trust

Adobe’s First Patch Tuesday of 2014

QBot banker delivered through business correspondence

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Two more malicious Python packages in the PyPI

Latest Posts

The nature of cyberincidents in 2022

New ransomware trends in 2023

Not quite an Easter egg: a new family of Trojan subscribers on Google Play

Managed Detection and Response in 2022

Latest Webinars

Ransomware trends in 2023

Cryptocurrency Threat Landscape Trends in 2023

Ransomware groups negotiation tactics: what you need to know

ChatGPT – good or evil? AI impact on cybersecurity

Reports

Meet the GoldenJackal APT group. Don’t expect any howls

CloudWizard APT: the bad magic story goes on

APT trends report Q1 2023

Tomiris called, they want their Turla malware back

Subscribe to our weekly e-mails