New Bagle, new trick

First things first: admins, block http access from your network to We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.

F-Secure: News from the Lab

Linked by shanmuga Friday, 31st March 2006 12:17AM
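
Because each fetch of the link yields a new size and MD5, matching on a known file hash will not catch later copies. As an added example (not from F-Secure or the original post), this Python sketch flags URLs in proxy logs that served several distinct bodies within a short window; the log format, `.example` hosts, placeholder hashes and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: ISO time, client IP, URL, response bytes, MD5 of body.
# Hosts use the reserved .example TLD; the hash values are made-up placeholders.
SAMPLE_LOG = """\
2006-03-30T21:00:05 10.0.0.11 http://downloads.example/file.bin 18432 md5-aaaa
2006-03-30T21:04:07 10.0.0.12 http://downloads.example/file.bin 18944 md5-bbbb
2006-03-30T21:08:02 10.0.0.11 http://downloads.example/file.bin 19456 md5-cccc
2006-03-30T21:12:09 10.0.0.13 http://downloads.example/file.bin 18688 md5-dddd
2006-03-30T21:01:00 10.0.0.11 http://static.example/logo.gif 2048 md5-1111
2006-03-30T21:30:00 10.0.0.12 http://static.example/logo.gif 2048 md5-1111
2006-03-30T09:00:00 10.0.0.14 http://updates.example/tool.exe 90112 md5-2222
2006-03-30T21:00:00 10.0.0.14 http://updates.example/tool.exe 90624 md5-3333
"""

def parse(log_text):
    """Yield (time, client, url, size, digest) tuples from the format above."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, url, size, digest = parts
        yield datetime.fromisoformat(ts), client, url, int(size), digest

def rotating_urls(log_text, window=timedelta(minutes=30), min_variants=3):
    """Return {url: (variant_count, clients)} for URLs that served at least
    min_variants distinct (size, digest) bodies inside any single window."""
    by_url = defaultdict(list)
    for ts, client, url, size, digest in parse(log_text):
        by_url[url].append((ts, client, (size, digest)))
    flagged = {}
    for url, hits in by_url.items():
        hits.sort(key=lambda h: h[0])
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({h[2] for h in hits[start:end + 1]}))
        if best >= min_variants:
            # Every client that fetched the URL is a host worth checking.
            flagged[url] = (best, sorted({h[1] for h in hits}))
    return flagged

if __name__ == "__main__":
    print(rotating_urls(SAMPLE_LOG))
```

The legitimate update in the sample changes once in twelve hours and is not flagged; the window and variant count need tuning against real traffic.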