Two new Bagle variants are circulating actively at the moment: Email-Worm.Win32.Bagle.ax and Email-Worm.Win32.Bagle.ay. When the worms harvest email addresses from an infected machine, they skip any address that contains one of the following substrings and never send a copy of themselves there:
- @avp.
- @foo
- @iana
- @messagelab
- @microsoft
- abuse
- admin
- anyone@
- bsd
- bugs@
- cafee
- certific
- contract@
- feste
- free-av
- f-secur
- gold-certs@
- google
- help@
- icrosoft
- info@
- kasp
- linux
- listserv
- local
- news
- nobody@
- noone@
- noreply
- ntivi
- panda
- pgp
- postmaster@.
- rating@
- root@
- samples
- sopho
- spam
- support
- unix
- update
- winrar
- winzip
The list covers antivirus vendors (avp, f-secur, kasp, cafee, panda, sopho, ntivi), sample-submission and role accounts (samples, abuse, postmaster, support, noreply) and mailing-list addresses. By skipping them, the new Bagles avoid mailing themselves straight into antivirus labs, which explains the relatively small number of samples we have received so far.
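To make the filtering step concrete, here is an added example (written for this page, not code from the post or from the worm) that applies the substring list above to a constructed batch of harvested addresses and shows which ones would be spared. The worm's exact matching rules are not described in the post; the example assumes a case-insensitive substring test, which is the only way entries such as "cafee" and "icrosoft" make sense against mixed-case addresses. All addresses in the sample are invented.

```python
# Added example modelling the address-exclusion step described above.
# Assumption (not stated in the post): matching is a case-insensitive
# substring test against each harvested address.

EXCLUDED_SUBSTRINGS = [
    "@avp.", "@foo", "@iana", "@messagelab", "@microsoft",
    "abuse", "admin", "anyone@", "bsd", "bugs@", "cafee", "certific",
    "contract@", "feste", "free-av", "f-secur", "gold-certs@", "google",
    "help@", "icrosoft", "info@", "kasp", "linux", "listserv", "local",
    "news", "nobody@", "noone@", "noreply", "ntivi", "panda", "pgp",
    "postmaster@.", "rating@", "root@", "samples", "sopho", "spam",
    "support", "unix", "update", "winrar", "winzip",
]


def matching_substring(address):
    """Return the first excluded substring found in the address, or None.

    Lower-casing the address is the assumed behaviour; entries like
    "cafee" (McAfee) and "icrosoft" (Microsoft) only work that way.
    """
    lowered = address.lower()
    for needle in EXCLUDED_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def partition_harvest(addresses):
    """Split harvested addresses into (targeted, skipped).

    skipped is a list of (address, substring_that_matched) tuples so an
    analyst can see exactly which entry in the list protected each mailbox.
    """
    targeted, skipped = [], []
    for addr in addresses:
        hit = matching_substring(addr)
        if hit is None:
            targeted.append(addr)
        else:
            skipped.append((addr, hit))
    return targeted, skipped


# Constructed sample harvest: invented addresses, not real data.
SAMPLE_HARVEST = [
    "jane.doe@example.com",        # ordinary user: targeted
    "newsamples@avp.example",      # "@avp." (also "news" and "samples")
    "virus@McAfee.example",        # "cafee" catches McAfee once lower-cased
    "bob@mail.Microsoft.com",      # "icrosoft" catches either capitalisation
    "postmaster@example.org",      # not skipped: the list as printed has
                                   # "postmaster@." with a trailing dot
    "webmaster@updates.example",   # "update"
    "carol@localhost",             # "local"
    "dave@freemail.example",       # "free-av" needs the hyphen, so targeted
]

if __name__ == "__main__":
    targeted, skipped = partition_harvest(SAMPLE_HARVEST)
    print("would receive the worm:")
    for addr in targeted:
        print("  ", addr)
    print("skipped (address, matching entry):")
    for addr, hit in skipped:
        print("  ", addr, "->", hit)
```

Running it shows three of the eight invented addresses still being targeted. The postmaster case is worth noting for anyone reusing the list: the trailing dot in "postmaster@." as printed means a plain postmaster@ mailbox is not matched, so do not assume every role account is covered.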
Here's a sample of what a Bagle.ay message looks like:
Full description of the new Bagles will be available in the Virus Encyclopedia in the near future.
Update: if the infected attachment has a .cpl extension, it is detected as Email-Worm.Win32.Bagle.at.