A new Bagle dropper and downloader, Bagle-AQ, was bulk mailed to numerous internet users yesterday. The malware arrives in email with subject and email body "foto" and attachment called foto.zip that poses as a file containing photographs.
This zip file contains a HTML file and an executable called foto1.exe. The executable is a dropper. If activated it will kill DLL files related to the updating components of various anti-virus programs. It also attempts download an updated payload every six hours from one of more than 130 separate websites. This payload contains a mass-mailing worm that uses its own SMTP engine to spread. It also opens backdoors on TCP port 80 and UDP port 80, allowing infected computers to be used as email relays. Only Windows machines are affected.
The mode of infection of Bagle-AQ (Trojan downloader) shares more in common with the Download.Ject worm than with previous variants of the Bagle worm. AV firms have confusingly taken to calling it a variety of names from Glieder-H to the BagleDl-A Trojan. Each refers to the same piece of malware. ®