Moves like a file cracker, stings like a … Bagle?
Today we received a sample with filename “open me.exe”. As much as I wanted to resist, I was persuaded to execute it (on our re-imageable machines, of course). The sample has an innocuous-looking icon:
It pretends to be a file-cracking utility, which in itself could be illegal:
If a file is chosen to be “cracked”, a rather uninspiring bogus error message is displayed:
In reality the file’s main functionality is to run in the background and silently download files related to the Bagle family of worms, terminating a few anti-virus and security processes here and there. Nothing new here.
The Trojan sample, Themida-packed and quite large, is detected as Troj/BagleDl-CX.
Posted on September 2nd, 2007 by SKM, SophosLabs UK. Filed under: General