New Bagle "AI" Trojan/Downloader - MEDIUM RISK (Secunia)
This variant is a downloader trojan: it fetches and executes arbitrary files from a hardcoded list of 131 URLs embedded in its body. In the wild, other variants of this trojan have been observed downloading Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable, mass-mailed on a large scale by what appears to be Win32.Bagle.AI.
The infection vector is an e-mail message spammed to a large number of recipients. The e-mail carries an archive named FOTO.ZIP, which contains an HTML file and an executable named FOTO.EXE. The executable is a dropper: it drops and activates a DLL component that terminates processes belonging to the update components of several anti-virus programs, then attempts to connect to a number of web sites and download a file from them. The URLs are hardcoded in the program's body.
EMAIL MESSAGE FORMAT
Attachment: foto.zip or foto1.zip (containing foto.html and foto1.exe)
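The two traits described above, an archive attachment pairing an HTML file with an executable and a dropper whose download URLs are stored as plain strings in the binary, are the ones a mail-gateway or triage script can check for without running the sample. The following Python is an added example written for this page, not code from Secunia or from the malware analysis it summarises. The ZIP archive and the fake executable body it inspects are constructed inline (the URLs, host names and member names are invented placeholders, not indicators from the real sample), and the 131-URL list of the actual trojan is not reproduced.

```python
from __future__ import annotations

import io
import re
import zipfile

# Constructed stand-in for a dropper body: an "MZ" header followed by a few
# NUL-terminated strings, two of which are download URLs. Placeholder data only.
FAKE_EXE = (
    b"MZ" + b"\x00" * 62
    + b"http://example.invalid/a/foto.exe\x00"
    + b"not a url\x00"
    + b"http://203.0.113.10/dir/loader.exe\x00"
    + b"http://example.invalid/a/foto.exe\x00"  # duplicate, must be reported once
)

# Matches http(s) URLs made of printable ASCII; a NUL or other control byte ends the match,
# which is how hardcoded C strings in a binary are delimited.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")

# Extensions that Windows will execute directly when the user double-clicks them.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def extract_urls(data: bytes) -> list[str]:
    """Return the unique http(s) URLs embedded in a binary, in order of first appearance."""
    found: list[str] = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        if url not in found:
            found.append(url)
    return found


def build_attachment(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive from {name: content}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_attachment(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment without extracting it to disk.

    Reports every executable member (with its size and embedded URLs), whether an
    HTML file travels alongside it, and a single suspicious flag that is raised
    whenever the archive carries anything Windows would run directly.
    """
    result = {"executables": {}, "has_html": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit(".", 1)
            ext = "." + parts[1] if len(parts) == 2 else ""
            if ext in {".htm", ".html"}:
                result["has_html"] = True
            elif ext in EXECUTABLE_EXT:
                body = zf.read(name)
                result["executables"][name] = {
                    "size": info.file_size,
                    "urls": extract_urls(body),
                }
    result["suspicious"] = bool(result["executables"])
    return result


if __name__ == "__main__":
    sample = build_attachment({"foto.html": b"<html></html>", "foto1.exe": FAKE_EXE})
    print(triage_attachment(sample))
```

The size field is recorded rather than compared against the 12,800 bytes quoted above, because a byte-length match is a weak indicator on its own; the useful signals are the executable inside a mailed archive and the list of hardcoded download locations, which can be fed to a blocklist or looked up in proxy logs.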