RE: Hi (fwd)

From: Matthew Sullivan []
It's another varient of Bagle...

My analysis of it is at:
- since then Symantec has release it's more detailed explaination
under the headings for Bagle.r and Bagle.s

This variant tries to exploit the object data vulnerability in IE that
has long since been patched. You can also protect against this
vulnerability, and any possible future variants, by locking down the My
Computer zone. I detailed this in

Those steps are also implemented as one of many fixes in Qwik-Fix ( ).

The worm is dead now but managed to spread quite a bit before AV vendors
had updated signatures. We have to start migrating away from reactive
security and focus more on proactive security solutions. The Bizex worm
was a good example of this, infecting 50.000 machines in 3 hours and
disabling itself before any AV vendors had signatures for it.


Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of