7 September 2004

Security advisory

Last week, a new variant of the Bagle family, Bagle.AK, was detected.

This variant did not replicate itself in the usual way; instead it tried to download a file (b.jpg) from a series of 131 URLs and then execute it. (Despite the extension, b.jpg is in fact an executable.)

At the time of discovery, none of the 131 URLs (they are hardcoded inside the body of the virus) was active or hosted b.jpg. Late last week, the first URL in the list actually served a copy of b.jpg. After close examination, the code does not appear to be a replicator at all.

Once executed, b.jpg harvests all e-mail addresses on the system and uploads them to a website. So far the PHP script on that site meant to receive the addresses is not present, so whatever happens thereafter is unknown.
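The advisory's key detection clue is that b.jpg is a Windows executable wearing an image extension. The following content-sniffing check, an added example that is not part of the original advisory, flags files whose extension claims JPEG but whose bytes carry an MZ/PE header; the sample bytes are constructed here and are not taken from the real b.jpg.

```python
import struct

# A disguised Windows executable starts with "MZ" and has a "PE\0\0"
# signature at the offset stored in the DOS header field e_lfanew
# (bytes 0x3C-0x3F); a genuine JPEG starts with FF D8 FF.
def sniff_type(data: bytes) -> str:
    """Classify a file by its content, ignoring its name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "dos-mz"  # MZ stub without a PE header
    return "unknown"

# Extensions and the content type each one is expected to carry.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg"}

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type but the bytes say another."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXPECTED.get(ext)
    return claimed is not None and sniff_type(data) != claimed

def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ header whose e_lfanew points at a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed inputs: a disguised executable named like the advisory's
# payload, and a file with a genuine JPEG header.
SAMPLES = {
    "b.jpg": build_fake_pe(),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

def suspicious_files(samples=SAMPLES):
    """Names of files whose content does not match their extension."""
    return [name for name, data in samples.items() if extension_mismatch(name, data)]

if __name__ == "__main__":
    print(suspicious_files())  # ['b.jpg']
```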

One reason for harvesting these e-mail addresses can be found in the ongoing rumour that some viruses have been written at the request of major spammers in order to obtain large quantities of valid e-mail addresses, and these rumours gain more supporting evidence all the time.

Righard J. Zwienenberg