Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us

    Today, our honeypot intercepted a bagle sample to be detected as WORM_BAGLE.IN. As with the previous bagle variants, the new sample have several download URLs seen from its code and are already being monitored.

    Yeah, same old bagle but something is unusual with the executable file. Using a tool called “hiew”, we can investigate the properties of the file. As seen in the following image the file is packed.

    The tool said it has an “Entry Point” of 0×00000000; also another tool called PeiD flagged the file as a DLL (0 entry point).



    However, the sample does execute whilst having a 0-entry point. After further investigation, the sample has an entry point found at the “MZ” header shown in the following image.

    As we can see, there is a “push 00042a0a9″ then followed by a “retn” instruction. The address, 00042a0a9, is the actual code entry point of the sample. So using OllyDbg, we can load the file and go to the entry point.

    Oh, before I forget, here’s a snapshot of the email sample.

    Sample properties:

    MD5 :6ACFAFCE6ED1CF956CEC6AB1E5265D0E
    File Size:40,961 bytes





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice