From: Matthew Sullivan [mailto:matthew@sorbs.net] It's another varient of Bagle...

My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt - since then Symantec has release it's more detailed explaination under the headings for Bagle.r and Bagle.s

This variant tries to exploit the object data vulnerability in IE that has long since been patched. You can also protect against this vulnerability, and any possible future variants, by locking down the My Computer zone. I detailed this in http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/2 Those steps are also implemented as one of many fixes in Qwik-Fix ( www.qwik-fix.net ). The worm is dead now but managed to spread quite a bit before AV vendors had updated signatures. We have to start migrating away from reactive security and focus more on proactive security solutions. The Bizex worm was a good example of this, infecting 50.000 machines in 3 hours and disabling itself before any AV vendors had signatures for it. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor@pivx.com Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>