Moves like a file cracker, stings like a … Bagle?

Today we received a sample with the filename “open me.exe”. As much as I wanted to resist, I was persuaded to execute it (on our re-imageable machines, of course). The sample has an innocuous-looking icon:


It pretends to be a file-cracking utility, a class of tool whose use can itself be illegal:


If a file is selected for “cracking”, a rather uninspired bogus error message is displayed:


In reality the file’s main functionality is to stay resident in the background, silently download further components belonging to the Bagle family of worms, and terminate a handful of anti-virus and security processes along the way. Nothing new here.

The Trojan sample, Themida-packed and quite large, is detected as Troj/BagleDl-CX.
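A packed executable like this one gives away its packing before it is ever run: compressed or encrypted section contents have near-maximal byte entropy, while ordinary compiled code sits well below 8 bits per byte. The script below is an added example for this post, not code from the original analysis or from the sample; it knows nothing about the real file. It parses PE section headers by hand (no third-party module), computes Shannon entropy per section, and flags any section above a threshold of 7.0 bits/byte, which is an assumed cut-off, not a published one. The two PE images it inspects are constructed in memory purely as test input: one with a plain, repetitive code section and one whose code section is filled with pseudo-random bytes, the way a packer such as Themida leaves the original code.

```python
"""Static triage helper: flag a PE whose sections look packed.

Added example, not the post's own code. Everything here is constructed:
the PE images are built in memory with just enough header to be parsed,
and the entropy threshold is an assumption.
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # assumption: above this, data looks compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, characteristics, raw_bytes)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), characteristics, raw))
    return sections


def triage(pe: bytes):
    """Return (looks_packed, findings): one finding per high-entropy section."""
    findings = []
    for name, chars, raw in parse_sections(pe):
        h = shannon_entropy(raw)
        if h > ENTROPY_THRESHOLD:
            note = " in executable section" if chars & IMAGE_SCN_MEM_EXECUTE else ""
            findings.append(f"{name}: entropy {h:.2f}{note}")
    return bool(findings), findings


def build_pe(sections):
    """Construct a minimal PE32 image from [(name, characteristics, data)].

    Constructed test input only: the headers parse, the file would not load.
    """
    opt_size = 224  # PE32 optional header size
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF  # first section on a 512-byte boundary
    first_ptr = raw_ptr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # Magic = PE32
    table, body = b"", b""
    for name, chars, data in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             raw_ptr, size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        raw_ptr += size
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(first_ptr, b"\0") + body


_rng = random.Random(1337)  # fixed seed so the constructed sample is reproducible
CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE

PLAIN_IMAGE = build_pe([
    (b".text", CODE, bytes(range(16)) * 256),        # repetitive "code", entropy 4.0
    (b".data", DATA, b"hello world\0" * 300),
])
PACKED_IMAGE = build_pe([
    (b".text", CODE, bytes(_rng.getrandbits(8) for _ in range(4096))),  # packer-like
    (b".data", DATA, b"hello world\0" * 300),
])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, triage(image))
```

On a real sample one would read the file from disk and pass its bytes to `triage`; high entropy in an executable section, together with a tiny import table, is the usual static hint that the code you are looking at is a packer stub rather than the Trojan's own logic, which is why dynamic analysis on a throwaway machine, as above, is the quickest way to see what it actually does.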