We’re seeing a lot of recent activity related to an (unconfirmed) version of the four-year-old Bagle virus. The impact is the blacklisting of IP subnets — and it’s unpleasant to say the least.
Essentially, users get infected with Bagle and it harvests their saved FTP client favorites, including site URLs, usernames and passwords. Spammers then run scripts that test the stolen FTP logins and drop files like:
ftpchk3.php
ftpchk3.pl
which test functionality on the target website (note the PHP and Perl variants). The bot then covers its tracks by deleting those files. Several days later, new files are uploaded to the site, which can include:
hot_video.exe
index1.php
index6.html
load.php
logs.txt
movie.gif
pindex.php
The file hot_video.exe contains the trojan horse Downloader.Tibs.9.V. As soon as the files listed above are uploaded to the site over FTP, spam starts going out that uses the host server’s domain name and links to the uploaded files.
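The whole sequence (probe upload, probe deletion, payload upload days later) is visible in the FTP server’s transfer log, so the quickest check is to grep that log for the filenames above and for ftpchk3.* files that appear and then vanish. The script below is an added example, not part of the original post, and it assumes a vsftpd-style log line layout; the log excerpt it scans is constructed, not a real capture, and the IPs and account names in it are made up.

```python
import re
from collections import namedtuple

# Filenames named in the post: the probe files dropped first, and the payload
# files that show up a few days later.
PROBE_FILES = {"ftpchk3.php", "ftpchk3.pl"}
PAYLOAD_FILES = {"hot_video.exe", "index1.php", "index6.html", "load.php",
                 "logs.txt", "movie.gif", "pindex.php"}

# Assumed vsftpd-style transfer log layout (adjust the pattern for your server):
#   Mon Mar  3 02:14:10 2008 [pid 4122] [acme] OK UPLOAD: Client "203.0.113.7", "/htdocs/x.php", 611 bytes, 12.34Kbyte/sec
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>UPLOAD|DELETE|LOGIN): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

Event = namedtuple("Event", "ts user status action ip path")

# Constructed sample log: one hijacked account ("acme") going through the
# probe / cleanup / payload sequence, plus a legitimate upload by "webmaster".
SAMPLE_LOG = """
Mon Mar  3 02:14:09 2008 [pid 4121] [acme] OK LOGIN: Client "203.0.113.7"
Mon Mar  3 02:14:10 2008 [pid 4122] [acme] OK UPLOAD: Client "203.0.113.7", "/htdocs/ftpchk3.php", 611 bytes, 12.34Kbyte/sec
Mon Mar  3 02:14:15 2008 [pid 4122] [acme] OK DELETE: Client "203.0.113.7", "/htdocs/ftpchk3.php"
Tue Mar  4 09:00:01 2008 [pid 4300] [webmaster] OK UPLOAD: Client "198.51.100.20", "/htdocs/index.html", 4096 bytes, 40.00Kbyte/sec
Thu Mar  6 23:41:52 2008 [pid 4811] [acme] OK UPLOAD: Client "203.0.113.9", "/htdocs/hot_video.exe", 33280 bytes, 55.10Kbyte/sec
Thu Mar  6 23:41:53 2008 [pid 4811] [acme] OK UPLOAD: Client "203.0.113.9", "/htdocs/pindex.php", 2210 bytes, 20.00Kbyte/sec
Thu Mar  6 23:41:54 2008 [pid 4811] [acme] FAIL UPLOAD: Client "203.0.113.9", "/htdocs/logs.txt", 0.00Kbyte/sec
"""


def parse_line(line):
    """Return an Event for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(m.group("ts"), m.group("user"), m.group("status"),
                 m.group("action"), m.group("ip"), m.group("path"))


def basename(path):
    return path.rsplit("/", 1)[-1]


def find_indicators(lines):
    """Scan log lines and return (kind, user, ip, path) alerts in log order.

    kinds: probe-upload   - an ftpchk3.* file was uploaded
           probe-cleanup  - that same probe file was later deleted by the same account
           payload-upload - one of the second-stage filenames was uploaded
    Only successful (OK) transfers count; failed attempts are ignored.
    """
    alerts = []
    probes_seen = set()          # (user, basename) of probe files uploaded so far
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.status != "OK" or ev.path is None:
            continue
        name = basename(ev.path)
        if ev.action == "UPLOAD" and name in PROBE_FILES:
            probes_seen.add((ev.user, name))
            alerts.append(("probe-upload", ev.user, ev.ip, ev.path))
        elif ev.action == "DELETE" and (ev.user, name) in probes_seen:
            alerts.append(("probe-cleanup", ev.user, ev.ip, ev.path))
        elif ev.action == "UPLOAD" and name in PAYLOAD_FILES:
            alerts.append(("payload-upload", ev.user, ev.ip, ev.path))
    return alerts


def compromised_accounts(alerts):
    """Accounts that triggered any alert; these need their passwords reset."""
    return sorted({user for _, user, _, _ in alerts})


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG.strip().splitlines())
    for kind, user, ip, path in found:
        print(f"{kind:15} user={user:<10} from={ip:<14} {path}")
    print("reset passwords for:", ", ".join(compromised_accounts(found)))
```

Run it against your real log (for example `find_indicators(open("/var/log/vsftpd.log").readlines())`) after fixing the regex for your server’s format. A probe-upload followed by a probe-cleanup with no payload yet means the credentials are already in the spammers’ hands and the account should be locked before the second stage arrives; a payload-upload means you should also pull the files from the web root and start watching outbound mail from that host.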
The end result is most likely the blacklisting of your entire IP range, not by the public RBLs, but by internal corporate mail filters. A serious pain in the ass, because unlike the RBLs there is no central place to check whether you are listed and then request delisting of your addresses.