According to my Finnish friends, F-Secure, Bagle looks like it might be back in business. Not that it has ever really gone away of course, as it is one of the most prevalent of worm families.
F-Secure have noticed new activity during the last couple of days, which sees a number of old Bagle update URLs activated again. This time they are making a new executable available, which can be downloaded and executed by those machines already infected by previous variant. Of course, one thing never really changes and that is the payload, so expect to see spams containing infected attachments, this time with filenames that refer to price lists as an inducement to open them. Handily, the spam also comes complete with an image that illustrates the password required to decode the attached Zip archives.
What has changed is that Bagle.GO, as F-Secure has christened it, will use an SSDT rootkit in order to hide the fact that it has installed upon an infected system. As well as ensuring your AV system is up to date with signature files, you might want to keep an eye on firewall logs for any access to either www.bronko-m.ru or bpsbillboards.com which are used by Bagle.GO
The worrying thing is that given the number of unpatched systems out there, and given the number of Bagel variants, and given the number of machines therefore infected with it the coming of another Bagel driven spam wave is, well, a given…