New Trojan BagleDl-A (are we protected?)

Hi gents,

Here some more info:

Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download and execute a file named b.jpg from 131 separate websites.
The Trojan arrives as a ZIP file attached to an email. The ZIP file contains two files: foto.html or foto.htm and foto\foto1.exe or 1\calc.exe.
If the user opens the HTML document it will in turn run the executable.
The executable (foto1.exe or calc.exe) copies itself to the Windows system folder as doriot.exe and creates a file named gdqfw.exe, also in the Windows system folder.
Doriot.exe injects gdqfw.exe into the process space of explorer.exe. Gdqfw.exe then attempts to download b.jpg from 131 separate websites. If the download is successful the downloaded file is written to _re_file.exe or file.exe in the Windows folder and executed. The Trojan repeats the download attempt every 6 hours. At the time of writing the file was not available for download from any of the sites used by the Trojan.
Doriot.exe adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
wersds.exe
<Windows system folder>\doriot.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wersds.exe
<Windows system folder>\doriot.exe

Gdqfw.exe terminates the following processes: ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE


Are we protected yet??

rgds,
Martin

 

Hi Ron,

Yes, i know, but it would be nice to handle the same or somewhat recognisable name to know that we are protected.

cheers,
Martin

 

I get the picture Ron.

thanks,
Martin

 

I believe 1857 has it covered.
NOD32 - v.1.857 (20040901)
Virus signature database updates:
Win32/Agobot.NNM, Win32/Bagle.AJ.spm, Win32/Delf.NAM, Win32/Delf.QK, Win32/Protoride.Z, Win32/PSW.Legendmir.NBG, Win32/Rbot.XE, Win32/Rbot.XF, Win32/Rbot.XG, Win32/Rbot.XH, Win32/Rbot.XI, Win32/Rbot.XJ, Win32/Rbot.XK, Win32/TrojanDropper.Delf.EH, Win32/VB.KC, Win32/VB.NAC

 

Well, at least it has got the word "bagle" in it

cheers,
Martin

 

Symantec is calling it W32Beagle.AQ@mm the description sounds pretty similar to me at least.

http://www.sarc.com/avcenter/venc/data/w32.beagle.aq@mm.html

 

It seems NOD is a day behind $ymantec and Panda on this one.

 

Acutally it seems NOD was about ten hours behind most other AV makers, check this thread.

https://www.wilderssecurity.com/showthread.php?t=46410


NOD is behind Panda, Trend Micro, F-Secure, NAI( McAfee), Symantec and Sophos.

 

Actually, NOD is far before any other antivirus. Check nod homepage for the Bagle type infection : whith advanced heuristic, nod detect it WITHOUT the need of definition update. That's the poser of nod ! All other AV have far less good heuristic scanning.

The with nod you're really better protected.

Period.

 

Actually, NOD is far before any other antivirus. Check nod homepage for the Bagle type infection : whith advanced heuristic, nod detects it WITHOUT the need of definition update. That's the power of nod ! All other AV have far less good heuristic scanning.

Then with nod you're really better protected.

Period.

 

We are protected, NOD32 detect foto1.exe as Win32/TrojanDropper.Small.KV.

 

Don't run untrustworthy stuff that arrives via email.

There, you're protected.