Discussion in 'malware problems & news' started by Marianna, Apr 7, 2004.

Thread Status:
Not open for further replies.
    Date Discovered: 4/8/2004
    Date Added: 4/7/2004
    Origin: Unknown
    Length: 7,824 bytes (FSG packed)
    Type: Trojan
    SubType: Win32

    Virus Characteristics

    This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy ).

    When run on the victim machine, it installs itself as WINDOW.EXE in the Windows system directory:

    The following Registry key is added to hook system startup:

    \Run "window.exe" = %SysDir%\WINDOW.EXE

    An HTTP request is sent to one of a few servers to notify the hacker of its installation. The port number and id number are passed to a remote script. Users should block HTTP access to the following domains:

    http://(remove this)bohema.amillo.net
    http://(remove this)abc517.net
    http://(remove this)www.abc986.net

    A port is opened on the victim machine, and the malware serves as a mail relay.

    Various data (port, id, and process id number) is stored within the following Registry key, which is added:

    This variant does not terminate the processes related to security products on the victim machine.

    Indications of Infection

    Unexpected port (TCP) open on the victim machine (e.g. 14247)
    Existence of the files and Registry keys detailed above
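As an added, defender-side example (not part of Marianna's post or the McAfee write-up she quotes), the following Python turns the three indicators above into checks a responder can run offline: Run-key values that launch window.exe from the system directory, proxy-log requests to the notification domains, and TCP listeners absent from a known-good baseline. The log layout ("timestamp client method url status"), the query parameters in the sample URLs and the C:\WINDOWS\system32 path are assumptions, and all sample data is constructed.

```python
"""Triage helpers for the Bagle proxy-trojan indicators in the write-up.
All sample inputs are constructed for illustration, not captured data."""
from urllib.parse import urlsplit
import ntpath

# Notification hosts quoted in the write-up, with the "(remove this)" defang removed.
BEACON_DOMAINS = ("bohema.amillo.net", "abc517.net", "www.abc986.net")
DROPPED_FILE = "window.exe"  # installed into the system directory

def host_matches(host, domains=BEACON_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def find_beacon_requests(log_lines):
    """Return (client, url) pairs for requests whose destination host is a
    notification server. Assumed layout: 'ts client method url status'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the sweep
        client, url = parts[1], parts[3]
        if host_matches(urlsplit(url).hostname or ""):
            hits.append((client, url))
    return hits

def find_run_key_hits(run_values, sysdir=r"C:\WINDOWS\system32"):
    """Flag Run-key values (name -> command data) that start window.exe from
    the system directory; handles quoted paths, arguments and %SysDir%."""
    hits = []
    for name, data in run_values.items():
        cmd = data.strip().replace("%SysDir%", sysdir)
        if not cmd:
            continue
        path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if (ntpath.basename(path).lower() == DROPPED_FILE
                and ntpath.dirname(path).lower() == sysdir.lower()):
            hits.append(name)
    return hits

def find_unexpected_listeners(listening_tcp, baseline_tcp):
    """TCP ports listening now that are not in the host's known-good set."""
    return sorted(set(listening_tcp) - set(baseline_tcp))

# Constructed sample data: one infected client (10.0.0.5) and one clean one.
SAMPLE_LOG = [
    "1081400001.123 10.0.0.5 GET http://bohema.amillo.net/notify?port=14247&id=1 200",
    "1081400002.456 10.0.0.7 GET http://www.example.com/index.html 200",
    "1081400003.789 10.0.0.5 GET http://www.abc986.net/notify?port=14247&id=1 404",
]
SAMPLE_RUN = {"window.exe": r"%SysDir%\WINDOW.EXE",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
```

Feed it exported Run-key values, proxy log lines and the output of a listener enumeration (netstat or equivalent) to produce a per-host list of matches.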
