New Trojan BagleDl-A (are we protected?)

Discussion in 'ESET NOD32 v3 Beta Forum' started by martindijk, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi gents,

    Here some more info:

    Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download and execute a file named b.jpg from 131 separate websites.
    The Trojan arrives as a ZIP file attached to an email. The ZIP file contains two files: foto.html or foto.htm and foto\foto1.exe or 1\calc.exe.
    If the user opens the HTML document it will in turn run the executable.
    The executable (foto1.exe or calc.exe) copies itself to the Windows system folder as doriot.exe and creates a file named gdqfw.exe, also in the Windows system folder.
    Doriot.exe injects gdqfw.exe into the process space of explorer.exe. Gdqfw.exe then attempts to download b.jpg from 131 separate websites. If the download is successful the downloaded file is written to _re_file.exe or file.exe in the Windows folder and executed. The Trojan repeats the download attempt every 6 hours. At the time of writing the file was not available for download from any of the sites used by the Trojan.
    Doriot.exe adds the following registry entries:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    wersds.exe
    <Windows system folder>\doriot.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    wersds.exe
    <Windows system folder>\doriot.exe

    Gdqfw.exe terminates the following processes:
    ATUPDATER.EXE
    AUPDATE.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    FIREWALL.EXE
    ATUPDATER.EXE
    LUALL.EXE
    DRWEBUPW.EXE
    AUTODOWN.EXE
    NUPGRADE.EXE
    OUTPOST.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    ESCANH95.EXE
    AVXQUAR.EXE
    ESCANHNT.EXE
    UPGRADER.EXE
    AVXQUAR.EXE
    AVWUPD32.EXE
    AVPUPD.EXE
    CFIAUDIT.EXE
    UPDATE.EXE
    NUPGRADE.EXE
    MCUPDATE.EXE


    Are we protected yet?? :rolleyes:

    rgds,
    Martin
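    The indicators in the write-up above (the wersds.exe values under both Run keys, the dropped doriot.exe and gdqfw.exe, the _re_file.exe / file.exe payload name and the list of terminated processes) can be checked offline against a registry export and a file listing. The Python below is an added example, not code from the original post, from Sophos or from ESET: the .reg text, the file listing and the process list are constructed for the example, and the function names are the example's own.

```python
"""Offline indicator check for the Troj/BagleDl-A description quoted above.

Added example (not from the post, Sophos or ESET). Works on a Windows .reg
export of the two Run keys plus a file listing and a process list, all
constructed inline below. Names and sample data are assumptions.
"""

# Indicators taken from the description in the post (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAME = "wersds.exe"                   # value name under both Run keys
DROPPED_FILES = {"doriot.exe", "gdqfw.exe"}     # written to the Windows system folder
PAYLOAD_FILES = {"_re_file.exe", "file.exe"}    # downloaded b.jpg is saved under these names
KILL_LIST = {                                   # processes gdqfw.exe terminates
    "atupdater.exe", "aupdate.exe", "autotrace.exe", "autoupdate.exe",
    "firewall.exe", "luall.exe", "drwebupw.exe", "autodown.exe", "nupgrade.exe",
    "outpost.exe", "icssuppnt.exe", "icsupp95.exe", "escanh95.exe", "avxquar.exe",
    "escanhnt.exe", "upgrader.exe", "avwupd32.exe", "avpupd.exe", "cfiaudit.exe",
    "update.exe", "mcupdate.exe",
}


def _unescape(data):
    """Undo .reg escaping of REG_SZ data (backslash escapes the next character)."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (quoted string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name.strip().strip('"')] = data
    return keys


def check_run_keys(reg):
    """Run entries named wersds.exe or pointing at a dropped file: (key, name, data)."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or _basename(data) in DROPPED_FILES:
                hits.append((key, name, data))
    return hits


def check_files(paths):
    """Listed paths whose file name is a dropped or payload name from the post."""
    return [p for p in paths if _basename(p) in DROPPED_FILES | PAYLOAD_FILES]


def targeted_tools(process_names):
    """Running processes that gdqfw.exe would terminate (your updaters and firewalls)."""
    return sorted({p.lower() for p in process_names} & KILL_LIST)


def scan(reg_text, file_paths, process_names):
    """Summarise all three checks. 'infected' needs a Run hit or a dropped file, since
    file.exe on its own is too generic a name to act on."""
    run_hits = check_run_keys(parse_reg_export(reg_text))
    file_hits = check_files(file_paths)
    dropped = [p for p in file_hits if _basename(p) in DROPPED_FILES]
    return {
        "run_hits": run_hits,
        "file_hits": file_hits,
        "tools_on_kill_list": targeted_tools(process_names),
        "infected": bool(run_hits) or bool(dropped),
    }


# Constructed sample data for the example (not real exports).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"wersds.exe"="C:\\WINDOWS\\system32\\doriot.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wersds.exe"="C:\\WINDOWS\\system32\\doriot.exe"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\doriot.exe",
    r"C:\WINDOWS\system32\gdqfw.exe",
    r"C:\WINDOWS\_re_file.exe",
]
SAMPLE_PROCESSES = ["explorer.exe", "luall.exe", "outpost.exe", "svchost.exe"]

if __name__ == "__main__":
    for k, v in scan(SAMPLE_REG, SAMPLE_FILES, SAMPLE_PROCESSES).items():
        print(f"{k}: {v}")
```

    On a real machine the .reg text comes from `reg export` of the two Run keys, the listing from a directory walk of the Windows and system folders, and the process list from the task list; gdqfw.exe itself will not show up as a process because the post says it runs inside explorer.exe, which is why the check looks at the Run values and the dropped files instead.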
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Depends on what name Eset uses, but I would say yes. Three updates in less than twenty-four hours.

    NOD32 - v.1.856 (20040901)
    Virus signature database updates:
    Win32/Bugbear.J, Win32/StartPage.NK, Win32/TrojanDownloader.Agent.CO

    NOD32 - v.1.855 (20040901)
    Virus signature database updates:
    HTML/Exploit.Mht, Win32/Dialer.RAS.D, Win32/Dialer.RAS.G, Win32/Rbot.XD, Win32/Small.AF, Win32/TrojanDownloader.Agent.CJ2, Win32/TrojanDownloader.Small.UL, Win32/TrojanDropper.Small.NAQ

    NOD32 - v.1.854 (20040901)
    Virus signature database updates:
    IRC/SdBot.BWS, IRC/SdBot.BWT, IRC/SdBot.BWU, IRC/SdBot.BWV, IRC/SdBot.BWW, IRC/SdBot.BWX, IRC/SdBot.BWY, IRC/SdBot.BWZ, IRC/SdBot.BXA, IRC/SdBot.BXB, IRC/SdBot.BXC, IRC/SdBot.BXD, IRC/SdBot.BXE, IRC/SdBot.BXF, Win32/Agent.NAB, Win32/Banito.L, Win32/Brabot.B, Win32/Dialer.EF, Win32/Prorat.19, Win32/PSW.Legendmir.TU, Win32/PSW.QQShou.G, Win32/Rbot.WW, Win32/Rbot.WZ, Win32/Rbot.XA, Win32/Rbot.XB, Win32/Rbot.XC, Win32/Spy.Banker.CN, Win32/Spy.Banker.CV, Win32/Spy.Banker.NAO, Win32/Spy.Banker.NAP, Win32/TrojanDownloader.Agent.CJ1, Win32/TrojanDownloader.PurityScan.J, Win32/TrojanDownloader.Small.TA, Win32/TrojanDownloader.Small.UG, Win32/TrojanDropper.Small.KV, Win32/TrojanDropper.Small.NAP, Win32/VB.HP
     
  3. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi Ron,

    Yes, I know, but it would be nice to handle the same or a somewhat recognisable name to know that we are protected.

    cheers,
    Martin
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  5. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    I get the picture Ron.

    thanks,
    Martin
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Martin,

    Didn't mean to offend you. You probably knew all this already.

    Maybe others didn't.

    It would be nice if they could get the naming down to eliminate us wondering every time there is an outbreak.

    Ron :)
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I believe 1857 has it covered.
    NOD32 - v.1.857 (20040901)
    Virus signature database updates:
    Win32/Agobot.NNM, Win32/Bagle.AJ.spm, Win32/Delf.NAM, Win32/Delf.QK, Win32/Protoride.Z, Win32/PSW.Legendmir.NBG, Win32/Rbot.XE, Win32/Rbot.XF, Win32/Rbot.XG, Win32/Rbot.XH, Win32/Rbot.XI, Win32/Rbot.XJ, Win32/Rbot.XK, Win32/TrojanDropper.Delf.EH, Win32/VB.KC, Win32/VB.NAC
     
  8. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Well, at least it has got the word "bagle" in it :D

    cheers,
    Martin
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It seems NOD is a day behind $ymantec and Panda on this one.
     
  11. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  12. Shaman

    Shaman Guest

    Actually, NOD is far before any other antivirus. Check nod homepage for the Bagle type infection: with advanced heuristic, nod detects it WITHOUT the need of definition update. That's the power of nod! All other AV have far less good heuristic scanning.

    Then with nod you're really better protected.

    Period.
     
  14. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    We are protected, NOD32 detects foto1.exe as Win32/TrojanDropper.Small.KV.
     
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Don't run untrustworthy stuff that arrives via email.

    There, you're protected. :)
     