W32/Bagle.x!proxy

Discussion in 'malware problems & news' started by Marianna, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Date Discovered: 4/8/2004
    Date Added: 4/7/2004
    Origin: Unknown
    Length: 7,824 bytes (FSG packed)
    Type: Trojan
    SubType: Win32

    Virus Characteristics

    This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy ).

    When run on the victim machine, it installs itself as WINDOW.EXE in the Windows system directory:

    %SysDir%\WINDOW.EXE
    The following Registry key is added to hook system startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "window.exe" = %SysDir%\WINDOW.EXE
    A HTTP request is sent to one of a few servers to notify the hacker of its installation. The port number and id number are passed to a remote script. Users should block HTTP access to the following domains:

    http://(remove this)bohema.amillo.net
    http://(remove this)abc517.net
    http://(remove this)www.abc986.net
    A port is opened on the victim machine, and the malware serves as a mail relay.

    Various data (port, id, and process id number) is stored within the following Registry key, which is added:

    HKEY_CURRENT_USER\Software\Timeout
    This variant does not terminate the processes related to security products on the victim machine.



    Indications of Infection

    Unexpected port (TCP) open on the victim machine (eg. 14247)
    Existence of the files and Registry keys detailed above


    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101166
     
Loading...
Thread Status:
Not open for further replies.