W32/Bagle.x!proxy

Date Discovered: 4/8/2004
Date Added: 4/7/2004
Origin: Unknown
Length: 7,824 bytes (FSG packed)
Type: Trojan
SubType: Win32

Virus Characteristics

This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy ).

When run on the victim machine, it installs itself as WINDOW.EXE in the Windows system directory:

%SysDir%\WINDOW.EXE
The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "window.exe" = %SysDir%\WINDOW.EXE
A HTTP request is sent to one of a few servers to notify the hacker of its installation. The port number and id number are passed to a remote script. Users should block HTTP access to the following domains:

http://(remove this)bohema.amillo.net
http://(remove this)abc517.net
http://(remove this)www.abc986.net
A port is opened on the victim machine, and the malware serves as a mail relay.

Various data (port, id, and process id number) is stored within the following Registry key, which is added:

HKEY_CURRENT_USER\Software\Timeout
This variant does not terminate the processes related to security products on the victim machine.



Indications of Infection

Unexpected port (TCP) open on the victim machine (eg. 14247)
Existence of the files and Registry keys detailed above


http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101166