Win32/Bagle.Downloader.Trojan

TrendMicro :

As of August 31, 2004, 2:50 PM (GMT -07:00, Daylight Savings Time) PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AI. TrendLabs has received several infection reports indicating that this malware is spreading in Brazil, US, and Canada.

This mass-mailing worm is executed by HTML_BAGLE.AI, and is packaged as a .ZIP compressed file. Upon execution, it drops a copy of itself as DORIOT.EXE in the Windows system folder. It creates registry entries to ensure its automatic execution at every Windows startup.

This worm attempts to download and execute its malware components from certain URLs. It also kills certain processes that are mostly related to antivirus programs.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Read more:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AI

 

Sophos :

http://www.sophos.com/virusinfo/analyses/trojbagledla.html

 

Trend NewsLetter: WORM_BAGLE.AI

WORM_BAGLE.AI usually arrives via email packaged as a .ZIP compressed file. Similar to WORM_BAGLE.AC, this worm does not directly send itself via email to target recipients as an email attachment. It has an HTML script component that executes it, and a Trojan component that downloads it as a .JPG file from certain sites. The downloaded files are then saved as _re_file.exe in the Windows folder. As of this writing, however, the download sites are either down or non-existent. This worm also terminates certain antivirus processes. On Windows 2000, XP and 2003, it stops and disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service. This BAGLE variant is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops a copy of itself as DORIOT.EXE in the Windows system folder, and also drops a Trojan downloader component GDQFW.EXE in the same folder. To allow it to automaticly execute at every Windows startup, this worm creates two autorun registry entries.

This worm has a Trojan downloader component that downloads approximately 131 files and saves them as _re_file.exe in the Windows folder. The Trojan downloader component also creates a thread that terminates several processes every second. These processes it terminates are mostly associated with antivirus applications.

If you would like to scan your computer for WORM_BAGLE.AI or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_BAGLE.AI is detected and cleaned by Trend Micro pattern file 2.169.02 and above.