Win32/Bagle.Downloader.Trojan

Discussion in 'malware problems & news' started by ronjor, Aug 31, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,797
    Location:
    Texas
    Aliases: Bagle.AK, Download.Ject.D, JScript/IE.VM.Exploit, Troj/BagleDl-A, W32/Bagle.AK.downloader, W32/Bagle.AK.dropper, Win32/Bagle.Downloader.Trojan, WORM_BAGLE.AI
    Virus Alerts: Secunia issued a MEDIUM RISK alert for this virus.
    2004-09-01 02:40

    The e-mail contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs and then tries to connect to several websites. The URLs are hardcoded in the program's body.

    Secunia
     
  2. FanJ

    FanJ Guest

    TrendMicro:

    As of August 31, 2004, 2:50 PM (GMT -07:00, Daylight Savings Time) PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AI. TrendLabs has received several infection reports indicating that this malware is spreading in Brazil, US, and Canada.

    This mass-mailing worm is executed by HTML_BAGLE.AI, and is packaged as a .ZIP compressed file. Upon execution, it drops a copy of itself as DORIOT.EXE in the Windows system folder. It creates registry entries to ensure its automatic execution at every Windows startup.

    This worm attempts to download and execute its malware components from certain URLs. It also kills certain processes that are mostly related to antivirus programs.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Read more:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AI
     
  3. FanJ

    FanJ Guest

  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend NewsLetter: WORM_BAGLE.AI

    WORM_BAGLE.AI usually arrives via email packaged as a .ZIP compressed file. Similar to WORM_BAGLE.AC, this worm does not directly send itself via email to target recipients as an email attachment. It has an HTML script component that executes it, and a Trojan component that downloads it as a .JPG file from certain sites. The downloaded files are then saved as _re_file.exe in the Windows folder. As of this writing, however, the download sites are either down or non-existent. This worm also terminates certain antivirus processes. On Windows 2000, XP and 2003, it stops and disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service. This BAGLE variant is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, it drops a copy of itself as DORIOT.EXE in the Windows system folder, and also drops a Trojan downloader component GDQFW.EXE in the same folder. To allow it to automatically execute at every Windows startup, this worm creates two autorun registry entries.

    This worm has a Trojan downloader component that downloads approximately 131 files and saves them as _re_file.exe in the Windows folder. The Trojan downloader component also creates a thread that terminates several processes every second. These processes it terminates are mostly associated with antivirus applications.

    If you would like to scan your computer for WORM_BAGLE.AI or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_BAGLE.AI is detected and cleaned by Trend Micro pattern file 2.169.02 and above.
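
A defender-side triage check, added here and not taken from the thread or from the Secunia or Trend Micro write-ups: it parses a `reg export` dump of the Run keys and flags autorun entries that launch any of the file names the posts above say the worm drops (DORIOT.EXE, GDQFW.EXE, _re_file.exe). The .reg text and the `sample_entry_*` value names in it are constructed sample data, not values observed in the wild.

```python
import re

# Dropped file names given in the thread; an autorun entry launching one of
# them is the persistence mechanism the write-ups describe.
BAGLE_AI_FILES = {"doriot.exe", "gdqfw.exe", "_re_file.exe"}

# Constructed sample of `reg export` output; the sample_entry_* names are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sample_entry_a"="C:\\WINDOWS\\system32\\doriot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sample_entry_b"="\"C:\\Program Files\\Tool\\tool.exe\" -quiet"
"sample_entry_c"="\"C:\\WINDOWS\\system32\\gdqfw.exe\" /s"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="REG_SZ"

def executable_from_command(command):
    """Lower-cased file name of the program a Run value launches: a quoted
    path may contain spaces, an unquoted one ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for each string value under a Run key,
    undoing the .reg escaping of backslashes and quotes."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1)
        elif (m := _VALUE_RE.match(line)) and key and key.lower().endswith("\\run"):
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, command

def find_bagle_autoruns(reg_text, suspect=BAGLE_AI_FILES):
    """Return (key, value_name, executable) for autorun entries launching a suspect file."""
    return [(key, name, exe) for key, name, cmd in parse_run_entries(reg_text)
            if (exe := executable_from_command(cmd)) in suspect]
```

Run `find_bagle_autoruns` over the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent) taken from a suspect machine; the two constructed entries above resolve to `doriot.exe` and `gdqfw.exe` while the ctfmon and tool entries pass.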
     