F-Secure Virus Descriptions : Bagle.AK

NAME: Bagle.AK
ALIAS: W32/Bagle.AK.dropper, W32/Bagle.AK.downloader, W32/Bagle.dll.dr
ALIAS: TrojanDropper.Win32.Small.kv, W32/Mitglieder.AA

Update on September 1st, 2004

We decided to rename the malware originally detected as 'Bagle.AK' to 'Glieder.H'. For the Glieder.H description, please see the following link:

http://www.f-secure.com/v-descs/gliederh.shtml

Summary

We received samples of this new Bagle variant late on August 31st, 2004. The origin was an e-mail message that was spammed to numerous recipients. The e-mail carries an archive named FOTO.ZIP. Inside it are an HTML file and an EXE file named FOTO1.EXE. This EXE file is a dropper: it drops and activates a DLL component that terminates processes belonging to the update components of several anti-virus programs, and then tries to connect to several websites and download a file from them. The URLs are hardcoded in the program's body.
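The delivery pattern described above (a ZIP attachment carrying an HTML file next to an executable named FOTO1.EXE) can be checked at a mail gateway before the archive ever reaches a user. The following is an added example written for this page, not F-Secure's code or part of the original writeup. It inspects a ZIP attachment held in memory, flags executables both by suffix and by the MZ header (so a renamed executable does not slip past a suffix-only check), and returns a verdict. The suffix list, the verdict names and the `build_sample_zip` helper are assumptions made for the demonstration; the sample archive it builds contains placeholder bytes only.

```python
"""Added example: gateway-side inspection of a ZIP attachment for the
Bagle.AK delivery pattern (HTML file plus FOTO1.EXE inside FOTO.ZIP).
Not F-Secure's code; suffix list and verdict names are assumptions."""
import io
import zipfile

# Assumption: suffixes Windows will execute directly from an extracted archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".dll")
# Dropper name taken from the description; further names would be added per writeup.
KNOWN_DROPPER_NAMES = {"foto1.exe"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a finding for the raw bytes of a ZIP e-mail attachment.

    Verdicts (assumed policy): 'block' for a known dropper name or the
    HTML-plus-executable combination, 'quarantine' for any other executable,
    'allow' otherwise.
    """
    executables, html_files, known = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            # Read only the first two bytes: a PE/MZ header marks an executable
            # regardless of what suffix the sender gave the entry.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if base.endswith(EXECUTABLE_SUFFIXES) or magic == b"MZ":
                executables.append(name)
            if base.endswith((".htm", ".html")):
                html_files.append(name)
            if base in KNOWN_DROPPER_NAMES:
                known.append(name)

    if known or (executables and html_files):
        verdict = "block"
    elif executables:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "executables": executables,
        "html": html_files,
        "known_names": known,
    }


def build_sample_zip(entries: dict) -> bytes:
    """Build a constructed in-memory ZIP from {entry name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the FOTO.ZIP layout; the EXE body is a
    # placeholder MZ header followed by filler, not malware.
    sample = build_sample_zip({
        "foto.html": b"<html><body>placeholder</body></html>",
        "FOTO1.EXE": b"MZ" + b"\x00" * 62,
    })
    print(inspect_zip_attachment(sample))
```

Because the executable test reads only the first two bytes of each entry, the check stays cheap even on large archives, and the MZ test is what catches the case where the attacker renames the dropper to a harmless-looking suffix; the suffix test in turn catches an executable whose header was deliberately mangled to defeat a magic-bytes check.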

Detection

F-Secure Anti-Virus detects Glieder.H (former Bagle.AK) starting from the following update:

[FSAV_Database_Version]

Version=2004-08-31_03

Writeup: Alexey Podrezov, August 31st, 2004;

Description Updated: Alexey Podrezov, September 1st, 2004;

F-Secure Corporation