F-Secure Virus Descriptions : Bagle.DC




NAME:Bagle.DC
ALIAS:Email-Worm.Win32.Bagle.dc, Fantibag

Summary

Bagle.DC is a trojan dropper. It appeared on September 19th, 2005, and is fetched from one of several websites by the Bagle-related downloaders that appeared the day before. The dropper drops a DLL file and injects it into the Windows Explorer process. The DLL is a filter that blocks access to certain websites.

Detailed Description

When the trojan dropper is run, it copies itself to the Windows folder as FIREWALL_ANTI.EXE. The trojan creates a startup key for itself in the Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "firewall_anti" = "%WinDir%\firewall_anti.exe"

where %WinDir% represents the Windows directory.

The trojan dropper extracts a DLL file from its body and writes it to the Windows folder as FIREWALL_ANTI.EXE.DLL. This DLL file is then injected into the Windows Explorer process.
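The following triage helper is an added example, not F-Secure's code. It checks a host for the two persistence indicators given above: the "firewall_anti" value under the HKLM Run key and the FIREWALL_ANTI.EXE / FIREWALL_ANTI.EXE.DLL files in the Windows folder. To run offline it parses a constructed .reg export string instead of the live registry and takes a file-existence predicate as a parameter; the sample export, the "ctfmon" entry in it and the C:\WINDOWS path are assumptions for illustration.

```python
"""Triage check for the Bagle.DC persistence indicators (added example)."""
import re
from typing import Callable, Dict, List

# Indicators taken from the write-up: value name under the Run key and the
# dropped file names (the dropper copies itself as FIREWALL_ANTI.EXE and
# writes FIREWALL_ANTI.EXE.DLL next to it).
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "firewall_anti"
DROPPED_FILES = ["firewall_anti.exe", "firewall_anti.exe.dll"]

# Constructed sample .reg export (not from the page): one benign entry plus the
# Bagle.DC entry exactly as the description gives it, with %WinDir% assumed to
# be C:\WINDOWS. Backslashes are doubled as regedit exports them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"firewall_anti"="C:\\WINDOWS\\firewall_anti.exe"
'''


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return name -> data for string values under the HKLM Run key in a .reg export."""
    wanted = {
        "hkey_local_machine\\" + RUN_KEY_PATH.lower(),
        "hklm\\" + RUN_KEY_PATH.lower(),
    }
    values: Dict[str, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: track whether we are inside the HKLM Run key.
            in_key = line.strip("[]").lower() in wanted
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # Undo the doubled backslashes of the export format.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def check_run_values(values: Dict[str, str]) -> List[str]:
    """Flag Run entries matching the Bagle.DC value name or executable name."""
    findings = []
    for name, data in values.items():
        exe = data.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or exe == DROPPED_FILES[0]:
            findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_dropped_files(windir: str, exists: Callable[[str], bool]) -> List[str]:
    """Report which of the dropped files are present under the Windows folder."""
    findings = []
    for fn in DROPPED_FILES:
        path = windir.rstrip("\\/") + "\\" + fn
        if exists(path):
            findings.append(f"dropped file present: {path}")
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed export; on a real host, read the
    # key with winreg and pass os.path.exists as the predicate instead.
    for f in check_run_values(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f)
```

Both checks are deliberately keyed on the indicators the description names; a finding from either one is enough to warrant looking at the Explorer process for the injected DLL.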

The dropped DLL file is a new variant of the malware we call 'Fantibag':

http://www.f-secure.com/v-descs/fantibag_b.shtml

This malware is a filter that blocks access to the following sites:

 www.pandasoftware.com
 pandasoftware.com
 clamav.net
 www.clamav.net
 www.bitdefender.com
 bitdefender.com
 ravantivirus.com
 www.ravantivirus.com
 drweb.ru
 www.drweb.com
 drweb.com
 antivir.de
 www.antivir.de
 216.200.68.152
 212.113.20.69
 63.210.193.12
 84.53.142.22
 84.53.142.6
 kaspersky.ru
 grisoft.com
 www3.ca.com
 www.viruslist.ru
 www.viruslist.com
 www.trendmicro.com
 www.symantec.com
 www.sophos.com
 www.networkassociates.com
 www.nai.com
 www.my-etrust.com
 www.mcafee.com
 www.kaspersky.ru
 www.kaspersky.com
 www.kaspersky-labs.com
 www.grisoft.com
 www.fastclick.net
 www.f-secure.com
 www.awaps.net
 www.avp.ru
 www.avp.com
 www.avp.ch
 windowsupdate.microsoft.com
 viruslist.ru
 viruslist.com
 vil.nai.com
 us.mcafee.com
 updates5.kaspersky-labs.com
 updates4.kaspersky-labs.com
 updates3.kaspersky-labs.com
 updates2.kaspersky-labs.com
 updates1.kaspersky-labs.com
 updates.symantec.com
 update.symantec.com
 trendmicro.com
 symantec.com
 support.microsoft.com
 spd.atdmt.com
 sophos.com
 service1.symantec.com
 securityresponse.symantec.com
 secure.nai.com
 rads.mcafee.com
 phx.corporate-ir.net
 office.microsoft.com
 networkassociates.com
 nai.com
 my-etrust.com
 msdn.microsoft.com
 media.fastclick.net
 mcafee.com
 mast.mcafee.com
 liveupdate.symantecliveupdate.com
 liveupdate.symantec.com
 kaspersky.com
 kaspersky-labs.com
 ids.kaspersky-labs.com
 go.microsoft.com
 ftp.sophos.com
 ftp.kasperskylab.ru
 ftp.f-secure.com
 ftp.downloads2.kaspersky-labs.com
 ftp.avp.ch
 fastclick.net
 f-secure.com
 engine.awaps.net
 downloads4.kaspersky-labs.com
 downloads3.kaspersky-labs.com
 downloads2.kaspersky-labs.com
 downloads1.kaspersky-labs.com
 downloads.microsoft.com
 downloads-us3.kaspersky-labs.com
 downloads-us2.kaspersky-labs.com
 downloads-us1.kaspersky-labs.com
 downloads-eu1.kaspersky-labs.com
 download.microsoft.com
 download.mcafee.com
 dispatch.mcafee.com
 customer.symantec.com
 clicks.atdmt.com
 click.atdmt.com
 www.ca.com
 ca.com
 banners.fastclick.net
 banner.fastclick.net
 awaps.net
 avp.ru
 avp.com
 avp.ch
 atdmt.com
 ar.atwola.com
 ads.fastclick.net
 ad.fastclick.net
 report.bitdefender.com
 upgrade.bitdefender.com
 ad.doubleclick.net




Detection

F-Secure Anti-Virus detects this malware starting from the following update:

[FSAV_Database_Version]

Version=2005-09-19_06



Writeup and Technical Details: Alexey Podrezov, September 20th, 2005

F-Secure Corporation