F-Secure Trojan Information Pages : Bagle.GF

This Bagle-related malware was found on the 23rd of March 2006. It sets up a proxy service on the infected machine. Through the proxy, the Bagle authors can send spam or access other network resources.
System Installation
When the trojan file is run, it copies itself as:
%System%\wintems.exe
%System% represents the Windows System folder.
The trojan installs the following registry launchpoint as a string value:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "german.exe" = "%System%\wintems.exe"
The trojan uses a named mutex "555" for ensuring that only one copy of the trojan is run at the same time.
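The three installation indicators above (the dropped file, the Run value and the mutex) can be checked on a host with a short script. The following PowerShell is an added example written for this description, not tooling from F-Secure or from the write-up; it assumes %System% resolves to %SystemRoot%\System32 on the machine being checked, that the Run value is inspected for the current user only, and that the mutex was created in the session-local namespace (no "Global\" prefix), which is why it is opened without a prefix.

```powershell
# Added example: host check for the Bagle.GF installation indicators
# described in this write-up (file, HKCU Run value, mutex).
# Assumptions (not stated on the page): %System% = %SystemRoot%\System32,
# the mutex lives in the session-local namespace, and HKCU belongs to the
# user whose session this script runs in.

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'german.exe'
$dropPath  = Join-Path $env:SystemRoot 'System32\wintems.exe'   # %System%\wintems.exe
$mutexName = '555'

$findings = @()

# 1. Registry launchpoint: a string value named "german.exe" under the Run key.
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $runValue) {
    $findings += "Run value '$valueName' present, data: $($runValue.$valueName)"
}

# 2. Dropped file in the System folder.
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 3. Mutex "555": OpenExisting succeeds only while a process holds it,
#    so a hit here means the trojan is most likely running right now.
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings += "Mutex '$mutexName' exists (process likely running)"
}
catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present: nothing to report.
}
catch [System.UnauthorizedAccessException] {
    # Exists but created with an ACL we cannot open; still a finding.
    $findings += "Mutex '$mutexName' exists but access was denied"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bagle.GF installation indicators found.'
}
else {
    Write-Output 'Bagle.GF indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the affected user's session, since the Run value is under HKCU and a session-local mutex is not visible from another session. A positive on the mutex alone is weak evidence (the name "555" is short enough that other software could use it), so treat the file and Run value as the primary indicators and the mutex as confirmation that the process is live.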
Payload
The main payload of the trojan is a proxy service listening on a fixed port. The port, along with other information about the infected system, is periodically sent to the following list of web servers:
- http:// 8marta.ru/img/path/[removed]
- http:// asvt.ru/images/[removed]
- http:// avistrade.ru/prog/img/proizvod/[removed]
- http:// calimasurf.com/images/base/orig/[removed]
- http:// celebrationsinspain.com/images/[removed]
- http:// coral-adventures.com/images/[removed]
- http:// dearruthie.com/images/[removed]
- http:// dmax.ru/images/[removed]
- http:// efpa-eg.net/images/[removed]
- http:// ferrumcomp.ru/images/[removed]
- http:// financialbusiness.ca/images/[removed]
- http:// golden-ring.net/images/[removed]
- http:// goodbathscents.com/images/[removed]
- http:// jamminjo.com/images/[removed]
- http:// kmold.biz/images/[removed]
- http:// kokon.com/images/[removed]
- http:// komt.ru/images/[removed]
- http:// magian.ru/images/[removed]
- http:// merkur-akademie.de/images/[removed]
- http:// mir-vesov.ru/p/lang/CVS/[removed]
- http:// monomah-city.ru/vakans/[removed]
- http:// nakorable.ru/htdocs/img/[removed]
- http:// optimsasia.com/images/[removed]
- http:// pvcps.ru/images/[removed]
- http:// raz-naraz.wz.cz/html/fanklub/[removed]
- http:// redshop.ru/images/[removed]
- http:// roszvetmet.com/images/[removed]
- http:// schiffsparty.de/bilder/uploads/[removed]
- http:// sdom.ru/images/[removed]
- http:// service6.valuehost.ru/images/[removed]
- http:// spbso.ru/images/[removed]
- http:// stroyindustry.ru/service/construction/[removed]
- http:// vladzernoproduct.ru/control/sell/t/[removed]
- http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
- http:// www.deadlygames.de/DG/BF/BF-Links/clans/[removed]
- http:// www.emil-zittau.de/karten/[removed]
- http:// www.etype.hostingcity.net/mysql_admin_new/images/[removed]
- http:// www.levada.ru/htmlarea/images/[removed]
- http:// www.mirage.ru/sport/omega/pic/omega/[removed]
- http:// www.ordendeslichts.de/intern/[removed]
The proxy has a simple access control mechanism which prevents a certain list of addresses from using the proxy. The trojan obtains this list from another set of web servers:
- http:// avistrade.ru/prog/img/proizvod/[removed]
- http:// mir-vesov.ru/p/lang/CVS/[removed]
- http:// monomah-city.ru/vakans/[removed]
- http:// pvcps.ru/images/[removed]
- http:// service6.valuehost.ru/images/[removed]
- http:// trehrechie.ru/images/[removed]
- http:// turnstylesticketing.com/images/[removed]
- http:// twilightzone.cz/distro/[removed]
- http:// vniipo.ru/images/_notes/[removed]
- http:// voelckergmbh.de/images/[removed]
- http:// vserozetki.ru/images/[removed]
- http:// vtr-spb.ru/fp/mikrobus/gazel/[removed]
- http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
- http:// www.belteh.ru/images/ludi/[removed]
- http:// www.bmblawfirm.com/images/[removed]
- http:// www.enertelligence.com/playitsafe/images/[removed]
- http:// www.enkor.ru/images/[removed]
- http:// www.g-antssoft.com/images/icon/jpg/blog/[removed]
F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2006-03-23_04.
Write-up: Jarkko Turkulainen, March 24, 2006
Technical Details: Jarkko Turkulainen, March 24, 2006
Description Updated: Jarkko Turkulainen, March 27, 2006
F-Secure Corporation