Another Bagle worm variant appeared on March 9th, 2004. This
variant drops a new Mitglieder proxy trojan variant on an
infected computer. Bagle.L does not have its own replication
system, so it was most likely spammed using computers where
proxy trojans were installed.
Disinfection
F-Secure provides a special disinfection utility to eliminate
the Bagle.L worm infection. You can download this utility from
our ftp site:
where %winsysdir% represents the Windows System folder name.
Then the worm drops 2 more files into the Windows System folder:
IINJ4.EXE and SYSTEM.EXE. Despite their names, both files are
DLLs (Dynamic Link Libraries). IINJ4.EXE is a loader for the
SYSTEM.EXE file; it causes both files to be loaded as DLLs into
EXPLORER.EXE (one of the main Windows components).
The SYSTEM.EXE file is a new variant of the Mitglieder proxy trojan.
When activated it listens on port 11117 for remote commands and
works as a mail relay. The trojan connects to several sites in
Germany and Russia to report the user's IP address and proxy port.
The trojan also connects to several sites to download a list of
banned IP addresses that the proxy will ignore.
Additionally the trojan tries to kill processes that belong to
certain anti-virus and security software.
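A host triage check built from the indicators in this description (the two dropped files, their loading into EXPLORER.EXE, and the port 11117 listener), as an added example that is not part of the original page or of F-Secure's disinfection utility. The input formats (netstat -an lines, a per-process module map, a listing of %winsysdir%) are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted from the description above.
DROPPED_FILES = {"IINJ4.EXE", "SYSTEM.EXE"}   # dropped into the Windows System folder
PROXY_PORT = 11117                            # Mitglieder command/relay listener
HOST_PROCESS = "EXPLORER.EXE"                 # process the two DLLs are loaded into

# Matches a "netstat -an" style TCP listener line (assumed input format).
LISTENER_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


@dataclass
class Findings:
    proxy_port_listening: bool = False
    modules_in_explorer: list = field(default_factory=list)
    files_in_sysdir: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return (self.proxy_port_listening or bool(self.modules_in_explorer)
                or bool(self.files_in_sysdir))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def triage(netstat_lines, modules_by_process, sysdir_listing) -> Findings:
    """netstat_lines: 'netstat -an' output lines; modules_by_process:
    {process name: [loaded module paths]}; sysdir_listing: file names in %winsysdir%."""
    f = Findings()
    for line in netstat_lines:
        m = LISTENER_RE.match(line)
        if m and int(m.group(1)) == PROXY_PORT:
            f.proxy_port_listening = True
    for proc, mods in modules_by_process.items():
        if proc.upper() == HOST_PROCESS:
            f.modules_in_explorer += [p for p in mods if _basename(p) in DROPPED_FILES]
    f.files_in_sysdir = sorted(n for n in sysdir_listing if n.upper() in DROPPED_FILES)
    return f


# Constructed sample input (not a real capture) showing an infected host.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:11117          0.0.0.0:0              LISTENING",
]
SAMPLE_MODULES = {"explorer.exe": [r"C:\WINDOWS\explorer.exe",
                                   r"C:\WINDOWS\system32\iinj4.exe",
                                   r"C:\WINDOWS\system32\system.exe"]}
SAMPLE_SYSDIR = ["kernel32.dll", "IINJ4.EXE", "SYSTEM.EXE"]

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_MODULES, SAMPLE_SYSDIR))
```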
The description of the previous Mitglieder proxy trojan variant
can be found here: