Bagle.M

Name: Bagle.M
Category: Virus
Type: Virus
Platform: Win32

Summary


Another new Bagle variant appeared on March 11th, 2004. This variant drops a new Mitglieder proxy trojan variant on the infected computer. Bagle.M has no replication routine of its own, so it was most likely spammed out from computers on which proxy trojans had already been installed.

Disinfection

F-Secure provides a special disinfection utility (F-Bagle) to remove a Bagle.M infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-bagle.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar

Additional Details

The Bagle.M file is a PE executable about 14336 bytes in size, packed with the UPX file compressor.

When it is run, it copies itself to the Windows System folder as SYSWRUN4X.EXE and creates a startup value for this file in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"usrgtway.exe" = "%winsysdir%\SYSWRUN4X.EXE"

where %winsysdir% represents the Windows System folder.

Then Bagle.M drops 2 more files into the Windows System folder: WINDLLZUP.EXE and BGXTDLL.EXE. Despite the .EXE extension, both files are DLLs (Dynamic Link Libraries). WINDLLZUP.EXE is a loader for BGXTDLL.EXE; it causes both files to be loaded as DLLs into EXPLORER.EXE (one of the main Windows components).

The BGXTDLL.EXE file is a new variant of the Mitglieder proxy trojan. When activated, it picks a random number for its port (this number is always larger than 2000), listens for remote commands on that port and works as a mail relay. The trojan connects to 2 sites in the .INFO domain to report the user's IP address and proxy port. It also connects to 2 sites to download a list of banned IP addresses that the proxy will ignore.
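The registry value, the three dropped files and the proxy behaviour described above are the indicators an administrator can check for by hand. The script below is an added example written for this page, not F-Secure's F-Bagle tool: it matches those indicators against constructed sample data (a Run key listing, a System folder listing and `netstat -ano` rows with a PID-to-image map) so that it runs offline. The listener check is an assumption on top of the description: because the trojan DLLs run inside EXPLORER.EXE and open a random port above 2000, an explorer.exe process that owns a listening TCP socket on a high port is treated as suspicious, but only the registry and file hits are counted as confirmation.

```python
"""Host triage for the Bagle.M indicators listed above.

Added example, not F-Secure's F-Bagle tool. It runs against constructed
sample data so it works offline; on a real host the inputs would be the
HKCU Run key values, the System folder listing and the output of
`netstat -ano` plus `tasklist`.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the description above.
DROPPED_FILES = {"SYSWRUN4X.EXE", "WINDLLZUP.EXE", "BGXTDLL.EXE"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "usrgtway.exe"
MIN_PROXY_PORT = 2000  # the proxy port is always larger than 2000


@dataclass
class Findings:
    run_key_hits: list = field(default_factory=list)
    dropped_files: list = field(default_factory=list)
    suspicious_listeners: list = field(default_factory=list)

    def infected(self) -> bool:
        # The listener check is only a heuristic, so it does not count here.
        return bool(self.run_key_hits or self.dropped_files)


def check_run_keys(entries):
    """entries: (key_path, value_name, data) tuples read from the Run keys."""
    hits = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY.lower():
            continue
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if name.lower() == RUN_VALUE_NAME.lower() or basename in DROPPED_FILES:
            hits.append((name, data))
    return hits


def check_system_folder(filenames):
    """Return the Bagle.M files present in the System folder (case-insensitive)."""
    return sorted({f.upper() for f in filenames} & DROPPED_FILES)


# One `netstat -ano` row: proto, local addr:port, foreign addr, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def check_listeners(netstat_lines, pid_to_image):
    """Heuristic (an assumption, not stated in the description): the trojan
    DLLs live inside EXPLORER.EXE and open a random port above 2000, and
    explorer.exe normally owns no listening TCP sockets at all."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        if pid_to_image.get(pid, "").lower() == "explorer.exe" and port > MIN_PROXY_PORT:
            hits.append((pid, port))
    return hits


def triage(run_entries, system_files, netstat_lines, pid_to_image) -> Findings:
    return Findings(
        run_key_hits=check_run_keys(run_entries),
        dropped_files=check_system_folder(system_files),
        suspicious_listeners=check_listeners(netstat_lines, pid_to_image),
    )


# Constructed sample data standing in for a compromised host.
SAMPLE_RUN = [
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEY, "usrgtway.exe", r"C:\WINDOWS\system32\SYSWRUN4X.EXE"),
]
SAMPLE_FILES = ["kernel32.dll", "syswrun4x.exe", "windllzup.exe", "BGXTDLL.EXE"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING       900",
    "  TCP    0.0.0.0:4213     0.0.0.0:0      LISTENING       1624",
]
SAMPLE_PIDS = {900: "svchost.exe", 1624: "explorer.exe"}

if __name__ == "__main__":
    f = triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT, SAMPLE_PIDS)
    print("infected:", f.infected())
    print("run key hits:", f.run_key_hits)
    print("dropped files:", f.dropped_files)
    print("suspicious listeners:", f.suspicious_listeners)
```

A clean host yields no run-key or file hits and `infected()` is false; a listener hit on its own only flags explorer.exe for a closer look, since the random port means there is no fixed port to match on.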

Additionally, the trojan tries to kill processes that belong to certain anti-virus and security software.

The description of a previous Mitglieder proxy trojan variant can be found here:

http://www.f-secure.com/v-descs/mitglieder_h.shtml