F-Secure Virus Information Pages: Bagle.M

Summary
Another new Bagle variant appeared on March 11th, 2004. This variant drops a new Mitglieder proxy trojan variant on an infected computer. Bagle.M does not have its own replication routine, so it was most likely spammed using computers where proxy trojans were installed.
Disinfection
F-Secure provides a special disinfection utility to eliminate the Bagle.M worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations. System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-bagle.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar
Detailed Description
The Bagle.M file is a PE executable about 14336 bytes in size, packed with the UPX file compressor. When it is run, it copies itself as SYSWRUN4X.EXE to the Windows System folder and creates a startup key for this file in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"usrgtway.exe" = "%winsysdir%\SYSWRUN4X.EXE"

where %winsysdir% represents the Windows System folder name.

Bagle.M then drops 2 more files into the Windows System folder: WINDLLZUP.EXE and BGXTDLL.EXE. Despite the .EXE extension, both files are DLLs (Dynamic Link Libraries). WINDLLZUP.EXE is a loader for BGXTDLL.EXE; it causes both files to be loaded as DLLs by EXPLORER.EXE (one of the main Windows components).

The BGXTDLL.EXE file is a new variant of the Mitglieder proxy trojan. When activated, it generates a random number for its port (this number is always larger than 2000), listens for remote commands and works as a mail relay. The trojan connects to 2 sites in the .INFO domain to report the user's IP address and proxy port. The trojan also connects to 2 sites to download a list of banned IP addresses that the proxy will ignore. Additionally, the trojan tries to kill the processes that belong to certain anti-virus and security software.

The description of a previous Mitglieder proxy trojan can be found here:

http://www.f-secure.com/v-descs/mitglieder_h.shtml
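The persistence and file-drop indicators above can be checked offline against a Run-key export and a listing of the System folder. This is an added triage example, not F-Secure's own tool: the function names are my own, and the registry export and directory listing it uses are constructed sample data.

```python
"""Offline triage check for the Bagle.M indicators described above:
the "usrgtway.exe" Run value, the SYSWRUN4X.EXE dropper and the two
dropped DLLs. Sample data is constructed; function names are my own."""
import re

# Indicators taken from the description: Run value name, dropped file
# names in the Windows System folder, and the approximate dropper size.
RUN_VALUE_NAME = "usrgtway.exe"
DROPPER = "SYSWRUN4X.EXE"
DROPPED_DLLS = ("WINDLLZUP.EXE", "BGXTDLL.EXE")
DROPPER_SIZE = 14336  # bytes, UPX-packed; the page says "about", so tolerate drift

_REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_export):
    """Parse '"name"="data"' lines of a .reg export of the Run key.
    Doubled backslashes are unescaped; other lines are ignored."""
    values = {}
    for line in reg_export.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values

def assess(run_values, system_dir):
    """Return a list of findings. system_dir maps upper-cased file name
    to size in bytes for the Windows System folder."""
    findings = []
    data = run_values.get(RUN_VALUE_NAME, "")
    if data.upper().endswith("\\" + DROPPER):
        findings.append(f"Run value {RUN_VALUE_NAME!r} launches {data}")
    size = system_dir.get(DROPPER)
    if size is not None:
        tag = "size matches" if abs(size - DROPPER_SIZE) <= 512 else "size differs"
        findings.append(f"{DROPPER} present in System folder ({tag})")
    for name in DROPPED_DLLS:
        if name in system_dir:
            findings.append(f"{name} present in System folder")
    return findings

# Constructed sample: a Run-key export and System folder listing that
# show the full Bagle.M pattern next to a benign entry.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"usrgtway.exe"="C:\\WINDOWS\\system32\\SYSWRUN4X.EXE"
'''
SAMPLE_SYSTEM_DIR = {"CTFMON.EXE": 15360, "SYSWRUN4X.EXE": 14336,
                     "WINDLLZUP.EXE": 9216, "BGXTDLL.EXE": 20480}
```

Calling `assess(parse_run_values(SAMPLE_REG), SAMPLE_SYSTEM_DIR)` on the sample returns four findings; a clean machine returns an empty list.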
F-Secure Corporation
Last Modified: January 01, 2006