Another new Bagle variant has appeared. It is very similar to the Bagle.L
and Bagle.M variants, but drops a slightly different variant of the
Mitglieder proxy trojan on the infected computer. Bagle.O, like the
previous .L and .M variants, does not have its own replication
routine, so it was most likely spammed out through computers on which
proxy trojans were already installed.
Disinfection
F-Secure provides a special disinfection utility to eliminate the
Bagle.O worm infection. You can download this utility from our
ftp site:
where %winsysdir% represents the Windows System folder.
Bagle.O then drops 2 more files into the Windows System folder:
WINDLLZUP.EXE and BGXTDLL.EXE. Despite the .EXE extension, both files
are DLLs (Dynamic Link Libraries). WINDLLZUP.EXE is a loader for
BGXTDLL.EXE: it causes both files to be loaded as DLLs into
EXPLORER.EXE (one of the main Windows components), so the trojan code
runs inside the Explorer process.
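A file named *.EXE that is really a DLL is something a responder can verify directly rather than trusting the extension: the Characteristics field of the COFF file header carries the IMAGE_FILE_DLL bit (0x2000). The following Python is an added example written for this page, not F-Secure's utility or code from the worm; the directory path, the function names and the minimal in-memory PE images it builds for self-testing are constructed for illustration.

```python
import os
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000            # set in Characteristics for every DLL

# File names from the Bagle.O description; the check itself is generic.
SUSPECT_NAMES = {"WINDLLZUP.EXE", "BGXTDLL.EXE"}


def pe_characteristics(data: bytes) -> int:
    """Return the COFF Characteristics field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2) -> offset 4 + 18 = 22
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def is_dll(data: bytes) -> bool:
    return bool(pe_characteristics(data) & IMAGE_FILE_DLL)


def mismatched_extension(name: str, data: bytes) -> bool:
    """True when a file named *.EXE is flagged as a DLL (the Bagle.O pattern).
    Anything that is not a parseable PE image is reported as not mismatched."""
    try:
        return name.lower().endswith(".exe") and is_dll(data)
    except ValueError:
        return False


def scan_directory(path: str) -> list:
    """Report suspect file names that are DLLs in EXE clothing. Hypothetical
    helper; run it against the Windows System folder on a live host."""
    hits = []
    for name in os.listdir(path):
        if name.upper() not in SUSPECT_NAMES:
            continue
        with open(os.path.join(path, name), "rb") as fh:
            head = fh.read(4096)
        if mismatched_extension(name, head):
            hits.append(name)
    return hits


def build_minimal_pe(dll: bool) -> bytes:
    """Constructed test input: DOS header plus COFF header, nothing else."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for name, sample in (("WINDLLZUP.EXE", build_minimal_pe(True)),
                         ("NOTEPAD.EXE", build_minimal_pe(False))):
        print(name, "DLL-flagged:", mismatched_extension(name, sample))
```

Only the first 4 KB of each file is read, which is enough for the headers; a positive result means the file cannot have been started as a process and must have been loaded by something else, which is exactly the loader-into-EXPLORER.EXE behaviour described above.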
BGXTDLL.EXE is a new variant of the Mitglieder proxy trojan. When
activated it picks a random port number (always larger than 2000),
listens on that port for remote commands and works as a mail relay.
The trojan connects to 2 sites in the .INFO domain to report the
user's IP address and proxy port. It also connects to 2 sites to
download a list of banned IP addresses that the proxy will ignore.
Additionally, the trojan tries to kill processes that belong to
certain anti-virus and security software.
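Because the proxy runs inside EXPLORER.EXE and listens on a port above 2000, a quick triage on a suspect host is to list TCP listeners, map PIDs to process names and look for Explorer owning a socket. The Python below is an added example for this page, not F-Secure's tool; the netstat and tasklist output it parses is constructed (ports, PIDs and addresses are invented), and on a live host you would feed it the real output of "netstat -ano" and "tasklist".

```python
import re

# Constructed sample in the shape of Windows "netstat -ano" output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4721           0.0.0.0:0              LISTENING       1560
  TCP    192.0.2.10:4721        198.51.100.7:3391      ESTABLISHED     1560
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2212
"""

# Constructed PID -> image name map, as "tasklist" would give it.
SAMPLE_PIDS = {884: "svchost.exe", 4: "System", 1560: "explorer.exe",
               2212: "httpd.exe"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Turn netstat -ano TCP rows into dicts; header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"addr": m.group(1), "port": int(m.group(2)),
                         "state": m.group(3), "pid": int(m.group(4))})
    return rows


def suspect_listeners(text: str, pid_names: dict, min_port: int = 2000,
                      process: str = "explorer.exe") -> list:
    """Return (port, pid) for LISTENING sockets above min_port that belong to
    the named process. Explorer normally owns no TCP listener at all, so the
    port threshold only narrows the output to what the description reports."""
    hits = []
    for row in parse_netstat(text):
        if row["state"] != "LISTENING" or row["port"] <= min_port:
            continue
        if pid_names.get(row["pid"], "").lower() != process.lower():
            continue
        hits.append((row["port"], row["pid"]))
    return hits


if __name__ == "__main__":
    for port, pid in suspect_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"explorer.exe (PID {pid}) is listening on TCP {port}")
```

A hit is a lead, not a verdict: the port is random, so nothing about its value identifies Mitglieder, and the reverse is also true, a host whose proxy was blocked by the banned-IP list still shows the listener. Follow up by checking the two dropped files in the Windows System folder.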
The description of a previous Mitglieder proxy trojan can be
found here: