Trojan:W32/Bagle.GF

Name: Trojan:W32/Bagle.GF
Detection Names: W32/Bagle.GF, Email-Worm.Win32.Bagle.gf, Trojan-Downloader.Win32.Bagle.gf
Category: Malware
Type: Trojan
Platform: W32
Date of Discovery: February 13, 2006

Summary

A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

Disinfection

For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Trojan:W32/Bagle.GF sets up a proxy service on the infected machine. Through this proxy, the Bagle authors can send spam or access other network resources via the infected machine's address.

This Bagle-related malware was found on 23 March 2006.


Installation


When the trojan file is run, it copies itself as:

  •  %System%\wintems.exe

%System% represents the Windows System folder.

The trojan installs the following registry launchpoint as a string value:

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "german.exe" = "%System%\wintems.exe"

The trojan creates a named mutex "555" to ensure that only one copy of the trojan runs at a time.
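The three installation artefacts above (the dropped file, the HKCU Run value and the mutex) are what an incident responder would sweep a host for. The following is an added triage example, not F-Secure tooling and not code from the original page: it parses a Windows "reg export" of the HKCU Run key and checks a file listing and a mutex listing against those indicators. The .reg text, the sample paths and the mutex names fed to it are constructed for the example; the ctfmon.exe entry is there only as a benign contrast.

```python
"""Host triage for the Bagle.GF installation artefacts (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "german.exe"
DROPPED_FILE = "wintems.exe"
MUTEX_NAME = "555"

# Constructed sample: what "reg export" of the Run key might produce on an
# infected host. ctfmon.exe is a benign entry included for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
"""

# "name"=data, where name may contain escaped quotes/backslashes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"="string" values. Non-string data (dword:, hex:) is kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header, blank line, @= default value or continuation
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _exe_basename(command: str) -> str:
    """Lower-cased basename of the executable in a Run command, ignoring arguments."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_key(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(value name, reason) for every Run entry that matches the launchpoint.
    The value name and the target file are checked independently, so a
    variant that renames one of them is still caught by the other."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name is the Bagle.GF launchpoint")
        if _exe_basename(data) == DROPPED_FILE:
            reasons.append("command runs the dropped file")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def check_files(paths: List[str]) -> List[str]:
    """Paths whose basename is the dropped file, whatever the drive or case."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() == DROPPED_FILE]


def check_mutexes(names: List[str]) -> bool:
    """True if the single-instance mutex appears in a live mutex listing.
    Handle-style listings prefix the object directory (\\BaseNamedObjects\\555),
    so only the final path component is compared."""
    return any(n.rsplit("\\", 1)[-1] == MUTEX_NAME for n in names)


def triage(reg_text: str, files: List[str], mutexes: List[str]) -> dict:
    """Combine the three checks into one report for a host."""
    return {"run_key": check_run_key(parse_reg_export(reg_text)),
            "files": check_files(files),
            "mutex": check_mutexes(mutexes)}


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT,
                 [r"C:\WINDOWS\system32\wintems.exe", r"C:\WINDOWS\notepad.exe"],
                 [r"\BaseNamedObjects\555", "ShimCacheMutex"]))
```

The mutex check is only meaningful on a live system (the object disappears when the process exits), while the Run value and the file survive a reboot, so the registry and file checks are the ones to run against an offline image.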


Payload

The main payload of the trojan is a proxy service listening on a fixed port. The port number, along with other information about the infected system, is periodically sent to the following list of web servers:

  • http:// 8marta.ru/img/path/[removed]
  • http:// asvt.ru/images/[removed]
  • http:// avistrade.ru/prog/img/proizvod/[removed]
  • http:// calimasurf.com/images/base/orig/[removed]
  • http:// celebrationsinspain.com/images/[removed]
  • http:// coral-adventures.com/images/[removed]
  • http:// dearruthie.com/images/[removed]
  • http:// dmax.ru/images/[removed]
  • http:// efpa-eg.net/images/[removed]
  • http:// ferrumcomp.ru/images/[removed]
  • http:// financialbusiness.ca/images/[removed]
  • http:// golden-ring.net/images/[removed]
  • http:// goodbathscents.com/images/[removed]
  • http:// jamminjo.com/images/[removed]
  • http:// kmold.biz/images/[removed]
  • http:// kokon.com/images/[removed]
  • http:// komt.ru/images/[removed]
  • http:// magian.ru/images/[removed]
  • http:// merkur-akademie.de/images/[removed]
  • http:// mir-vesov.ru/p/lang/CVS/[removed]
  • http:// monomah-city.ru/vakans/[removed]
  • http:// nakorable.ru/htdocs/img/[removed]
  • http:// optimsasia.com/images/[removed]
  • http:// pvcps.ru/images/[removed]
  • http:// raz-naraz.wz.cz/html/fanklub/[removed]
  • http:// redshop.ru/images/[removed]
  • http:// roszvetmet.com/images/[removed]
  • http:// schiffsparty.de/bilder/uploads/[removed]
  • http:// sdom.ru/images/[removed]
  • http:// service6.valuehost.ru/images/[removed]
  • http:// spbso.ru/images/[removed]
  • http:// stroyindustry.ru/service/construction/[removed]
  • http:// vladzernoproduct.ru/control/sell/t/[removed]
  • http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
  • http:// www.deadlygames.de/DG/BF/BF-Links/clans/[removed]
  • http:// www.emil-zittau.de/karten/[removed]
  • http:// www.etype.hostingcity.net/mysql_admin_new/images/[removed]
  • http:// www.levada.ru/htmlarea/images/[removed]
  • http:// www.mirage.ru/sport/omega/pic/omega/[removed]
  • http:// www.ordendeslichts.de/intern/[removed]

The proxy has a simple access control mechanism: connections from a list of blocked addresses are refused. The trojan downloads this list from another set of web servers:

  • http:// avistrade.ru/prog/img/proizvod/[removed]
  • http:// mir-vesov.ru/p/lang/CVS/[removed]
  • http:// monomah-city.ru/vakans/[removed]
  • http:// pvcps.ru/images/[removed]
  • http:// service6.valuehost.ru/images/[removed]
  • http:// trehrechie.ru/images/[removed]
  • http:// turnstylesticketing.com/images/[removed]
  • http:// twilightzone.cz/distro/[removed]
  • http:// vniipo.ru/images/_notes/[removed]
  • http:// voelckergmbh.de/images/[removed]
  • http:// vserozetki.ru/images/[removed]
  • http:// vtr-spb.ru/fp/mikrobus/gazel/[removed]
  • http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
  • http:// www.belteh.ru/images/ludi/[removed]
  • http:// www.bmblawfirm.com/images/[removed]
  • http:// www.enertelligence.com/playitsafe/images/[removed]
  • http:// www.enkor.ru/images/[removed]
  • http:// www.g-antssoft.com/images/icon/jpg/blog/[removed]
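Both host lists above (the servers that receive the periodic port report and the servers that serve the address list) are usable as network indicators: an infected machine will contact them repeatedly, and the report is sent on a schedule. The following is an added detection example, not F-Secure tooling and not code from the original page. It parses web-proxy log lines, matches the request host against a subset of the hosts from the two lists, and reports per-client hit counts and the median gap between hits, which is what distinguishes a beacon from a one-off visit to a compromised site. The log format and every log line are constructed; the request paths are only the prefixes given above, since the rest of the real paths is not on the page; and treating "www.host" and "host" as the same server is an assumption.

```python
"""Proxy-log beacon detection for the Bagle.GF web servers (added example)."""
import statistics
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlsplit

# Subset of the hosts from the two lists above (beacon targets and
# address-list servers); extend with the remaining hosts for a real sweep.
INDICATOR_HOSTS = {
    "8marta.ru", "asvt.ru", "avistrade.ru", "dmax.ru", "golden-ring.net",
    "mir-vesov.ru", "monomah-city.ru", "pvcps.ru", "service6.valuehost.ru",
    "trehrechie.ru", "twilightzone.cz", "www.levada.ru",
    "www.13tw22rigobert.de",
}


def norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' (assumption:
    the list entries refer to the server, not to one particular name)."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


INDICATOR_SET = {norm_host(h) for h in INDICATOR_HOSTS}

# Constructed sample log, one request per line:
#   <ISO timestamp> <client IP> <method> <URL> <status>
# 10.0.0.7 reports in every five minutes; 10.0.0.5 visits one listed site once.
SAMPLE_LOG = """\
2006-03-23T09:00:00 10.0.0.5 GET http://www.example.com/index.html 200
2006-03-23T09:00:12 10.0.0.7 GET http://8marta.ru/img/path/ 200
2006-03-23T09:05:12 10.0.0.7 GET http://8marta.ru/img/path/ 200
2006-03-23T09:10:12 10.0.0.7 GET http://asvt.ru/images/ 200
2006-03-23T09:15:13 10.0.0.7 GET http://8marta.ru/img/path/ 200
2006-03-23T09:16:00 10.0.0.5 GET http://www.levada.ru/ 200
2006-03-23T09:20:12 10.0.0.7 GET http://dmax.ru/images/ 404
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped so one
    bad line does not abort the whole sweep."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, status = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": norm_host(urlsplit(url).hostname or ""),
            "status": int(status),
        })
    return records


def find_beacons(records: List[dict], min_hits: int = 3) -> Dict[str, dict]:
    """Per client: number of requests to indicator hosts, the hosts seen,
    the median gap in seconds between consecutive requests, and whether the
    count reaches min_hits. A 404 still counts: the client tried to reach
    the server, which is the behaviour being detected."""
    by_client: Dict[str, List[dict]] = {}
    for r in records:
        if r["host"] in INDICATOR_SET:
            by_client.setdefault(r["client"], []).append(r)
    findings = {}
    for client, hits in by_client.items():
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        findings[client] = {
            "hits": len(hits),
            "hosts": sorted({r["host"] for r in hits}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "flagged": len(hits) >= min_hits,
        }
    return findings


if __name__ == "__main__":
    for client, finding in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(client, finding)
```

Several of the listed hosts are ordinary web sites whose image directories were abused, so a single request from a client is weak evidence; the repeated, evenly spaced requests from 10.0.0.7 are what justify pulling that host for the registry and file checks.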


Detection

F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-03-23_04