Threat Descriptions

Trojan:W32/Bagle.GF

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan:W32/Bagle.GF, W32/Bagle.GF, Email-Worm.Win32.Bagle.gf, Trojan-Downloader.Win32.Bagle.gf

Summary

Trojan:W32/Bagle.GF sets up a proxy service on the infected machine. Through the proxy, Bagle authors can send spam or access other network resources. This Bagle related malware was found on the 23rd of March 2006.

Removal

For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation

When the trojan file is run, it copies itself as:

  • %System%\wintems.exe

%System% represents the Windows System folder.The trojan installs the following registry launchpoint as a string value:

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "german.exe" = "%System%\wintems.exe"

The trojan uses a named mutex "555" for ensuring that only one copy of the trojan is run at the same time.

Payload

The main payload of the trojan is a proxy service listening on a fixed port. The port, along with other information about the infected system is periodically sent to the following list of web servers:

  • https:// 8marta.ru/img/path/[removed]
  • https:// asvt.ru/images/[removed]
  • https:// avistrade.ru/prog/img/proizvod/[removed]
  • https:// calimasurf.com/images/base/orig/[removed]
  • https:// celebrationsinspain.com/images/[removed]
  • https:// coral-adventures.com/images/[removed]
  • https:// dearruthie.com/images/[removed]
  • https:// dmax.ru/images/[removed]
  • https:// efpa-eg.net/images/[removed]
  • https:// ferrumcomp.ru/images/[removed]
  • https:// financialbusiness.ca/images/[removed]
  • https:// golden-ring.net/images/[removed]
  • https:// goodbathscents.com/images/[removed]
  • https:// jamminjo.com/images/[removed]
  • https:// kmold.biz/images/[removed]
  • https:// kokon.com/images/[removed]
  • https:// komt.ru/images/[removed]
  • https:// magian.ru/images/[removed]
  • https:// merkur-akademie.de/images/[removed]
  • https:// mir-vesov.ru/p/lang/CVS/[removed]
  • https:// monomah-city.ru/vakans/[removed]
  • https:// nakorable.ru/htdocs/img/[removed]
  • https:// optimsasia.com/images/[removed]
  • https:// pvcps.ru/images/[removed]
  • https:// raz-naraz.wz.cz/html/fanklub/[removed]
  • https:// redshop.ru/images/[removed]
  • https:// roszvetmet.com/images/[removed]
  • https:// schiffsparty.de/bilder/uploads/[removed]
  • https:// sdom.ru/images/[removed]
  • https:// service6.valuehost.ru/images/[removed]
  • https:// spbso.ru/images/[removed]
  • https:// stroyindustry.ru/service/construction/[removed]
  • https:// vladzernoproduct.ru/control/sell/t/[removed]
  • https:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
  • https:// www.deadlygames.de/DG/BF/BF-Links/clans/[removed]
  • https:// www.emil-zittau.de/karten/[removed]
  • https:// www.etype.hostingcity.net/mysql_admin_new/images/[removed]
  • https:// www.levada.ru/htmlarea/images/[removed]
  • https:// www.mirage.ru/sport/omega/pic/omega/[removed]
  • https:// www.ordendeslichts.de/intern/[removed]

The proxy has a simple access control mechanism which prevents a certain list of addresses from using the proxy. The trojan obtains this list from another set of web servers:

  • https:// avistrade.ru/prog/img/proizvod/[removed]
  • https:// mir-vesov.ru/p/lang/CVS/[removed]
  • https:// monomah-city.ru/vakans/[removed]
  • https:// pvcps.ru/images/[removed]
  • https:// service6.valuehost.ru/images/[removed]
  • https:// trehrechie.ru/images/[removed]
  • https:// turnstylesticketing.com/images/[removed]
  • https:// twilightzone.cz/distro/[removed]
  • https:// vniipo.ru/images/_notes/[removed]
  • https:// voelckergmbh.de/images/[removed]
  • https:// vserozetki.ru/images/[removed]
  • https:// vtr-spb.ru/fp/mikrobus/gazel/[removed]
  • https:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
  • https:// www.belteh.ru/images/ludi/[removed]
  • https:// www.bmblawfirm.com/images/[removed]
  • https:// www.enertelligence.com/playitsafe/images/[removed]
  • https:// www.enkor.ru/images/[removed]
  • https:// www.g-antssoft.com/images/icon/jpg/blog/[removed]