Worm:W32/Bagle.M

Classification

Category:

Malware

Type:

Worm

Aliases:

TrojanProxy.Win32.Mitglieder.T, W32/Bagle.M, I-Worm.Bagle.m, Mitglieder.T

Summary

Worm:W32/Bagle.M drops a variant of Trojan-Proxy:W32/Mitglieder on an infected computer. The worm has no replication routine; instead it is distributed to new victims by trojan-proxies.

Removal

For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a PE executable about 14336 bytes in size, packed with the UPX file compressor.

Bagle.M was first reported on March 11th, 2004.

Installation

When first executed, the worm copies itself as

  • SYSWRUN4X.EXE

to the Windows System folder and creates a startup key for this file in the Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "usrgtway.exe" = "%winsysdir%\SYSWRUN4X.EXE"

where %winsysdir% represents Windows System folder name.

The worm then drops 2 more files into the Windows System folder:

  • WINDLLZUP.EXE
  • BGXTDLL.EXE

Both files are DLLs (Dynamic Link Libraries).

WINDLLZUP.EXE is a loader for BGXTDLL.EXE: it causes both files to be loaded as DLLs into EXPLORER.EXE (one of the main Windows components). BGXTDLL.EXE is a new variant of the Mitglieder proxy trojan.
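The installation section above gives two host-level indicators a responder can check for: the HKCU Run value named "usrgtway.exe" that points at SYSWRUN4X.EXE in the Windows System folder, and the three dropped files SYSWRUN4X.EXE, WINDLLZUP.EXE and BGXTDLL.EXE. The script below is an added example, not F-Secure's tooling; it checks those indicators on a live Windows host (via the standard winreg module) and also exposes the matching logic as plain functions so it can be exercised with the constructed sample data included in the block. It assumes the System folder is either %SystemRoot%\System32 or %SystemRoot%\System, since the description only says "Windows System folder".

```python
"""Check a host for the Bagle.M / Mitglieder persistence artefacts listed in the description.

Added example (not F-Secure's code). Indicators are taken from the description:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "usrgtway.exe" -> %winsysdir%\SYSWRUN4X.EXE
  - files SYSWRUN4X.EXE, WINDLLZUP.EXE, BGXTDLL.EXE dropped into the Windows System folder
"""
import ntpath
import os
import sys
from typing import Dict, Iterable, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "usrgtway.exe"          # value name from the description
DROPPER_FILE = "SYSWRUN4X.EXE"           # copy of the worm itself
DROPPED_FILES = ("WINDLLZUP.EXE", "BGXTDLL.EXE")  # loader + Mitglieder proxy DLL
ALL_FILES = (DROPPER_FILE,) + DROPPED_FILES


def check_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs that match the worm's Run-key indicator.

    A hit is either the exact value name "usrgtway.exe" or any value whose
    command ends in SYSWRUN4X.EXE, so a renamed value still gets flagged.
    """
    hits = []
    for name, data in run_values.items():
        exe = ntpath.basename(data.strip().strip('"')).upper()
        if name.lower() == RUN_VALUE_NAME or exe == DROPPER_FILE:
            hits.append((name, data))
    return hits


def check_system_dir(file_names: Iterable[str]) -> List[str]:
    """Return the subset of the worm's dropped file names present in a directory listing."""
    present = {n.upper() for n in file_names}
    return sorted(f for f in ALL_FILES if f in present)


def collect_live() -> Tuple[Dict[str, str], List[str]]:
    """Read the real HKCU Run key and System folder listing (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows; use the check_* functions with exported data")
    import winreg  # only importable on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values[name] = str(data)
            index += 1
    root = os.environ.get("SystemRoot", r"C:\Windows")
    listing: List[str] = []
    for sub in ("System32", "System"):   # assumption: either may be "the Windows System folder"
        path = os.path.join(root, sub)
        if os.path.isdir(path):
            listing.extend(os.listdir(path))
    return values, listing


# Constructed sample data standing in for a registry export and a directory listing.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "usrgtway.exe": r"C:\WINDOWS\System32\SYSWRUN4X.EXE",
}
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "syswrun4x.exe", "windllzup.exe", "bgxtdll.exe", "ntdll.dll"]


if __name__ == "__main__":
    try:
        run_values, listing = collect_live()
    except RuntimeError:
        run_values, listing = SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_LISTING
    for name, data in check_run_values(run_values):
        print(f"Run value indicator: {name} = {data}")
    for fname in check_system_dir(listing):
        print(f"dropped file present in System folder: {fname}")
```

On a non-Windows machine the script falls back to the constructed sample, which is convenient for testing the matching logic against an exported registry hive or a forensic image listing. A positive hit on either indicator is a reason to follow the Email-Worm:W32/Bagle removal instructions referenced above rather than to delete files by hand, because the loader is already mapped into EXPLORER.EXE by the time the files are visible.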

Activity

Once installed and activated, the Mitglieder trojan-proxy generates a random number in order to select a port it can use to listen for remote commands and use as a mail relay. The port number selected is always larger than 2000.

The trojan connects to 2 sites in the .INFO domain to report the infected machine's IP address and proxy port. It also connects to 2 sites to download a list of banned IP addresses that the proxy will ignore.

Additionally, the trojan tries to kill processes that belong to certain anti-virus and security software.