Trojan Name: W32/Bagle.x!proxy
Risk Assessment:
Corporate User: Low
Home User: Low
Trojan Information
Discovery Date: 04/08/2004
Origin: Unknown
Length: 7,824 bytes (FSG packed)
Type: Trojan
SubType: Win32
Minimum DAT: 4349
DAT Release Date: 04/07/2004
Minimum Engine: 4.2.40
Description Added: 04/07/2004
Description Modified: 04/07/2004 8:46 AM (PT)
Trojan Characteristics:
This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy).
When run on the victim machine, it installs itself as WINDOW.EXE in the Windows system directory:
%SysDir%\WINDOW.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "window.exe" = %SysDir%\WINDOW.EXE
An HTTP request is sent to one of a few servers to notify the attacker of the installation. The port number and id number are passed to a remote script. Users should block HTTP access to the following domains:
http://(remove this)bohema.amillo.net
http://(remove this)abc517.net
http://(remove this)
A TCP port is opened on the victim machine (the number varies; 14247 is one observed value), and the malware serves as a mail relay on it.
Various data (port, id, and process id number) is stored within the following Registry key, which is added:
HKEY_CURRENT_USER\Software\Timeout
This variant does not terminate the processes related to security products on the victim machine.
Symptoms
Unexpected TCP port open on the victim machine (e.g. 14247)
Existence of the files and Registry keys detailed above
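As an added example that is not part of the original description or of any vendor tool, the following Python script turns the indicators listed under Trojan Characteristics and Symptoms into a triage check run over constructed host snapshots. The snapshot layout, the proxy-log line format, the notification URL path and the allowlist of expected ports are assumptions; the file name, Run value, HKCU\Software\Timeout key, beacon domains and the 14247 example port come from the description above (the third, truncated domain is left out).

```python
import re

# Indicators taken from the description above.
DROPPED_FILE = "window.exe"                        # %SysDir%\WINDOW.EXE
RUN_VALUE = "window.exe"                           # HKLM\...\CurrentVersion\Run "window.exe"
DATA_KEY = r"HKEY_CURRENT_USER\Software\Timeout"   # stores port, id and process id
BEACON_DOMAINS = {"bohema.amillo.net", "abc517.net"}  # third domain truncated on the page
EXAMPLE_RELAY_PORT = 14247                         # one observed listener; the real port varies

_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def file_hits(system_dir_listing):
    """File names in the Windows system directory that match the dropped file."""
    return [f for f in system_dir_listing if f.lower() == DROPPED_FILE]


def run_key_hits(run_values):
    """run_values: mapping of value name -> command under the HKLM Run key.
    Matches either the documented value name or any command ending in \\window.exe."""
    hits = []
    for name, cmd in run_values.items():
        target = cmd.strip('"').lower()
        if name.lower() == RUN_VALUE or target.endswith("\\" + DROPPED_FILE):
            hits.append(f"{name} = {cmd}")
    return hits


def data_key_present(registry_keys):
    """True if the HKCU\\Software\\Timeout data key exists in the key listing."""
    return any(k.lower() == DATA_KEY.lower() for k in registry_keys)


def beacon_hits(proxy_log_lines):
    """Lines whose URL host is one of the notification domains.
    Assumed log shape: 'CLIENT_IP METHOD URL' (constructed, not a real proxy format)."""
    hits = []
    for line in proxy_log_lines:
        m = _URL_HOST.search(line)
        if m and m.group(1).lower() in BEACON_DOMAINS:
            hits.append(line)
    return hits


def unexpected_listeners(listening_tcp_ports, expected_ports):
    """TCP listeners outside the allowlist; catches the relay port whatever number it uses."""
    return sorted(set(listening_tcp_ports) - set(expected_ports))


def assess(snapshot, expected_ports):
    """Run every check over one host snapshot and return the findings.
    No findings does not prove a clean host: the domain list is incomplete and
    the relay port is only known to be unexpected, not fixed."""
    findings = []
    for f in file_hits(snapshot["system_dir"]):
        findings.append(f"dropped file: %SysDir%\\{f}")
    for h in run_key_hits(snapshot["run_values"]):
        findings.append(f"startup hook: {h}")
    if data_key_present(snapshot["registry_keys"]):
        findings.append(f"data key: {DATA_KEY}")
    for line in beacon_hits(snapshot["proxy_log"]):
        findings.append(f"beacon: {line}")
    for p in unexpected_listeners(snapshot["listening_tcp"], expected_ports):
        findings.append(f"unexpected TCP listener: {p}")
    return findings


# Constructed snapshots for demonstration; the notify script path is invented.
CLEAN_HOST = {
    "system_dir": ["kernel32.dll", "notepad.exe"],
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "registry_keys": [r"HKEY_CURRENT_USER\Software\Microsoft"],
    "proxy_log": ["10.0.0.5 GET http://www.example.com/index.html"],
    "listening_tcp": [135, 445],
}
INFECTED_HOST = {
    "system_dir": ["kernel32.dll", "WINDOW.EXE"],
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                   "window.exe": r"C:\WINDOWS\system32\WINDOW.EXE"},
    "registry_keys": [r"HKEY_CURRENT_USER\Software\Microsoft",
                      r"HKEY_CURRENT_USER\Software\Timeout"],
    "proxy_log": ["10.0.0.7 GET http://www.example.com/index.html",
                  "10.0.0.7 GET http://bohema.amillo.net/notify.php?port=14247&id=1"],
    "listening_tcp": [135, 445, EXAMPLE_RELAY_PORT],
}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, assess(host, expected_ports={135, 445}))
```

The port check is deliberately an allowlist rather than a match on 14247, because the description only gives that number as an example; the beacon check is the one most likely to miss, since the page lists only two of the notification domains.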
Method Of Infection
This variant serves as a proxy trojan on the victim machine. Once running, it can be used as a mail relay.
Removal Instructions
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
__________________________________________
Always keep up to date with the latest versions, and be very careful!!!
regards
ms, 07-04-2004