W32/Bagle.dll.dr
- Type: Trojan
- SubType: -
- Discovery Date: 08/18/2004
- Length: Varies
- Minimum DAT: 4382 (07/28/2004)
- Updated DAT: 4767 (05/22/2006)
- Minimum Engine: 5.1.00
- Description Added: 07/28/2004
- Description Modified: 09/01/2004 10:36 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update September 1st, 2004 --
This threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003551,00.html
-- Update August 31, 2004 --
A new Bagle variant was discovered. Messages received contain the following information:
Subject: foto
Body: foto
Attachment: foto.zip or foto1.zip (containing foto.html and foto1.exe)
foto.html contains the JS/IllWill trojan, proactively detected with the 4260 DATs or higher.
foto1.exe contains the W32/Bagle.dll.dr trojan, proactively detected with the 4385 DATs or higher.
--
This is a generic detection of trojans that drop a Bagle related .DLL file. Typically such DLLs attempt to terminate various antivirus and firewall software, and download and execute another file from a remote site.
Symptoms
Unexpected outbound TCP traffic on port 80 and unexpected termination of security software.
There are dozens of variants of this trojan. An example of the symptoms of this family is as follows:
When run, it copies itself to the Windows system directory (%SysDir%) under names such as gdqfw.exe and doriot.exe, and creates registry Run keys to load itself at system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wersds.exe" = C:\WINDOWS\System32\doriot.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wersds.exe" = C:\WINDOWS\System32\doriot.exe
The trojan attempts to terminate various software, including processes with the following names:
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- FIREWALL.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- UPGRADER.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
- MCUPDATE.EXE
Finally, the trojan attempts to download a file from over 100 different websites.
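As an added example (not part of the original McAfee description), the following Python script shows how a responder can triage the two autostart keys listed above from a registry export. It parses a `.reg` file in the format `reg export` writes and flags Run entries that match the indicators given in this description: the value name wersds.exe and the dropped file names doriot.exe and gdqfw.exe. It also applies one heuristic that is assumed here rather than taken from the page, namely that an .exe-style value name which differs from the executable it launches is worth a second look. The sample export embedded in the script is constructed.

```python
import ntpath
import re

# Indicators quoted from the description above: names the trojan copies
# itself under in %SysDir%, and the Run value name it registers.
DROPPED_FILENAMES = {"doriot.exe", "gdqfw.exe"}
RUN_VALUE_NAMES = {"wersds.exe"}

# The two autostart keys named in the description.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample in the format `reg export` writes (not taken from the
# page): two benign entries plus the pair of entries the description lists.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"wersds.exe"="C:\\WINDOWS\\System32\\doriot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"wersds.exe"="C:\\WINDOWS\\System32\\doriot.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _launched_exe(data):
    """Basename of the first .exe in a Run value's command line, lower-cased."""
    m = re.match(r'\s*"?(.+?\.exe)', data, re.IGNORECASE)
    return ntpath.basename(m.group(1)).lower() if m else ""


def find_suspicious_run_entries(parsed):
    """Return [(key, value_name, data, [reasons])] for Run entries worth triage."""
    findings = []
    for key in RUN_KEYS:
        for name, data in parsed.get(key, {}).items():
            exe = _launched_exe(data)
            reasons = []
            if exe in DROPPED_FILENAMES:
                reasons.append("launches a file name this trojan drops")
            if name.lower() in RUN_VALUE_NAMES:
                reasons.append("value name used by this trojan")
            # Heuristic assumed here, not stated on the page: an .exe-looking
            # value name that differs from the executable it launches.
            if name.lower().endswith(".exe") and name.lower() != exe:
                reasons.append("value name does not match launched executable")
            if reasons:
                findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    hits = find_suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, name, data, reasons in hits:
        print(f"{key}\n  \"{name}\" = {data}\n  -> {'; '.join(reasons)}")
```

On a live system the export would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run hkcu-run.reg` (and the HKLM equivalent); the indicator sets can be extended with names from other variants, since the description notes there are dozens of them.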
Method of Infection
This trojan is mass-mailed by various Bagle variants.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Download.Ject.C (Symantec)
- Download.Ject.D (Symantec)
- Troj/BagleDl-A (Sophos)
- W32.Beagle.AQ@mm (Symantec)
- W32/Bagle.AV.worm (Panda)
- Win32.Bagle.AI!downloader (CA)
- Win32.Glieder.H (CA)
- Win32.Glieder.I (CA)
- WORM_BAGLE.AI (Trend)
- WORM_BAGLE.AL (Trend)