W32/Bagle.dk

Type: Trojan
SubType: Downloader
Discovery Date: 11/01/2005
Length: 9,278 bytes
Minimum DAT: 4617 (11/01/2005)
Updated DAT: 4984 (03/14/2007)
Minimum Engine: 5.1.00
Description Added: 11/01/2005
Description Modified: 11/01/2005 10:44 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This is a downloader trojan. As with previous Bagle variants, it is likely that the author(s) will shortly post an accompanying EXE file on a remote server that spams out new versions of Bagle, not to addresses harvested from the local system but to addresses in spam lists that are also hosted on remote web servers.

This trojan was mass-spammed in a ZIP attachment and may use any one of the following filenames:

  • The_new_prices.zip
  • Info_Prices.zip
  • Health_and_knowledge.zip
  • text_sms.zip
  • max.zip
  • Business.zip
  • Business_dealing.zip

The ZIP file contains a single executable named loader.exe.
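As an added example (not part of the original description and not McAfee's own tooling), the following Python function triages one mail attachment against the indicators above: the attachment name is compared with the lure file names, and the archive is opened to look for a loader.exe member (or any other executable member). The sample archive it builds is a constructed stub containing an "MZ" header and zeros, not the malware; the function names and the quarantine policy are assumptions.

```python
import io
import zipfile

# Lure attachment names from the description above (compared case-insensitively).
LURE_ZIP_NAMES = {
    "the_new_prices.zip", "info_prices.zip", "health_and_knowledge.zip",
    "text_sms.zip", "max.zip", "business.zip", "business_dealing.zip",
}
PAYLOAD_NAME = "loader.exe"
# Assumption: any of these extensions inside a mailed ZIP is worth holding.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def triage_zip_attachment(filename: str, data: bytes) -> dict:
    """Return findings for one attachment.

    lure_name           attachment name matches a known Bagle.dk lure
    contains_loader     archive holds a member named loader.exe
    executable_members  every member with an executable extension
    malformed           bytes are not a readable ZIP (held rather than passed)
    """
    findings = {
        "lure_name": filename.lower() in LURE_ZIP_NAMES,
        "contains_loader": False,
        "executable_members": [],
        "malformed": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Compare on the basename so "dir/LOADER.EXE" is still caught.
                name = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
                if name == PAYLOAD_NAME:
                    findings["contains_loader"] = True
                if name.endswith(EXECUTABLE_SUFFIXES):
                    findings["executable_members"].append(info.filename)
    except zipfile.BadZipFile:
        findings["malformed"] = True
    return findings


def should_quarantine(findings: dict) -> bool:
    """Hold the message if any indicator fired or the archive could not be parsed."""
    return bool(
        findings["lure_name"]
        or findings["contains_loader"]
        or findings["executable_members"]
        or findings["malformed"]
    )


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with one member (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stub: an MZ header followed by zeros, not the real loader.exe.
    sample = build_sample_zip("loader.exe", b"MZ" + b"\0" * 64)
    result = triage_zip_attachment("The_new_prices.zip", sample)
    print(result, "-> quarantine" if should_quarantine(result) else "-> deliver")
```

The basename comparison matters because nothing stops a later spam run from nesting the payload in a folder inside the archive; the executable-extension check catches a renamed payload as long as it still needs to be run by the victim.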

Symptoms

When run, the trojan copies itself into the Windows system directory as HLOADER_EXE.EXE, for example:

C:\WINNT\SYSTEM32\HLOADER_EXE.EXE

It also creates a DLL file in this directory to perform its functions:

  • HLEADER_DLL.DLL  (5,632 bytes)

The following Registry values are added to hook system startup (one under HKCU and one under HKLM):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "auto_hloader_key" = C:\WINNT\SYSTEM32\HLOADER_EXE.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "auto_hloader_key" = C:\WINNT\SYSTEM32\HLOADER_EXE.EXE

Upon reboot, the trojan injects HLEADER_DLL.DLL into the explorer.exe process. The DLL carries the list of websites to poll for updates, so the download activity originates from explorer.exe rather than from HLOADER_EXE.EXE.

The hosts contacted (domain names and bare IP addresses) are as follows:

  • www.aro-tec.com
  • sarancha.ru
  • home.1000km.ru
  • www.stanislawkowalczyk.netstrefa.com
  • 1st-new-orleans-hotels.com
  • www.OTT-INSIDE.de
  • lifejacks.de
  • 25kadr.org
  • africa-tours.de
  • wunderlampe.com
  • charlies-truckerpage.de
  • template.nease.net
  • s89.tku.edu.tw
  • phrmg.org
  • www.etwas-mode.de
  • www.rewardst.com
  • 757555.ru
  • www.8ingatlan.hu
  • oklens.co.jp
  • www.a2zhostings.com
  • www.abavitis.hu
  • abtechsafety.com
  • acentrum.pl
  • www.adamant-np.ru
  • furdoszoba.info
  • adavenue.net
  • ccooaytomadrid.org
  • abtechsafety.com
  • av2026.comex.ru
  • 80.146.233.41
  • www.barth.serwery.pl
  • www.leap.co.il
  • virt33.kei.pl
  • www.bmswijndepot.com
  • 209.126.128.203
  • www.timecontrol.com.pl
  • adoptionscanada.ca
  • 65.108.195.73
  • tkdami.net
  • www.ubu.pl
  • adventecgroup.com
  • sacafterdark.net
  • agenciaspublicidadinternet.com
  • www.agroturystyka.artneo.pl
  • kepter.kz
  • ahava.cafe24.com
  • mijusungdo.net
  • aibsnlea.org
  • aikidan.com
  • 202.44.52.38
  • drinkwater.ru
  • ala-bg.net
  • allinfo.com.au
  • eleceltek.com
  • alevibirligi.ch
  • alfaclassic.sk
  • allanconi.it
  • www.americarising.com
  • americasenergyco.com
  • amerykaameryka.com
  • amistra.com
  • analisisyconsultoria.com
  • calamarco.com
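An added host and network sweep, written here as an illustration and not taken from the page or from McAfee's tools: it parses a .reg export of the Run keys for the auto_hloader_key value (or any Run value pointing at one of the dropped files), checks a list of file paths for the dropped files, and scans proxy log lines for requests to the update hosts listed above. The registry export and the proxy log lines are constructed samples, the proxy log format (time, client, method, URL, status) is an assumption, and only a subset of the host list is embedded.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the description above.
RUN_KEY_VALUE = "auto_hloader_key"
DROPPED_FILES = {"hloader_exe.exe", "hleader_dll.dll"}
# Subset of the update hosts listed above; extend with the full list in practice.
UPDATE_HOSTS = {h.lower() for h in (
    "www.aro-tec.com", "sarancha.ru", "home.1000km.ru", "www.OTT-INSIDE.de",
    "80.146.233.41", "209.126.128.203", "65.108.195.73", "202.44.52.38",
)}

# One "name"="data" line of a .reg export.
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_run_key_hits(reg_export: str) -> list:
    """Return Run values that match the startup hook.

    A value matches if its name is auto_hloader_key or if the program it
    launches is one of the dropped files, so a renamed value is still caught.
    """
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if not m or not current_key:
            continue
        if not current_key.lower().endswith("\\currentversion\\run"):
            continue
        name = m.group(1)
        data = m.group(2).replace("\\\\", "\\")  # .reg files double every backslash
        target = data.split(" ", 1)[0].rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_KEY_VALUE or target in DROPPED_FILES:
            hits.append({"key": current_key, "name": name, "data": data})
    return hits


def find_dropped_files(paths) -> list:
    """Return the paths whose file name is one of the files the trojan drops."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def find_update_host_hits(proxy_lines) -> list:
    """Return one record per proxy request to a known update host.

    Assumed line format: "<time> <client> <method> <url> <status>".
    Hostnames are lowercased and ports stripped before comparison.
    """
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # truncated or malformed line
        host = urlsplit(fields[3]).hostname
        if host in UPDATE_HOSTS:
            hits.append({"time": fields[0], "client": fields[1], "host": host})
    return hits


# Constructed sample: a .reg export of both Run keys plus one unrelated value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_hloader_key"="C:\\WINNT\\SYSTEM32\\HLOADER_EXE.EXE"
"OneDrive"="C:\\Users\\me\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_hloader_key"="C:\\WINNT\\SYSTEM32\\HLOADER_EXE.EXE"
"""

# Constructed sample proxy log; the second line uses the mixed-case form from the list.
SAMPLE_PROXY_LOG = [
    "2005-11-01T10:44:02 10.0.0.5 GET http://www.aro-tec.com/1.php 404",
    "2005-11-01T10:44:03 10.0.0.5 GET http://www.OTT-INSIDE.de/1.php 200",
    "2005-11-01T10:44:05 10.0.0.7 GET http://www.example.com/ 200",
    "2005-11-01T10:44:06 10.0.0.5 GET http://80.146.233.41:80/1.php 200",
]

if __name__ == "__main__":
    for hit in find_run_key_hits(SAMPLE_REG_EXPORT):
        print("run key:", hit)
    for path in find_dropped_files([r"C:\WINNT\SYSTEM32\HLEADER_DLL.DLL"]):
        print("dropped file:", path)
    for hit in find_update_host_hits(SAMPLE_PROXY_LOG):
        print("update host contact:", hit)
```

The proxy check is the one that scales: a single client repeatedly polling several hosts from this list is a stronger signal than any one domain, since many of them are ordinary compromised sites. On a live host, the injected DLL can be confirmed by listing the modules of explorer.exe (for example `tasklist /m /fi "imagename eq explorer.exe"`) and looking for HLEADER_DLL.DLL.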

Method of Infection

This trojan was mass spammed on November 1, 2005.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • W32/Bagle.dk@MM
