W32/Bagle.dw

Type
Trojan
SubType
Downloader
Discovery Date
02/26/2006
Length
Minimum DAT
4705 (02/24/2006)
Updated DAT
4782 (06/12/2006)
Minimum Engine
5.1.00
Description Added
02/26/2006
Description Modified
02/26/2006 10:31 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. Because the websites it communicates with are normally controlled by the malware author, the files being downloaded can be modified remotely, altering the behavior of these new binaries, possibly with every user infection.

Upon execution, it displays a fake dialog box prompting the user to select a file to crack.

Irrespective of which file the user selects, the following message box is displayed.

It drops the following files:

%WINDIR%\%SYSTEM%\ldr64.dll (detected as W32/Bagle.dw.dldr)
%Temp%\_ex[RANDOM NUMBER].tmp (zero byte file)

It adds the following registry values so that it is started automatically when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
"LdCount"=dword:00000000
"prevt"=dword:00000000
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"="ldr64.dll"
"Startup"="Startup"
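The dropped DLL, the temp marker file and the Winlogon Notify package above are the host-side artifacts a responder would check for. The following PowerShell triage script is an added example, not McAfee's tooling or anything from the original description. It assumes that %SYSTEM% in the description means System32, and the allow-list of stock Windows XP notification package names it uses to flag unfamiliar entries is an assumption to be tuned for the build being inspected.

```powershell
# Added example (not McAfee's tooling): triage a host for the W32/Bagle.dw.dldr
# artifacts listed in the description (dropped DLL, zero-byte temp file, Winlogon
# Notify package). Assumptions: %SYSTEM% means System32, and $StockNotify is an
# allow-list of stock XP notification package names, to be tuned per build.
$NotifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$DropperDll  = 'ldr64.dll'
$StockNotify = @('crypt32chain','cryptnet','cscdll','ScCertProp','Schedule',
                 'sclgntfy','SensLogn','termsrv','wlballoon')

function Get-BagleDwArtifacts {
    $findings = @()

    # 1. Dropped DLL in the system directory
    $dllPath = Join-Path $env:WINDIR "System32\$DropperDll"
    if (Test-Path $dllPath) {
        $findings += [pscustomobject]@{ Type='File'; Item=$dllPath; Reason='matches dropped DLL name' }
    }

    # 2. Zero-byte _ex<digits>.tmp marker files in %Temp%
    Get-ChildItem -Path $env:TEMP -Filter '_ex*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 0 -and $_.Name -match '^_ex\d+\.tmp$' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type='File'; Item=$_.FullName; Reason='zero-byte _ex*.tmp' }
        }

    # 3. Winlogon Notify packages: anything non-stock, pointing at the dropped DLL,
    #    pointing at a missing file, or pointing at an unsigned/invalidly signed DLL
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem $NotifyKey) {
            $p = Get-ItemProperty $sub.PSPath
            $reasons = @()
            if ($StockNotify -notcontains $sub.PSChildName) { $reasons += 'non-stock package name' }
            if ($p.DllName -and $p.DllName -ieq $DropperDll) { $reasons += 'DllName is ldr64.dll' }
            if ($p.DllName) {
                # Winlogon resolves a bare DllName from the system directory
                $target = if ([IO.Path]::IsPathRooted($p.DllName)) { $p.DllName }
                          else { Join-Path $env:WINDIR "System32\$($p.DllName)" }
                if (-not (Test-Path $target)) {
                    $reasons += 'DllName target missing on disk'
                } elseif ((Get-AuthenticodeSignature $target).Status -ne 'Valid') {
                    $reasons += 'DllName target not validly signed'
                }
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{ Type='Registry'; Item=$sub.Name; Reason=($reasons -join '; ') }
            }
        }
    }
    return $findings
}

Get-BagleDwArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty table means none of the listed artifacts were found. The Notify key is absent by default on Vista and later, so the registry check only produces output on systems where the Winlogon notification mechanism still exists or has been recreated.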

Symptoms

W32/Bagle.dw.dldr attempts to download files from the following URLs:

ala-bg.net[Removed]/444.jpg
allinfo.com.au[Removed]/444.jpg
americasenergyco.com[Removed]/444.jpg
amerykaameryka.com[Removed]/444.jpg
amistra.com[Removed]/444.jpg
analisisyconsultoria.com[Removed]/444.jpg
calamarco.com[Removed]/444.jpg
eleceltek.com[Removed]/444.jpg
www.americarising.com[Removed]/444.jpg
www.bbrealservis.sk[Removed]/444.jpg
www.befag.ru[Removed]/444.jpg
www.benininfo.com[Removed]/444.jpg
www.bennylife.com[Removed]/444.jpg
www.bestcheapdomainregistration.info[Removed]/444.jpg
www.bidsforbaby.com[Removed]/444.jpg
www.binhaigolf.com[Removed]/444.jpg
www.biotenk.com[Removed]/444.jpg
www.bitsolution.ro[Removed]/444.jpg
www.boldrussell.com[Removed]/444.jpg
www.bronko-m.ru[Removed]/444.jpg
www.bulkemailservicenow.com[Removed]/444.jpg
www.bulkemaildirectmarketing.com[Removed]/444.jpg
www.calidad.biz[Removed]/444.jpg
www.cansew.ca[Removed]/444.jpg
www.cansultdubai.ae[Removed]/444.jpg
www.casaquecanta.com[Removed]/444.jpg
www.chilotitomarino.cl[Removed]/444.jpg
www.chinaculturedpearl.com[Removed]/444.jpg
www.casino-malibu.ru[Removed]/444.jpg
www.colin18.com[Removed]/444.jpg
www.connectesl.com[Removed]/444.jpg
www.khonkaenpoc.com[Removed]/444.jpg
www.nmtltd.com[Removed]/444.jpg
www.vnettools.com[Removed]/444.jpg

NOTE: At the time of writing this description, McAfee AVERT did not observe any files being downloaded, as they may have been moved or deleted at the remote site.
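The URL list above is the network indicator set for this sample: many distinct hosts, one common path. The following PowerShell check is an added example, not McAfee's tooling; it scans proxy log lines for requests to the listed hosts or to the shared /444.jpg path. The log lines are constructed for illustration, the field layout (date, time, client, method, URL, status) is an assumption about the log format, and only a subset of the hosts is included.

```powershell
# Added example (not McAfee's tooling): scan web proxy logs for requests matching
# the W32/Bagle.dw.dldr download URLs. The log lines and field layout below are
# constructed/assumed for illustration; $BagleHosts is a subset of the listed hosts.
$BagleHosts = @(
    'ala-bg.net', 'allinfo.com.au', 'americasenergyco.com',
    'www.befag.ru', 'www.vnettools.com'
)

$SampleLog = @'
2006-02-26 10:02:11 10.1.2.33 GET http://www.example.com/index.html 200
2006-02-26 10:02:19 10.1.2.33 GET http://www.befag.ru/images/444.jpg 404
2006-02-26 10:03:01 10.1.2.57 GET http://ala-bg.net/444.jpg 200
2006-02-26 10:03:44 10.1.2.57 GET http://cdn.example.org/444.jpg 200
'@ -split "`r?`n"

function Find-BagleDownloadRequests {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Fields: 0 date, 1 time, 2 client, 3 method, 4 URL, 5 status
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6) { continue }
        $uri = [uri]$f[4]
        $hostHit = $BagleHosts -contains $uri.Host
        $pathHit = $uri.AbsolutePath -like '*/444.jpg'
        if ($hostHit -or $pathHit) {
            [pscustomobject]@{
                Time   = "$($f[0]) $($f[1])"
                Client = $f[2]
                Url    = $uri.AbsoluteUri
                Status = $f[5]          # 404s are consistent with the NOTE above
                Match  = if ($hostHit -and $pathHit) { 'host+path' }
                         elseif ($hostHit) { 'host' }
                         else { 'path only (review)' }
            }
        }
    }
}

Find-BagleDownloadRequests -Lines $SampleLog | Format-Table -AutoSize
```

Host matches are strong indicators; a path-only match (the cdn.example.org line) is reported separately because /444.jpg is a generic enough name that it needs analyst review rather than automatic blocking. Replace $SampleLog with Get-Content on the real proxy log and extend $BagleHosts with the full list from the description.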

Method of Infection

This downloader trojan is dropped by W32/Bagle.dw, which was mass-spammed on February 25th, 2006.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • TROJ_BAGLE.DM (Trend Micro)
  • Trojan-Downloader.Win32.Bagle.ae (Kaspersky)
  • Trojan.DL.Bagle.HC (VirusBuster)
  • W32.Beagle.DV (Symantec)
  • W32/Bagle.HL.worm (Panda)
