This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4698 (2006-02-16)
Updated DAT: 4782 (2006-06-12)
Minimum Engine: 5.1.00
File Length: N/A
Description Added: 2006-02-16
Description Modified: 2006-02-16
W32/Bagle.dv.dldr is a trojan downloader that attempts to download and execute files from a list of compromised websites. As the sites it contacts are normally under the malware author's control, the files it retrieves can be replaced remotely at any time, so the behaviour of the downloaded binaries can differ from one infection to the next.
When executed, the trojan copies itself into the Windows system directory as:
%WINDIR%\%SYSTEM%\anti_troj.exe
It adds the following registry value under both of these keys so that it is started each time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = "%WINDIR%\%SYSTEM%2\anti_troj.exe"
It also adds the following registry key and value as a marker that the system is already infected:
HKEY_CURRENT_USER\Software\FirstRRRun
"FirstRun" = "01"
W32/Bagle.dv.dldr attempts to download files from the following URLs ("[Removed]" marks a portion of the path that has been redacted from this description):
http://americasenergyco.com[Removed]/mul.php
http://amerykaameryka.com[Removed]/mul.php
http://amistra.com[Removed]/mul.php
http://analisisyconsultoria.com[Removed]/mul.php
http://calamarco.com[Removed]/mul.php
http://www.americarising.com[Removed]/mul.php
http://www.bbrealservis.sk[Removed]/mul.php
http://www.befag.ru[Removed]/mul.php
http://www.benininfo.com[Removed]/mul.php
http://www.bennylife.com[Removed]/mul.php
http://www.bestcheapdomainregistration.info[Removed]/mul.php
http://www.bidsforbaby.com[Removed]/mul.php
http://www.binhaigolf.com[Removed]/mul.php
http://www.biotenk.com[Removed]/mul.php
http://www.bitsolution.ro[Removed]/mul.php
http://www.nmtltd.com[Removed]/mul.php
http://www.vnettools.com[Removed]/mul.php
http://www.boldrussell.com[Removed]/mul.php
http://www.bronko-m.ru[Removed]/mul.php
http://www.bulkemailservicenow.com[Removed]/mul.php
http://www.bulkemaildirectmarketing.com[Removed]/mul.php
http://www.calidad.biz[Removed]/mul.php
http://www.cansew.ca[Removed]/mul.php
http://www.cansultdubai.ae[Removed]/mul.php
http://www.casaquecanta.com[Removed]/mul.php
http://www.chilotitomarino.cl[Removed]/mul.php
http://www.chinaculturedpearl.com[Removed]/mul.php
http://www.casino-malibu.ru[Removed]/mul.php
http://www.colin18.com[Removed]/mul.php
http://www.khonkaenpoc.com[Removed]/mul.php
http://www.connectesl.com[Removed]/mul.php
http://ala-bg.net[Removed]/mul.php
http://allinfo.com.au[Removed]/mul.php
http://eleceltek.com[Removed]/mul.php
http://alevibirligi.ch[Removed]/mul.php
http://alfaclassic.sk[Removed]/mul.php
http://allanconi.it[Removed]/mul.php
NOTE: At the time of writing this description, McAfee AVERT did not observe any file actually being downloaded; the files may already have been moved or deleted from the remote sites.
This downloader trojan is dropped by W32/Bagle.dv.dr, which was mass-spammed on February 15th, 2006.
The latest DATs combined with the engine version listed above will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when files are received via P2P clients, IRC, email or other media where users share files.
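The persistence indicators above (the Run value and the FirstRRRun marker) and the download URL list can be turned into a quick triage check. The following is an added example, not code from McAfee AVERT or from this description: it parses a regedit (.reg) export for the two host-side indicators and scans proxy log lines for requests to the listed hosts for mul.php. The .reg text and the log lines are constructed sample input in a made-up "time client method url status" layout; only a subset of the download hosts is embedded (paste in the full list for real use), a leading "www." is dropped so both forms of a host match, and, because the path before /mul.php is redacted in the description, matching is on host plus the mul.php filename rather than the full URL.

```python
import re
from typing import Dict, List, Tuple

# Host-side indicators, as given in the description above.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "anti_troj"
DROPPED_FILENAME = "anti_troj.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
MARKER_VALUE_NAME, MARKER_VALUE_DATA = "FirstRun", "01"

# Network indicators: a subset of the download hosts from the description
# (assumption: the remaining hosts are added the same way). A leading "www."
# is dropped so both forms match; the path is redacted in the description,
# so matching is on host plus the mul.php filename.
DOWNLOAD_HOSTS = {
    "americasenergyco.com", "amistra.com", "calamarco.com",
    "befag.ru", "bulkemailservicenow.com", "allinfo.com.au",
}
DOWNLOAD_FILENAME = "/mul.php"

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
URL_RE = re.compile(r'https?://([^/\s:]+)(?::\d+)?(/[^\s"]*)', re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit (.reg) export into {key: {value_name: string_data}}.

    Only REG_SZ values are handled. A .reg file writes each backslash in
    string data as two backslashes, so that escaping is undone here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_host_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per persistence/marker indicator present in the export."""
    findings: List[str] = []
    for key in RUN_KEYS:
        data = reg.get(key, {}).get(RUN_VALUE_NAME, "")
        if data.lower().endswith(DROPPED_FILENAME):
            findings.append(f"autostart: {key}\\{RUN_VALUE_NAME} = {data}")
    if reg.get(MARKER_KEY, {}).get(MARKER_VALUE_NAME) == MARKER_VALUE_DATA:
        findings.append(
            f"infection marker: {MARKER_KEY}\\{MARKER_VALUE_NAME} = {MARKER_VALUE_DATA}"
        )
    return findings


def check_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, path) for every request to a listed host for mul.php."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host.startswith("www."):
                host = host[4:]
            path = m.group(2)
            if host in DOWNLOAD_HOSTS and path.lower().endswith(DOWNLOAD_FILENAME):
                hits.append((host, path))
    return hits


def triage(reg_text: str, log_lines: List[str]) -> Dict[str, object]:
    """Run both checks; empty lists on both sides mean no indicator was seen."""
    return {
        "host": check_host_indicators(parse_reg_export(reg_text)),
        "network": check_proxy_log(log_lines),
    }


# Constructed sample input (not captured from a real infection): a .reg
# export from a host with both indicators, and four proxy log lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRun"="01"
"""

SAMPLE_PROXY_LOG = [
    "1140048000.123 10.0.0.7 GET http://www.befag.ru/images/mul.php 200",
    "1140048001.456 10.0.0.7 GET http://www.example.com/index.html 200",
    "1140048002.789 10.0.0.9 GET http://amistra.com/mul.php 404",
    "1140048003.001 10.0.0.9 GET http://calamarco.com/about.html 200",
]

if __name__ == "__main__":
    for side, found in triage(SAMPLE_REG, SAMPLE_PROXY_LOG).items():
        for f in found:
            print(f"[{side}] {f}")
```

A request to a listed host for a page other than mul.php (the calamarco.com line in the sample) is deliberately not reported: the host itself is a legitimate, compromised site, and the indicator from the description is the mul.php fetch, not any contact with the domain. On a real host, the .reg text would come from `reg export` of the two Run keys and the FirstRRRun key.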