Virus:TR/Dldr.Bagle.FJ
Date discovered:04/02/2006
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:5,632 bytes
MD5 checksum:220d6a98d0f06846a01ce50dddd9a27d
VDF version:6.33.00.195

 General:
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Beagle.DN@mm
   •  McAfee: W32/Bagle.dq
   •  TrendMicro: TROJ_DLOADER.BOI
   •  BitDefender: Trojan.Downloader.Small.IJ

It was previously detected as:
   •  Worm/Bagle.FJ.2


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Registry modification

 Files:
It tries to download a file. The locations are the following:
   • http://dook.**********
   • http://debut.**********
   • http://myphoto**********
   • http://ijj.t**********
   • http://209.16.85.230/**********
The downloaded file is saved on the local hard drive as:
   • %TEMPDIR%\win%random character string%.tmp
and is executed once the download has completed. At the time of writing the file was no longer online, so it could not be analysed further.

 Registry:
It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"=
     "%malware execution directory%\%executed file%:*:Enabled:ipsec"

The value follows the Windows Firewall (Windows XP SP2 / Server 2003 SP1) exception format path:scope:state:name. The scope "*" admits connections from any remote address, and the display name "ipsec" is what the firewall's Exceptions list shows, so the entry is easy to mistake for a legitimate Windows component. Windows 95, 98, ME, NT and 2000 have no Windows Firewall, so there the entry is inert.
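The registry value above is the one artifact of this downloader an analyst can hunt for on a system without the sample. The following parser is an added example written for this page, not Avira's code and not part of the original description: it splits AuthorizedApplications\List values in the path:scope:state:name format and flags entries whose program sits in a temporary directory, does not end in .exe, or whose value name disagrees with the embedded path. The SAMPLE_LIST values are constructed for illustration (the file names winab12cd.tmp, update.exe and the paths are hypothetical); the real entry's path is unknown, as the report only gives %malware execution directory%\%executed file%.

```python
"""Triage Windows Firewall exception entries of the kind this downloader adds.

On Windows XP SP2 / Server 2003 SP1, each REG_SZ value under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\
FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List
is named after the executable's path and holds
    <path>:<scope>:<Enabled|Disabled>:<display name>
where scope "*" means any remote address.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample of exported values (hypothetical; not from the report).
# The last three mimic what a downloader run from %TEMP% would leave behind.
SAMPLE_LIST = {
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\winab12cd.tmp":
        r"C:\DOCUME~1\user\LOCALS~1\Temp\winab12cd.tmp:*:Enabled:ipsec",
    r"C:\Temp\update.exe":
        r"C:\Temp\update.exe:*:Enabled:ipsec",
    r"C:\WINDOWS\system32\svchost.exe":
        r"C:\WINDOWS\svchost.exe:*:Enabled:svchost",
}

TEMP_VAR_RE = re.compile(r"%(temp|tmp|tempdir)%", re.IGNORECASE)


@dataclass
class FirewallEntry:
    value_name: str
    path: str
    scope: str
    state: str
    display_name: str
    findings: list = field(default_factory=list)


def parse_entry(value_name: str, data: str) -> FirewallEntry:
    """Split '<path>:<scope>:<state>:<name>' from the right, because the
    path itself contains ':' after the drive letter."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed AuthorizedApplications value: {data!r}")
    path, scope, state, name = parts
    return FirewallEntry(value_name, path, scope, state, name)


def is_temp_path(path: str) -> bool:
    """True for %TEMP%-style variables or a Temp/Tmp path component."""
    if TEMP_VAR_RE.search(path):
        return True
    components = [c.lower() for c in ntpath.normpath(path).split("\\")]
    return "temp" in components or "tmp" in components


def triage(entry: FirewallEntry) -> FirewallEntry:
    """Attach findings. The checks are deliberately objective (location,
    extension, name/path consistency) rather than trusting the display
    name, since malware picks plausible names such as 'ipsec'."""
    if ntpath.normcase(entry.value_name) != ntpath.normcase(entry.path):
        entry.findings.append("value name differs from the embedded path")
    if is_temp_path(entry.path):
        entry.findings.append("program lives in a temporary directory")
    ext = ntpath.splitext(entry.path)[1].lower()
    if ext != ".exe":
        entry.findings.append(f"unusual extension {ext or '(none)'}")
    if entry.findings and entry.state.lower() == "enabled" and entry.scope == "*":
        entry.findings.append("exception is enabled for any remote address")
    return entry


def suspicious_entries(values: dict) -> dict:
    """Map value name -> findings for every entry that raised at least one."""
    result = {}
    for name, data in values.items():
        entry = triage(parse_entry(name, data))
        if entry.findings:
            result[name] = entry.findings
    return result


if __name__ == "__main__":
    for name, findings in suspicious_entries(SAMPLE_LIST).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

On a live system the dictionary would be filled from the exported key (for example via `reg export` or `winreg`); the two legitimate sample entries produce no findings, while the .tmp in the user's Temp directory, the executable in C:\Temp and the entry whose name and path disagree are all reported.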

 Miscellaneous:
Mutex:
It creates the following mutex:
   • bagla_super_downloader_1000

 File details:
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Gherman on Monday, February 13, 2006
Description updated by Andrei Gherman on Monday, February 20, 2006
