Virus: TR/Drop.Bagle.FU.1
Date discovered: 27/02/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 12.288 Bytes
MD5 checksum: 027d49e1719f2fa51afca3d794d7d7f4
VDF version: 6.33.1.30
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: W32.Beagle.DV
• Kaspersky: Trojan-Downloader.Win32.Bagle.ae
• Bitdefender: Trojan.Glieder.DF
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Drops a malicious file
• Registry modification

Files
The following file is created:
– %SYSDIR%\ldr64.dll
Further investigation showed that this file is malware as well. Detected as: TR/Drop.Bagle.FU.DLL
It tries to download some files:
– The locations are the following:
• www.befag.ru/**********
• www.bennylife.com/**********
• www.bidsforbaby.com/**********
• www.biotenk.com/**********
• www.calidad.biz/**********
• www.nmtltd.com/**********
• www.boldrussell.com/**********
• www.bulkemailservicenow.com/**********
• www.cansultdubai.ae/**********
• www.chilotitomarino.cl/**********
• www.casino-malibu.ru/**********
• www.khonkaenpoc.com/**********
• ala-bg.net/**********
• eleceltek.com/**********
• alfaclassic.sk/**********
• www.americarising.com/**********
• amerykaameryka.com/**********
• analisisyconsultoria.com/**********
• www.bbrealservis.sk/**********
• www.benininfo.com/**********
• www.bestcheapdomainregistration.info/**********
• www.binhaigolf.com/**********
• www.bitsolution.ro/**********
• www.vnettools.com/**********
• www.bronko-m.ru/**********
• www.bulkemaildirectmarketing.com/**********
• www.cansew.ca/**********
• www.casaquecanta.com/**********
• www.chinaculturedpearl.com/**********
• www.colin18.com/**********
• www.connectesl.com/**********
• allinfo.com.au/**********
• alevibirligi.ch/**********
• allanconi.it/**********
• americasenergyco.com/**********
• amistra.com/**********
• calamarco.com/**********
It is saved on the local hard drive under: %SYSDIR%\edlm.exe
At the time of writing this file was not online for further investigation.

Registry
The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
• LdCount = dword:00000000
• prevt = dword:00000000
• Impersonate = dword:00000000
• Asynchronous = dword:00000001
• DllName = ldr64.dll
• Startup = Startup

File details
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.
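The Winlogon\Notify key registers a DLL that winlogon.exe loads at logon, which is why the dropped ldr64.dll is listed there. As an added example (not part of the Avira description, and not Avira's tooling), the script below parses a registry export of that key and reports Notify packages whose DllName is not in a baseline of expected DLLs. The sample export is constructed for this example: the ldr64 subkey reproduces the values given above, the crypt32chain subkey is a stand-in for a normal Windows package, and the baseline set and the system directory path are assumptions to be replaced with values taken from a known-clean reference system of the same Windows build.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export of the Winlogon Notify key.
# The ldr64 subkey mirrors the values in the description above; crypt32chain is
# a constructed stand-in for a legitimate package (DllName stored as REG_EXPAND_SZ).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
"LdCount"=dword:00000000
"prevt"=dword:00000000
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"="ldr64.dll"
"Startup"="Startup"
"""

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")

# Assumed baseline of DLLs that Windows 2000/XP Notify packages point to.
# Build the real list from a clean reference system, not from this example.
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                        "wlnotify.dll", "sclgntfy.dll"}


def _decode_value(raw: str) -> str:
    """Turn a .reg value (quoted string or hex(2) UTF-16LE blob) into text."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword:... and other types are kept as their raw text


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    # hex values may be wrapped with a trailing backslash; join them first
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"')] = _decode_value(value)
    return keys


def find_suspicious_notify_packages(reg_text: str,
                                    sysdir: str = r"C:\WINDOWS\system32") -> List[dict]:
    """Report Notify subkeys whose DllName is outside the baseline."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        dll = values.get("DllName", "")
        if not dll:
            continue
        # A bare file name (as with ldr64.dll) is resolved from the directory
        # winlogon.exe runs in, so show where the file would actually live.
        resolved = dll if "\\" in dll else sysdir + "\\" + dll
        if dll.lower() not in BASELINE_NOTIFY_DLLS:
            findings.append({
                "subkey": key[len(NOTIFY_PREFIX):],
                "dll": dll,
                "path": resolved,
                "asynchronous": values.get("Asynchronous") == "dword:00000001",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_notify_packages(SAMPLE_REG_EXPORT):
        print(f"unexpected Notify package {f['subkey']!r}: {f['path']}"
              f" (asynchronous={f['asynchronous']})")
```

On a live system the same check is run against an export produced with reg.exe (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`); any flagged DLL should be hashed and compared against known-good files before the key is touched, since removing the key while the DLL is still present leaves the dropper's second stage on disk.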
Description inserted by Andrei Gherman on Tuesday, February 28, 2006 Description updated by Andrei Gherman on Tuesday, February 28, 2006