Virus: TR/Dldr.Bagle.FU.3
Date discovered: 30/03/2006
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: ~264.000 Bytes
VDF version: 6.34.00.118

General:
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Trojan.Tooso
   • Mcafee: W32/Bagle.ew
   • Kaspersky: Trojan-Dropper.Win32.Agent.alt
   • TrendMicro: TROJ_BAGLE.CO
   • Bitdefender: Trojan.Downloader.Bagle.AH
   • TR/Dldr.Bagle.FU


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops a malicious file
   • Registry modification


Right after execution the following information is displayed:

Files:
The following file is created:

%SYSDIR%\ldr64.dll
Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Bagle.FU.DL2




It tries to download some files:

– The locations are the following:
It is saved on the local hard drive under: %SYSDIR%\edlm.exe
At the time of writing this file was not online for further investigation.

– The locations are the following:
It is saved on the local hard drive under: %SYSDIR%\edlm2.exe
At the time of writing this file was not online for further investigation.

Registry:
The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
   • Asynchronous = dword:00000001
   • DllName = ldr64.dll
   • Impersonate = dword:00000000
   • LdCount = dword:00000000
   • prevt = dword:00000000
   • Startup = Startup

File details:
Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Thursday, March 30, 2006
Description updated by Andrei Gherman on Wednesday, April 5, 2006
