English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Bagle.DH
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Bagle.DH - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Bagle.DH
Date discovered:
21/09/2005
Type:
Trojan
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Low to medium
Static file:
Yes
File size:
30.878 Bytes
MD5 checksum:
a52e2715a253b1f53b9cffdd11d4e0d0
VDF version:
6.32.0.34
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: W32.Beagle.CG@mm
• Kaspersky: Email-Worm.Win32.Bagle.dh
• Bitdefender: Win32.Bagle.DM@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a file
• Uses its own Email engine
• Registry modification
Files
It copies itself to the following location:
•
%SYSDIR%
\windll2.exe
It tries to download some files:
– The locations are the following:
• http://localhost/sss.php
• http://localhost/script2.php
• http://localhost/script3.php
• http://**********.com/images/web.php
• http://amerikansk**********.dk/images/web.php
• http://**********.com/help/web.php
• http://**********.com/lyra/web.php
• http://**********.cl/images/web.php
• http://**********.com/images/web.php
• http://**********.nl/images/web.php
• http://**********.com/bovedas/web.php
It is saved on the local hard drive under:
%WINDIR%
\eml.exe At the time of writing this file was not online for further investigation.
Registry
The values of the following registry keys are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
• "ICQ Net"
• "SkynetsRevenge"
• "KasperskyAVEng"
• "Norton Antivirus AV"
• "PandaAVEngine"
• "EasyAV"
• "SysMonXP"
• "MsInfo"
• "FirewallSvr"
• "Jammer2nd"
• "NetDy"
• "HtProtect"
• "ICQNet"
• "Tiny AV"
• "service"
• "Special Firewall Service"
• "Antivirus"
• "9XHtProtect"
• "Zone Labs Client Ex"
• "My AV"
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
• "ICQ Net"
• "SkynetsRevenge"
• "KasperskyAVEng"
• "Norton Antivirus AV"
• "PandaAVEngine"
• "EasyAV"
• "SysMonXP"
• "MsInfo"
• "FirewallSvr"
• "Jammer2nd"
• "NetDy"
• "HtProtect"
• "ICQNet"
• "Tiny AV"
• "service"
• "Special Firewall Service"
• "Antivirus"
• "9XHtProtect"
• "Zone Labs Client Ex"
• "My AV"
The following registry key is added:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n]
• "
%SYSDIR%
\windll2.exe"
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
The sender address is spoofed.
To:
– Gathered addresses from the internet.
Subject:
The subject line is empty.
Body:
The body of the email is one of the lines:
• price
• new price
Attachment:
The contents of the file is not a copy of itself but another malware. A description can be found here:
TR/Bagle.CW
The filename of the attachment is one of the following:
• 09_price.zip
• new__price.zip
• new_price.zip
• newprice.zip
• price.zip
• price_09.zip
• price_new.zip
• price2.zip
The email looks like the following:
Mailing
It does not send emails to addresses containing one of the following strings:
• @eerswqe; @derewrdgrs; @microsoft; rating@; f-secur; update; anyone@;
bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@;
admin; icrosoft; support; ntivi; linux; listserv; certific; sopho;
@iana; free-av; @messagelab; winzip; google; winrar; samples; abuse;
panda; cafee; @avp.; noreply; local; root@; postmaster@
MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
• smtp.mail.ru
Resolving server names:
If the request using the standard DNS fails it continues with the following
It has the ability to contact the DNS server:
• 194.190.195.66
Backdoor
The following port is opened:
–
%executed file%
on TCP port 80 in order to provide a proxy server.
Miscellaneous
Mutex:
It creates the following Mutexes:
• vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Razvan Olteanu on Thu, 22 Sep 2005 10:35 (GMT+1)
Description updated by Razvan Olteanu on Mon, 26 Sep 2005 12:46 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Bagle.DH
Print this page
.gif)
