English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Bagle.DE.3.A
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Bagle.DE.3.A - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Bagle.DE.3.A
Date discovered:
22/09/2005
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Low to medium
Static file:
Yes
File size:
95.941 Bytes
MD5 checksum:
60FFE8354820CB7F8E02AA1C76A01FB0
VDF version:
6.32.0.34
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Trojan.Fantibag.A
• Kaspersky: Email-Worm.Win32.Bagle.dw
• TrendMicro: TROJ_FANTIBAG.A
• F-Secure: W32/Mitglieder.FU
• Bitdefender: Win32.Bagle.DL@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to security websites
• Drops a malicious file
• Registry modification
Files
It copies itself to the following location:
•
%WINDIR%
\firewall_anti.exe
The following file is created:
–
%WINDIR%
\firewall_anti.exe.dll Detected as: TR/Bagle.DE.3.B
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "firewall_anti"="
%WINDIR%
\firewall_anti.exe"
Injection
– It injects the following file into a process:
%WINDIR%
\firewall_anti.exe.dll
Process name:
• explorer.exe
If successful, the malware process terminates while the injected part remains active.
Purpose:
Access to the following websites is effectively blocked:
• ftpav.ca.com; www.pandasoftware.com; pandasoftware.com; clamav.net;
www.clamav.net; www.bitdefender.com; bitdefender.com;
ravantivirus.com; www.ravantivirus.com; drweb.ru; www.drweb.com;
drweb.com; antivir.de; www.antivir.de; 216.200.68.152; 212.113.20.69;
63.210.193.12; 84.53.142.22; 84.53.142.6; kaspersky.ru; grisoft.com;
www3.ca.com; www.viruslist.ru; www.viruslist.com; www.trendmicro.com;
www.symantec.com; www.sophos.com; www.networkassociates.com;
www.nai.com; www.my-etrust.com; www.mcafee.com; www.kaspersky.ru;
www.kaspersky.com; www.kaspersky-labs.com; www.grisoft.com;
www.fastclick.net; www.f-secure.com; www.awaps.net; www.avp.ru;
www.avp.com; www.avp.ch; windowsupdate.microsoft.com; viruslist.ru;
viruslist.com; vil.nai.com; us.mcafee.com;
updates5.kaspersky-labs.com; updates4.kaspersky-labs.com;
updates3.kaspersky-labs.com; updates2.kaspersky-labs.com;
updates1.kaspersky-labs.com; updates.symantec.com;
update.symantec.com; trendmicro.com; symantec.com;
support.microsoft.com; spd.atdmt.com; sophos.com;
service1.symantec.com; securityresponse.symantec.com; secure.nai.com;
rads.mcafee.com; phx.corporate-ir.net; office.microsoft.com;
networkassociates.com; nai.com; my-etrust.com; msdn.microsoft.com;
media.fastclick.net; mcafee.com; mast.mcafee.com;
liveupdate.symantecliveupdate.com; liveupdate.symantec.com;
kaspersky.com; kaspersky-labs.com; ids.kaspersky-labs.com;
go.microsoft.com; ftp.sophos.com; ftp.kasperskylab.ru;
ftp.f-secure.com; ftp.downloads2.kaspersky-labs.com; ftp.avp.ch;
fastclick.net; f-secure.com; engine.awaps.net;
downloads4.kaspersky-labs.com; downloads3.kaspersky-labs.com;
downloads2.kaspersky-labs.com; downloads1.kaspersky-labs.com;
downloads.microsoft.com; downloads-us3.kaspersky-labs.com;
downloads-us2.kaspersky-labs.com; downloads-us1.kaspersky-labs.com;
downloads-eu1.kaspersky-labs.com; download.microsoft.com;
download.mcafee.com; dispatch.mcafee.com; customer.symantec.com;
clicks.atdmt.com; click.atdmt.com; www.ca.com; ca.com;
banners.fastclick.net; banner.fastclick.net; awaps.net; avp.ru;
avp.com; avp.ch; atdmt.com; ar.atwola.com; ads.fastclick.net;
ad.fastclick.net; report.bitdefender.com; upgrade.bitdefender.com;
ad.doubleclick.net
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Andrei Gherman on Thu, 22 Sep 2005 16:54 (GMT+1)
Description updated by Andrei Gherman on Mon, 26 Sep 2005 15:12 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Bagle.DE.3.A
Print this page
.gif)
