TR/Bagle.GE - Trojan
Virus: TR/Bagle.GE
Date discovered: 23/11/2005
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 40.572 Bytes
MD5 checksum: 5b607b1fb72f1b98ac2eea94e67107ab
IVDF version: 6.32.00.217 - Wed, 23 Nov 2005 17:27 (GMT+1)
General
Method of propagation:
• Email
Aliases:
• Mcafee: W32/Bagle.ff
• Sophos: W32/Bagle-QX
• Panda: Trj/Mitglieder.SG
• Eset: Win32/Bagle.HD
• Bitdefender: Win32.Bagle.KA@mm
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Uses its own Email engine
• Registry modification
Files
It copies itself to the following locations:
• %HOME%\Application Data\hidn\hidn2.exe
• %HOME%\Application Data\hidn\hldrrr.exe
It tries to download some files:
– The locations are the following:
• http://www.titanmotors.com/images/1/**********
• http://veranmaisala.com/1/**********
• http://wklight.nazwa.pl/1/**********
• http://yongsan24.co.kr/1/**********
• http://accesible.cl/1/**********
• http://hotelesalba.com/1/**********
• http://amdlady.com/1/**********
• http://inca.dnetsolution.net/1/**********
• http://www.auraura.com/1/**********
• http://avataresgratis.com/1/**********
• http://beyoglu.com.tr/1/**********
• http://brandshock.com/1/**********
• http://www.buydigital.co.kr/1/**********
• http://camaramafra.sc.gov.br/1/**********
• http://camposequipamentos.com.br/1/**********
• http://cbradio.sos.pl/1/**********
• http://c-d-c.com.au/1/**********
• http://www.klanpl.com/1/**********
• http://coparefrescos.stantonstreetgroup.com/1/**********
• http://creainspire.com/1/**********
• http://desenjoi.com.br/1/**********
• http://www.inprofile.gr/1/**********
• http://www.diem.cl/1/**********
• http://www.discotecapuzzle.com/1/**********
At the time of writing this file was not online for further investigation.
– The locations are the following:
• http://ceramax.co.kr/**********
• http://prime.gushi.org/**********
• http://www.chapisteriadaniel.com/**********
• http://charlesspaans.com/**********
• http://chatsk.wz.cz/**********
• http://www.chittychat.com/**********
• http://checkalertusa.com/**********
• http://cibernegocios.com.ar/**********
• http://5050clothing.com/**********
• http://cof666.shockonline.net/**********
• http://comaxtechnologies.net/**********
• http://concellodesandias.com/**********
• http://www.cort.ru/**********
• http://donchef.com/**********
• http://www.crfj.com/**********
• http://kremz.ru/**********
• http://dev.jintek.com/**********
• http://foxvcoin.com/**********
• http://uwua132.org/**********
• http://v-v-kopretiny.ic.cz/**********
• http://erich-kaestner-schule-donaueschingen.de/**********
• http://vanvakfi.com/**********
• http://axelero.hu/**********
• http://kisalfold.com/**********
• http://vega-sps.com/**********
• http://vidus.ru/**********
• http://viralstrategies.com/**********
• http://svatba.viskot.cz/**********
• http://Vivamodelhobby.com/**********
• http://vkinfotech.com/**********
• http://vytukas.com/**********
• http://waisenhaus-kenya.ch/**********
• http://watsrisuphan.org/**********
• http://www.ag.ohio-state.edu/**********
• http://wbecanada.com/**********
• http://calamarco.com/**********
• http://vproinc.com/**********
• http://grupdogus.de/**********
• http://knickimbit.de/**********
• http://dogoodesign.ch/**********
• http://systemforex.de/**********
• http://zebrachina.net/**********
• http://www.walsch.de/**********
• http://hotchillishop.de/**********
• http://innovation.ojom.net/**********
• http://massgroup.de/**********
• http://web-comp.hu/**********
• http://webfull.com/**********
• http://welvo.com/**********
• http://www.ag.ohio-state.edu/**********
• http://poliklinika-vajnorska.sk/**********
• http://wvpilots.org/**********
• http://www.kersten.de/**********
• http://www.kljbwadersloh.de/**********
• http://www.voov.de/**********
• http://www.wchat.cz/**********
• http://www.wg-aufbau-bautzen.de/**********
• http://www.wzhuate.com/**********
• http://zsnabreznaknm.sk/**********
• http://xotravel.ru/**********
• http://ilikesimple.com/**********
• http://yeniguntugla.com/**********
At the time of writing this file was not online for further investigation.
Registry
One of the following values is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "drv_st_key"="%HOME%\Application Data\hidn\hidn2.exe"
The following registry key is added:
– [HKCU\Software\FirstRun]
• "FirstRun"=dword:0x00000001
The following registry key is changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
New value:
• "Start"=dword:0x00000004
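The three registry entries above are the host-side indicators a responder would look for: the Run value provides persistence, the FirstRun value is an infection marker, and Start=4 on wuauserv is SERVICE_DISABLED, i.e. the Automatic Updates service is switched off. As an added example (not part of Avira's description), the following Python parses a registry export in .reg syntax and flags exactly those entries. The sample export, the user profile paths and the benign OneDrive entry are constructed for the demonstration.

```python
import re

# Constructed sample of a registry export in .reg syntax. The paths and the
# benign "OneDrive" entry are made up for the demonstration; the three
# Bagle.GE indicators mirror the keys/values listed in the description.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"drv_st_key"="C:\\Documents and Settings\\alice\\Application Data\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Automatic Updates"
"Start"=dword:00000004
"""

HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

SERVICE_DISABLED = 4  # Start=dword:4 is SERVICE_DISABLED for a Windows service


def parse_reg_export(text):
    """Parse .reg export text into {key: {value name: value}}.

    Keys use the short hive names the description uses (HKCU\\..., HKLM\\...).
    REG_SZ data is unescaped; REG_DWORD data is converted to an int.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            hive, _, rest = key_match.group(1).partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = data  # other types (hex:, etc.) are kept raw
            keys[current][name] = value
    return keys


def check_bagle_ge_indicators(keys):
    """Return a list of (category, detail) tuples, one per indicator present."""
    findings = []

    run = keys.get(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", {})
    target = run.get("drv_st_key")
    if isinstance(target, str) and target.lower().endswith(r"\application data\hidn\hidn2.exe"):
        findings.append(("persistence", f"Run value drv_st_key -> {target}"))

    if keys.get(r"HKCU\Software\FirstRun", {}).get("FirstRun") == 1:
        findings.append(("infection marker", "HKCU\\Software\\FirstRun FirstRun=1"))

    svc = keys.get(r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", {})
    if svc.get("Start") == SERVICE_DISABLED:
        findings.append(("defense evasion", "wuauserv (Automatic Updates) set to disabled"))

    return findings


if __name__ == "__main__":
    for category, detail in check_bagle_ge_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{category}] {detail}")
```

On a live host the input would come from `reg export` of the two hives; the checker matches the Run value on its path suffix rather than the full path because %HOME% resolves differently per user and Windows version.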
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
The sender address is spoofed; it is generated by the malware. Do not assume that the apparent sender intended to send this email to you: that person may not know about an infection, or may not be infected at all. You may also receive bounced emails telling you that you are infected, which likewise need not be the case.
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– The following email address:
• user532703@gmail.com
Subject:
One of the following:
• price%current date%
• new_price%current date%
• latest_price%current date%
Body:
– Contains HTML code.
The body of the email is one of the lines:
• Message in attach.
• Msg attached.
• Message is zipped.
Attachment:
The filename of the attachment is:
• new_%current date%.zip
The attachment is a copy of the malware itself.
Mailing
Search addresses:
It searches the following files for email addresses:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
.nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
.oft; .uin; .cgi; .mht; .dhtm; .jsp
Address generation for FROM field:
Here you can find examples of generated addresses:
• rating@; f-secur; news; update; anyone@; bugs@; contract@; feste;
gold-certs@; help@; info@; nobody@; noone@; kasp; admin; icrosoft;
support; ntivi; unix; bsd; linux; listserv; certific; sopho; @foo;
@iana; free-av; @messagelab; winzip; google; winrar; samples; abuse;
panda; cafee; spam; pgp; @avp.; noreply; local; root@; postmaster@
MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
• smtp.mail.ru
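The Email and Mailing sections together describe what a mail gateway or a network sensor can key on: a fixed set of subject prefixes followed by a date, a zip attachment named after the same date, one of three body lines wrapped in HTML, and delivery by a direct SMTP connection from the infected workstation rather than through the organisation's relay. As an added example (not Avira's code), the following Python applies those characteristics to constructed messages and constructed connection records. The exact date format is an assumption, since the description only gives "%current date%", so the patterns accept any run of digits, dots, slashes or dashes in that position; the 203.0.113.0/24 addresses are documentation space standing in for external mail servers.

```python
import re
from dataclasses import dataclass

# The date token format is an assumption: the description only says "%current date%".
DATE_TOKEN = r"[\d./-]+"
SUBJECT_RE = re.compile(rf"^(price|new_price|latest_price)\s*{DATE_TOKEN}$", re.IGNORECASE)
ATTACH_RE = re.compile(rf"^new_{DATE_TOKEN}\.zip$", re.IGNORECASE)
BODY_LINES = {"message in attach.", "msg attached.", "message is zipped."}
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list


# Constructed messages: one matching the described mail, one ordinary business mail.
SAMPLE_MESSAGES = [
    Message("info@example.com", "price 23.11.2005",
            "<html><body>Message in attach.</body></html>", ["new_23.11.2005.zip"]),
    Message("sales@example.org", "Price list Q4",
            "Hi, the quote you asked for is attached.", ["quote.pdf"]),
]


def bagle_ge_indicators(msg):
    """Return which of the three mail characteristics (subject, attachment, body) match."""
    hits = []
    if SUBJECT_RE.match(msg.subject.strip()):
        hits.append("subject")
    if any(ATTACH_RE.match(name) for name in msg.attachments):
        hits.append("attachment")
    plain = TAG_RE.sub("", msg.body).strip().lower()  # the body carries HTML markup
    if plain in BODY_LINES:
        hits.append("body")
    return hits


def is_suspected_bagle_ge(msg):
    """A zip attachment with the generated name plus at least one more matching trait."""
    hits = bagle_ge_indicators(msg)
    return "attachment" in hits and len(hits) >= 2


# Constructed connection records: "<time> <src>:<sport> -> <dst>:<dport> <flags>".
# 203.0.113.0/24 is documentation address space standing in for external mail servers.
SAMPLE_FLOWS = [
    "2005-11-23T17:30:01 10.0.0.15:4132 -> 203.0.113.10:25 SYN",
    "2005-11-23T17:30:02 10.0.0.5:49211 -> 203.0.113.10:25 SYN",
    "2005-11-23T17:30:03 10.0.0.15:4133 -> 203.0.113.20:80 SYN",
]
FLOW_RE = re.compile(r"^\S+ (\S+):\d+ -> (\S+):(\d+) ")


def direct_smtp_from_workstations(flows, approved_relays):
    """List internal sources opening TCP/25 themselves instead of using an approved relay."""
    offenders = []
    for line in flows:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, _dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 25 and src not in approved_relays and src not in offenders:
            offenders.append(src)
    return offenders


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg.subject, "->", bagle_ge_indicators(msg), is_suspected_bagle_ge(msg))
    print("direct SMTP from:", direct_smtp_from_workstations(SAMPLE_FLOWS, {"10.0.0.5"}))
```

The message check requires the attachment pattern plus one more trait so that a legitimate "price" subject alone does not fire; the flow check is the network counterpart of "a direct connection with the destination server will be established" and only needs the set of hosts that are allowed to speak SMTP outbound.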
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer. See a brief description here.
Description inserted by Petre Galan on Mon, 16 Nov 2009 15:41 (GMT+1)
Description updated by Petre Galan on Mon, 23 Nov 2009 14:04 (GMT+1)
© 2010 Avira GmbH