Name: TR/Drop.Bagle.FU.1
Discovered on: 27/02/2006
Type: Trojan
In the wild: Yes
Number of reported infections: Low
Distribution potential: Low
Damage potential: Low to medium
Static file: Yes
File size: 12,288 bytes
MD5: 027d49e1719f2fa51afca3d794d7d7f4
VDF version: 6.33.1.30

General
Method of propagation:
   • Has no propagation routine of its own


Aliases:
   •  Symantec: W32.Beagle.DV
   •  Kaspersky: Trojan-Downloader.Win32.Bagle.ae
   •  Bitdefender: Trojan.Glieder.DF


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops a malicious file
   • Registry modifications

Files
The following file is created:

– %SYSDIR%\ldr64.dll Further analysis showed that this file is also malware. Detected as: TR/Drop.Bagle.FU.DLL

It tries to download several files:

– The addresses are the following:
   • www.befag.ru/**********
   • www.bennylife.com/**********
   • www.bidsforbaby.com/**********
   • www.biotenk.com/**********
   • www.calidad.biz/**********
   • www.nmtltd.com/**********
   • www.boldrussell.com/**********
   • www.bulkemailservicenow.com/**********
   • www.cansultdubai.ae/**********
   • www.chilotitomarino.cl/**********
   • www.casino-malibu.ru/**********
   • www.khonkaenpoc.com/**********
   • ala-bg.net/**********
   • eleceltek.com/**********
   • alfaclassic.sk/**********
   • www.americarising.com/**********
   • amerykaameryka.com/**********
   • analisisyconsultoria.com/**********
   • www.bbrealservis.sk/**********
   • www.benininfo.com/**********
   • www.bestcheapdomainregistration.info/**********
   • www.binhaigolf.com/**********
   • www.bitsolution.ro/**********
   • www.vnettools.com/**********
   • www.bronko-m.ru/**********
   • www.bulkemaildirectmarketing.com/**********
   • www.cansew.ca/**********
   • www.casaquecanta.com/**********
   • www.chinaculturedpearl.com/**********
   • www.colin18.com/**********
   • www.connectesl.com/**********
   • allinfo.com.au/**********
   • alevibirligi.ch/**********
   • allanconi.it/**********
   • americasenergyco.com/**********
   • amistra.com/**********
   • calamarco.com/**********
The file is stored on the hard disk at: %SYSDIR%\edlm.exe. At the time of writing, this file was not available for further analysis.

– The addresses are the following:
   • www.bbrealservis.sk/**********
   • www.benininfo.com/**********
   • www.bestcheapdomainregistration.info/**********
   • www.binhaigolf.com/**********
   • www.bitsolution.ro/**********
   • www.vnettools.com/**********
   • www.bronko-m.ru/**********
   • www.bulkemaildirectmarketing.com/**********
   • www.cansew.ca/**********
   • www.casaquecanta.com/**********
   • www.chinaculturedpearl.com/**********
   • www.colin18.com/**********
   • www.connectesl.com/**********
   • allinfo.com.au/**********
   • alevibirligi.ch/**********
   • allanconi.it/**********
   • americasenergyco.com/**********
   • amistra.com/**********
   • calamarco.com/**********
   • www.befag.ru/**********
   • www.bennylife.com/**********
   • www.bidsforbaby.com/**********
   • www.biotenk.com/**********
   • www.nmtltd.com/**********
   • www.boldrussell.com/**********
   • www.bulkemailservicenow.com/**********
   • www.calidad.biz/**********
   • www.cansultdubai.ae/**********
   • www.chilotitomarino.cl/**********
   • www.casino-malibu.ru/**********
   • www.khonkaenpoc.com/**********
   • ala-bg.net/**********
   • eleceltek.com/**********
   • alfaclassic.sk/**********
   • www.americarising.com/**********
   • amerykaameryka.com/**********
   • analisisyconsultoria.com/**********
The file is stored on the hard disk at: %SYSDIR%\edlm.exe. At the time of writing, this file was not available for further analysis.

Registry
The following keys are added to the registry:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
   • LdCount = dword:00000000
   • prevt = dword:00000000
   • Impersonate = dword:00000000
   • Asynchronous = dword:00000001
   • DllName = ldr64.dll
   • Startup = Startup
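The Winlogon\Notify key above is a persistence mechanism on Windows 2000/XP/2003: any DLL registered there is loaded by winlogon.exe at logon. The following script is an added example for responders, not part of the Avira description or its tooling; it enumerates every registered Notify package, resolves the DllName to %SYSDIR% (Windows looks there for unqualified names), and flags entries matching the indicators on this page (subkey `ldr64`, `ldr64.dll`, dropped files `%SYSDIR%\ldr64.dll` and `%SYSDIR%\edlm.exe`, MD5 of the dropper). The MD5 comparison against `edlm.exe` is an assumption for illustration only; the page states that file was unavailable for analysis, so its real hash is unknown.

```powershell
# Added example: inventory Winlogon Notify packages and flag the indicators
# described in this TR/Drop.Bagle.FU.1 entry. Run elevated on the suspect host.
$notifyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sysDir       = Join-Path $env:SystemRoot 'System32'   # %SYSDIR% in the description
$suspectKey   = 'ldr64'                                # subkey named on the page
$suspectDll   = 'ldr64.dll'                            # DllName value on the page
$dropperMd5   = '027d49e1719f2fa51afca3d794d7d7f4'     # MD5 of the dropper (from the page)
$droppedFiles = @('ldr64.dll', 'edlm.exe')             # files named on the page

# 1. Enumerate all Notify packages. On Vista and later the key is normally
#    absent, so an empty result there is expected, not suspicious.
if (Test-Path $notifyPath) {
    Get-ChildItem -Path $notifyPath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = [string]$props.DllName
        # Unqualified DllName values are loaded from %SYSDIR%.
        $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $sysDir $dll
        } else { $dll }
        [PSCustomObject]@{
            Subkey       = $_.PSChildName
            DllName      = $dll
            ResolvedPath = $resolved
            OnDisk       = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
            Asynchronous = $props.Asynchronous
            Startup      = $props.Startup
            Flagged      = ($_.PSChildName -ieq $suspectKey) -or ($dll -ieq $suspectDll)
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "No Winlogon\Notify key present (normal on Windows Vista and later)."
}

# 2. Check the dropped-file locations and hash whatever is present.
foreach ($name in $droppedFiles) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        # Only the dropper's MD5 is known from the page; a match on any dropped
        # file is reported, any other hash is just recorded for the case file.
        $note = if ($md5 -eq $dropperMd5) { 'matches dropper MD5 from description' } else { 'unknown hash, preserve for analysis' }
        Write-Output ("FOUND  {0}  MD5={1}  ({2})" -f $path, $md5, $note)
    } else {
        Write-Output ("absent {0}" -f $path)
    }
}
```

On a clean Windows XP host the Notify key holds Microsoft packages such as crypt32chain, ScCertProp or termsrv, all with DllName values that resolve to signed files in %SYSDIR%; an entry whose DLL is unsigned, recently written, or absent from a known-good baseline is the one to preserve and examine before removing the key.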

File details
Runtime packer:
To make detection harder and reduce the file size, a runtime packer is used.

Description inserted by Andrei Gherman on Tuesday, 28 February 2006
Description updated by Andrei Gherman on Tuesday, 28 February 2006
