Name: TR/Drop.Bagle.FU.1
Discovered on: 27/02/2006
Type: Trojan
ITW: Yes
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low to medium
Static file: Yes
Size: 12,288 bytes
MD5: 027d49e1719f2fa51afca3d794d7d7f4
VDF version: 6.33.1.30

General
Spreading method:
   • Has no propagation routine of its own


Aliases:
   •  Symantec: W32.Beagle.DV
   •  Kaspersky: Trojan-Downloader.Win32.Bagle.ae
   •  Bitdefender: Trojan.Glieder.DF


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Creates a malware file
   • Modifies the registry

Files
The following file is created:

– %SYSDIR%\ldr64.dll Further analysis showed that this file is also malware. Detected as: TR/Drop.Bagle.FU.DLL

It tries to download several files:

– Download addresses (the path component is masked in the original description):
The downloaded file is stored on the hard disk at: %SYSDIR%\edlm.exe. At the time this description was written, the file was not available for further analysis.

System registry
The following is added to the system registry:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
   • LdCount = dword:00000000
   • prevt = dword:00000000
   • Impersonate = dword:00000000
   • Asynchronous = dword:00000001
   • DllName = ldr64.dll
   • Startup = Startup

File details
File compression:
To hinder detection and reduce the file size, a runtime packer is used.

Description inserted by Andrei Gherman on Tuesday, 28 February 2006
Description updated by Andrei Gherman on Tuesday, 28 February 2006
