TR/Bagle.BR.A.Dll - Trojan

Vedi anche

In breve

Descrizione completa

Statistiche

Nome del virus:	TR/Bagle.BR.A.Dll
Scoperto:	15/09/2005
Tipo:	Trojan
In circolazione (ITW):	No
Numero delle infezioni segnalate:	Basso
Potenziale di propagazione:	Basso
Potenziale di danni:	Medio-Basso
File statico:	Si
Dimensione del file:	102,916 bytes Byte
Somma di controllo MD5:	ab3803a26d79bfe38a3f3af779d5e1bb
Versione VDF:	6.30.0.218

Generale Metodo di propagazione:
   • Nessuna propria procedura di propagazione

Alias:
   • Mcafee: W32/Bagle.dldr.gen
   • Sophos: Troj/Netdeny-A
   • Eset: Win32/Bagle.BI

Piattaforme / Sistemi operativi:
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP

Effetti secondari:
   • Blocca l'accesso a siti web di sicurezza
   • Modifica del registro

File Si copia alla seguente posizione:
• %WINDIR%\firewall_anti.exe

Viene creato il seguente file:

– %WINDIR%\firewall_anti.exe.dll Ulteriori analisi hanno accertato che questo file è anch'esso un malware. Riconosciuto come: TR/Bagle.BR.A.Dll

Registro Viene aggiunta nel registro la seguente chiave con lo scopo di eseguire il processo dopo il riavvio:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "firewall_anti"="%WINDIR%\firewall_anti.exe"

Le seguenti chiavi di registro vengono aggiunte per caricare il servizio dopo il riavvio:

– HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
   • "0"="Root\\LEGACY_IPFILTERDRIVER\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

Vengono aggiunte le seguenti chiavi di registro:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
   • "Service"="IpFilterDriver"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="IP Traffic Filter Driver"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\
   Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="IpFilterDriver"

Host – L'accesso ai seguenti domini è effettivamente bloccato:
   • 212.113.20.69; 216.200.68.152; 63.210.193.12; 84.53.142.22;
      84.53.142.6; ad.doubleclick.net; ad.fastclick.net; ads.fastclick.net;
      antivir.de; ar.atwola.com; atdmt.com; avp.ch; avp.com; avp.ru;
      awaps.net; banner.fastclick.net; banners.fastclick.net;
      bitdefender.com; ca.com; clamav.net; click.atdmt.com;
      clicks.atdmt.com; customer.symantec.com; dispatch.mcafee.com;
      download.mcafee.com; download.microsoft.com; downloads.microsoft.com;
      downloads1.kaspersky-labs.com; downloads2.kaspersky-labs.com;
      downloads3.kaspersky-labs.com; downloads4.kaspersky-labs.com;
      downloads-eu1.kaspersky-labs.com; downloads-us1.kaspersky-labs.com;
      downloads-us2.kaspersky-labs.com; downloads-us3.kaspersky-labs.com;
      drweb.com; drweb.ru; engine.awaps.net; fastclick.net; f-secure.com;
      ftp.avp.ch; ftp.downloads2.kaspersky-labs.com; ftp.f-secure.com;
      ftp.kasperskylab.ru; ftp.sophos.com; ftpav.ca.com; go.microsoft.com;
      grisoft.com; ids.kaspersky-labs.com; kaspersky.com; kaspersky.ru;
      kaspersky-labs.com; liveupdate.symantec.com;
      liveupdate.symantecliveupdate.com; mast.mcafee.com; mcafee.com;
      media.fastclick.net; msdn.microsoft.com; my-etrust.com; nai.com;
      networkassociates.com; office.microsoft.com; pandasoftware.com;
      phx.corporate-ir.net; rads.mcafee.com; ravantivirus.com;
      secure.nai.com; securityresponse.symantec.com; service1.symantec.com;
      sophos.com; spd.atdmt.com; support.microsoft.com; symantec.com;
      trendmicro.com; update.symantec.com; updates.symantec.com;
      updates1.kaspersky-labs.com; updates2.kaspersky-labs.com;
      updates3.kaspersky-labs.com; updates4.kaspersky-labs.com;
      updates5.kaspersky-labs.com; us.mcafee.com; vil.nai.com;
      viruslist.com; viruslist.ru; windowsupdate.microsoft.com;
      www.antivir.de; www.avp.ch; www.avp.com; www.avp.ru; www.awaps.net;
      www.bitdefender.com; www.ca.com; www.clamav.net; www.drweb.com;
      www.fastclick.net; www.f-secure.com; www.grisoft.com;
      www.kaspersky.com; www.kaspersky.ru; www.kaspersky-labs.com;
      www.mcafee.com; www.my-etrust.com; www.nai.com;
      www.networkassociates.com; www.pandasoftware.com;
      www.ravantivirus.com; www.sophos.com; www.symantec.com;
      www.trendmicro.com; www.viruslist.com; www.viruslist.ru; www3.ca.com

Come il virus si inserisce nei processi – Inserisce il seguente file in un processo: %WINDIR%\firewall_anti.exe.dll

Nome del processo:
• %WINDIR%\Explorer.exe

Per la descrizione "in breve" clicca qui.

Descrizione inserita da Irina Boldea il Wed, 14 Sep 2005 17:04 (GMT+1)
Descrizione aggiornata da Irina Boldea il Fri, 16 Sep 2005 11:14 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« Indietro