Trojan:W32/Bagle.GF
First posted on 12 July 2010.
Source: SecurityHome
Aliases:
There are no other names known for Trojan:W32/Bagle.GF.
Explanation:
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
Additional Details
Trojan:W32/Bagle.GF sets up a proxy service on the infected machine. Through the proxy, the Bagle authors can send spam or reach other network resources.
This Bagle-related trojan was first seen on 23 March 2006.
Installation
When the trojan file is run, it copies itself as:
• %System%\wintems.exe
%System% represents the Windows System folder.
The trojan installs the following registry launchpoint as a string value:
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "german.exe" = "%System%\wintems.exe"
The trojan creates a named mutex, "555", to ensure that only one copy of it runs at a time.
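The three installation artifacts above (the dropped file, the Run value and the mutex) are what a responder checks first on a suspect host. The following script is an added example, not F-Secure's code: it takes a `.reg` export of the HKCU Run key (as produced by `reg export`, which writes UTF-16LE, so decode it first) plus a list of mutex names collected with a handle lister, and reports which Bagle.GF indicators are present. The sample registry export and mutex list are constructed for the example, not captured from a real infection.

```python
"""Host triage for the Trojan:W32/Bagle.GF launchpoint described above.

Added example, not F-Secure's code. Input is a .reg export of the HKCU Run key
(decoded to str) and a list of mutex names, so it runs offline; the samples
below are constructed, not captured from a real infection.
"""
from __future__ import annotations

import ntpath
import re

# Indicators taken from the description.
DROPPED_FILE = "wintems.exe"      # copied to %System%\wintems.exe
RUN_VALUE_NAME = "german.exe"     # string value under the HKCU Run key
MUTEX_NAME = "555"                # single-instance mutex
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what `reg export HKCU\...\Run run.reg` yields on an
# infected host (reg.exe writes UTF-16LE; decode before calling parse_reg_export).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
"""

# Constructed sample mutex listing (one name per entry, as a handle lister reports them).
SAMPLE_MUTEXES = ["Local\\ZonesCounterMutex", "555", "ShimCacheMutex"]

# "name"="data" lines; backslash escapes inside the quotes are allowed.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping (doubled backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg file into {key_path: {value_name: data}}.

    Only REG_SZ lines ("name"="data") are decoded, which is all this check
    needs; hex:/dword: values and the "@" default value are skipped.
    """
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = (unescape_reg(g) for g in m.groups())
            keys[current][name] = data
    return keys


def image_path(command: str) -> str:
    """Extract the executable path from a Run value, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_launchpoint(reg: dict[str, dict[str, str]]) -> list[str]:
    """Report Run values matching the Bagle.GF launchpoint.

    Value name and image basename are compared case-insensitively (registry
    value names are case-insensitive); a hit on only one of the two is still
    reported, since variants often keep one string and change the other.
    """
    run = {k.lower(): v for k, v in reg.items()}.get(RUN_KEY.lower(), {})
    findings = []
    for name, data in run.items():
        name_hit = name.lower() == RUN_VALUE_NAME
        file_hit = ntpath.basename(image_path(data)).lower() == DROPPED_FILE
        if name_hit or file_hit:
            quality = "exact Bagle.GF launchpoint" if name_hit and file_hit else "partial match"
            findings.append(f"{name!r} = {data!r} ({quality})")
    return findings


def find_mutex(mutexes: list[str]) -> bool:
    """True if the single-instance mutex "555" exists in any namespace."""
    return any(m.split("\\")[-1] == MUTEX_NAME for m in mutexes)


def triage(reg_text: str, mutexes: list[str]) -> dict:
    """Combine both checks into one verdict."""
    launchpoint = find_launchpoint(parse_reg_export(reg_text))
    mutex_hit = find_mutex(mutexes)
    verdict = "Bagle.GF indicators present" if launchpoint or mutex_hit else "no Bagle.GF indicators"
    return {"launchpoint": launchpoint, "mutex_555": mutex_hit, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG_EXPORT, SAMPLE_MUTEXES).items():
        print(f"{k}: {v}")
```

The file check is deliberately left to the collector: `%System%\wintems.exe` is matched here through the Run value's image path, and a direct `Test-Path` on the expanded system directory confirms it on the live host. Because the mutex name is a bare "555", the check accepts it in the `Local\` or `Global\` namespace as well.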
Payload
The main payload of the trojan is a proxy service listening on a fixed port. The port, along with other information about the infected system, is periodically sent to the following list of web servers:
• http:// 8marta.ru/img/path/[removed]
• http:// asvt.ru/images/[removed]
• http:// avistrade.ru/prog/img/proizvod/[removed]
• http:// calimasurf.com/images/base/orig/[removed]
• http:// celebrationsinspain.com/images/[removed]
• http:// coral-adventures.com/images/[removed]
• http:// dearruthie.com/images/[removed]
• http:// dmax.ru/images/[removed]
• http:// efpa-eg.net/images/[removed]
• http:// ferrumcomp.ru/images/[removed]
• http:// financialbusiness.ca/images/[removed]
• http:// golden-ring.net/images/[removed]
• http:// goodbathscents.com/images/[removed]
• http:// jamminjo.com/images/[removed]
• http:// kmold.biz/images/[removed]
• http:// kokon.com/images/[removed]
• http:// komt.ru/images/[removed]
• http:// magian.ru/images/[removed]
• http:// merkur-akademie.de/images/[removed]
• http:// mir-vesov.ru/p/lang/CVS/[removed]
• http:// monomah-city.ru/vakans/[removed]
• http:// nakorable.ru/htdocs/img/[removed]
• http:// optimsasia.com/images/[removed]
• http:// pvcps.ru/images/[removed]
• http:// raz-naraz.wz.cz/html/fanklub/[removed]
• http:// redshop.ru/images/[removed]
• http:// roszvetmet.com/images/[removed]
• http:// schiffsparty.de/bilder/uploads/[removed]
• http:// sdom.ru/images/[removed]
• http:// service6.valuehost.ru/images/[removed]
• http:// spbso.ru/images/[removed]
• http:// stroyindustry.ru/service/construction/[removed]
• http:// vladzernoproduct.ru/control/sell/t/[removed]
• http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
• http:// www.deadlygames.de/DG/BF/BF-Links/clans/[removed]
• http:// www.emil-zittau.de/karten/[removed]
• http:// www.etype.hostingcity.net/mysql_admin_new/images/[removed]
• http:// www.levada.ru/htmlarea/images/[removed]
• http:// www.mirage.ru/sport/omega/pic/omega/[removed]
• http:// www.ordendeslichts.de/intern/[removed]
The proxy has a simple access-control mechanism: a list of addresses that are refused use of the proxy. The trojan fetches this list from a second set of web servers:
• http:// avistrade.ru/prog/img/proizvod/[removed]
• http:// mir-vesov.ru/p/lang/CVS/[removed]
• http:// monomah-city.ru/vakans/[removed]
• http:// pvcps.ru/images/[removed]
• http:// service6.valuehost.ru/images/[removed]
• http:// trehrechie.ru/images/[removed]
• http:// turnstylesticketing.com/images/[removed]
• http:// twilightzone.cz/distro/[removed]
• http:// vniipo.ru/images/_notes/[removed]
• http:// voelckergmbh.de/images/[removed]
• http:// vserozetki.ru/images/[removed]
• http:// vtr-spb.ru/fp/mikrobus/gazel/[removed]
• http:// www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/[removed]
• http:// www.belteh.ru/images/ludi/[removed]
• http:// www.bmblawfirm.com/images/[removed]
• http:// www.enertelligence.com/playitsafe/images/[removed]
• http:// www.enkor.ru/images/[removed]
• http:// www.g-antssoft.com/images/icon/jpg/blog/[removed]
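On the network side, the two server lists above are the usable indicators: the first receives the periodic port report, the second serves the deny-list. The script below is an added example, not F-Secure's code, and goes slightly beyond the description by also checking whether contacts to a listed host recur at a regular interval, which is what "periodically sent" looks like in a proxy log. The hosts are taken from the two lists (leading "www." dropped, because the matcher walks up the label chain); the log format "epoch client url", the timing thresholds and the sample lines are assumptions constructed for the example, not captured traffic.

```python
"""Spot Trojan:W32/Bagle.GF check-in traffic in a web-proxy log.

Added example, not F-Secure's code. The host sets come from the two server
lists in the description ("www." dropped, since the matcher walks up the
label chain). The log format "epoch client url" and the sample lines are
constructed for this example, not captured from a real infection.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# First list: servers that receive the proxy port and system information.
BEACON_HOSTS = {
    "8marta.ru", "asvt.ru", "avistrade.ru", "calimasurf.com", "celebrationsinspain.com",
    "coral-adventures.com", "dearruthie.com", "dmax.ru", "efpa-eg.net", "ferrumcomp.ru",
    "financialbusiness.ca", "golden-ring.net", "goodbathscents.com", "jamminjo.com", "kmold.biz",
    "kokon.com", "komt.ru", "magian.ru", "merkur-akademie.de", "mir-vesov.ru", "monomah-city.ru",
    "nakorable.ru", "optimsasia.com", "pvcps.ru", "raz-naraz.wz.cz", "redshop.ru", "roszvetmet.com",
    "schiffsparty.de", "sdom.ru", "service6.valuehost.ru", "spbso.ru", "stroyindustry.ru",
    "vladzernoproduct.ru", "13tw22rigobert.de", "deadlygames.de", "emil-zittau.de",
    "etype.hostingcity.net", "levada.ru", "mirage.ru", "ordendeslichts.de",
}
# Second list: servers that hand out the proxy's address deny-list.
DENYLIST_HOSTS = {
    "avistrade.ru", "mir-vesov.ru", "monomah-city.ru", "pvcps.ru", "service6.valuehost.ru",
    "trehrechie.ru", "turnstylesticketing.com", "twilightzone.cz", "vniipo.ru", "voelckergmbh.de",
    "vserozetki.ru", "vtr-spb.ru", "13tw22rigobert.de", "belteh.ru", "bmblawfirm.com",
    "enertelligence.com", "enkor.ru", "g-antssoft.com",
}

# Constructed proxy log: one client reporting to 8marta.ru every 10 minutes,
# a single deny-list fetch from pvcps.ru, a second client, and benign traffic.
SAMPLE_LOG = """\
1143100000 10.0.0.7 http://8marta.ru/img/path/
1143100003 10.0.0.7 http://www.example.com/
1143100600 10.0.0.7 http://8marta.ru/img/path/
1143100650 10.0.0.7 http://pvcps.ru/images/
1143101200 10.0.0.7 http://8marta.ru/img/path/
1143101800 10.0.0.7 http://8marta.ru/img/path/
1143102400 10.0.0.7 http://8marta.ru/img/path/
1143102410 10.0.0.9 http://www.levada.ru/htmlarea/images/
"""


def match_host(host: str) -> str | None:
    """Return the listed host that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BEACON_HOSTS or candidate in DENYLIST_HOSTS:
            return candidate
    return None


def roles(host: str) -> set[str]:
    """Which of the two server lists a matched host appears on."""
    return {r for r, s in (("beacon", BEACON_HOSTS), ("denylist", DENYLIST_HOSTS)) if host in s}


def analyse(log_text: str, min_hits: int = 3, max_jitter: float = 0.2) -> dict[tuple[str, str], dict]:
    """Group contacts per (client, listed host) and characterise their timing.

    A (client, host) pair is marked periodic when it has at least `min_hits`
    contacts and the inter-arrival times have a coefficient of variation no
    larger than `max_jitter`; both thresholds are assumptions to tune locally.
    """
    hits: dict[tuple[str, str], list[int]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        listed = match_host(urlsplit(url).hostname or "")
        if listed:
            hits[(client, listed)].append(int(ts))
    report = {}
    for key, times in hits.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps) if gaps else None
        periodic = False
        if len(times) >= min_hits:
            mean = statistics.mean(gaps)
            # A burst of hits in the same second has mean 0 and is not a beacon.
            jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
            periodic = jitter <= max_jitter
        report[key] = {"hits": len(times), "roles": roles(key[1]),
                       "median_gap_s": median, "periodic": periodic}
    return report


if __name__ == "__main__":
    for (client, host), info in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info}")
```

A host on both lists (pvcps.ru, for instance) is reported with both roles, and a single contact is still reported, since a deny-list fetch happens once rather than on a schedule. Any hit on these hosts is worth a look on its own; the periodicity flag only prioritises the client that is actively reporting its proxy port.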
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-03-23_04
Last update 12 July 2010