New Bagle "AI" Trojan/Downloader - MEDIUM RISK

#1 harrywaldron
Security Reporter
Posted 01 September 2004 - 05:36 AM

Every AV vendor has a unique name for this new version of Bagle that was mass mailed extensively overnight. Secunia uses "AI" and they have issued a MEDIUM RISK alert for this virus at 2004-09-01 02:40. McAfee calls this new variant Bagle.dll.dr and Symantec has named it Beagle.AQ.

New Bagle "AI" Trojan/Downloader - MEDIUM RISK (Secunia)

This new variant is a trojan that downloads and executes arbitrary files from a long hardcoded list of 131 URLs. In the wild, we have seen other variants of this trojan download Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable. This variant has been mass-mailed on a large scale by what appears to be Win32.Bagle.AI.

The origin was an e-mail message that was spammed to numerous people. The e-mail contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs and then tries to connect to several websites and download a file from them. The URLs are hardcoded in the program's body.


Subject: foto
Body: foto
Attachment: foto.zip or foto1.zip ( containing foto.html and foto1.exe)
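The quoted advisory gives enough to write a simple mail-gateway check for this lure: the subject and body "foto", the attachment names foto.zip / foto1.zip, an archive that carries an .exe beside an .html file, and a 12,800-byte dropper. The script below is an added example, not code from the post, Secunia or any vendor; it parses a raw message with the standard library, opens each ZIP attachment in memory, and reports which indicators match. The list of executable suffixes beyond .exe, the size check, the block/quarantine/deliver verdict and the two sample messages are assumptions made for the example (the samples are constructed, not captured mail).

```python
"""Screen an e-mail for the Bagle.AI lure described in the advisory:
subject/body "foto" with a ZIP attachment holding an .exe next to an .html."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the advisory quoted above.
LURE_SUBJECTS = {"foto"}
LURE_ZIP_NAMES = {"foto.zip", "foto1.zip"}
DROPPER_SIZE = 12800  # byte size of the dropper per the advisory
# Assumed gateway policy: treat the usual Windows executable suffixes as
# dangerous, not only the .exe named in the advisory.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def screen_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return the indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = {"subject": False, "zip_name": False, "exe_in_zip": [],
            "html_in_zip": [], "size_match": False}
    hits["subject"] = (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in LURE_ZIP_NAMES:
            hits["zip_name"] = True
        if not name.endswith(".zip"):
            continue
        try:
            # Inspect the archive in memory; nothing is written to disk.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = info.filename.lower()
                    if member.endswith(EXECUTABLE_SUFFIXES):
                        hits["exe_in_zip"].append(info.filename)
                        if info.file_size == DROPPER_SIZE:
                            hits["size_match"] = True
                    elif member.endswith((".htm", ".html")):
                        hits["html_in_zip"].append(info.filename)
        except zipfile.BadZipFile:
            # Not a real archive; leave it to the regular AV scan.
            continue
    return hits


def verdict(hits: dict) -> str:
    """Assumed policy: an executable inside a ZIP is blocked outright;
    a lure subject or attachment name alone is held for review."""
    if hits["exe_in_zip"]:
        return "block"
    if hits["subject"] or hits["zip_name"]:
        return "quarantine"
    return "deliver"


def build_sample(subject: str, zip_name: str, members: dict) -> bytes:
    """Construct a test message (constructed sample, not a captured mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(subject)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return bytes(msg)


# Constructed samples: one mimicking the lure (12,800-byte dummy "exe"
# beside an HTML file), one ordinary photo archive.
SAMPLE_LURE = build_sample("foto", "foto1.zip",
                           {"foto.html": b"<html></html>",
                            "foto1.exe": b"MZ" + b"\0" * 12798})
SAMPLE_BENIGN = build_sample("holiday pictures", "pics.zip",
                             {"beach.jpg": b"\xff\xd8\xff"})

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        hits = screen_message(raw)
        print(label, verdict(hits), hits)
```

Run as a script it prints "lure block" for the constructed lure and "benign deliver" for the photo archive. The size check is only corroborating evidence: the next variant will not be 12,800 bytes, so the rule that actually earns its keep is "executable inside an archive attachment", independent of the subject line.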
