
New Bagle "AI" Trojan/Downloader - MEDIUM RISK



#1 harrywaldron (Security Reporter)

Posted 01 September 2004 - 05:36 AM

Every AV vendor has a unique name for this new version of Bagle that was mass mailed extensively overnight. Secunia uses "AI" and they have issued a MEDIUM RISK alert for this virus at 2004-09-01 02:40. McAfee calls this new variant Bagle.dll.dr and Symantec has named it Beagle.AQ.

New Bagle "AI" Trojan/Downloader - MEDIUM RISK (Secunia)
http://secunia.com/virus_information/11645/
http://vil.nai.com/vil/content/v_127119.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_BAGLE.AI
http://www.f-secure.com/v-descs/bagle_ak.shtml
http://www.symantec.com/avcenter/venc/data...agle.aq@mm.html
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=40053
http://www.sophos.com/virusinfo/analyses/trojbagledla.html

This new variant is a trojan that downloads and executes arbitrary files from a long hardcoded list of 131 URLs. In the wild, we have seen other variants of this trojan download Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable. This variant has been mass-mailed on a large scale by what appears to be Win32.Bagle.AI.

The origin was an e-mail message that was spammed to numerous people. The e-mail contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL component that kills processes belonging to updating components of several anti-virus programs and then tries to connect to several websites and download a file from them. The URLs are hardcoded in the program's body.

EMAIL MESSAGE FORMAT

Subject: foto
Body: foto
Attachment: foto.zip or foto1.zip (containing foto.html and foto1.exe)
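A mail-gateway check for the message format described above, written as an added example (not part of the original post or of any vendor's tooling): it parses one RFC 822 message, opens any zip attachment in memory, and reports whether the subject, archive name and archive members match the indicators listed. The sender/recipient addresses and the zip member contents are constructed placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Indicators from the post: subject/body "foto", archive foto.zip or
# foto1.zip containing foto.html and foto1.exe.
SUSPECT_ARCHIVES = {"foto.zip", "foto1.zip"}
SUSPECT_MEMBERS = {"foto.html", "foto1.exe"}


def find_bagle_ai_indicators(raw_message: bytes) -> dict:
    """Return the indicators found in one raw message.

    'archives' lists zip attachments whose name or members match the post;
    'executables' lists every .exe member seen inside any zip attachment.
    """
    msg = email.message_from_bytes(raw_message)
    result = {
        "subject": (msg.get("Subject") or "").strip().lower() == "foto",
        "archives": [], "executables": [], "members": [],
    }
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)  # base64-decoded bytes
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:  # malformed archive: still worth logging
            members = []
        if name in SUSPECT_ARCHIVES or SUSPECT_MEMBERS & set(members):
            result["archives"].append(name)
        result["members"].extend(members)
        result["executables"].extend(m for m in members if m.endswith(".exe"))
    return result


def build_sample_message() -> bytes:
    """Constructed message mimicking the described format; the zip members
    are harmless placeholder bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html>placeholder</html>")
        zf.writestr("foto1.exe", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "foto"
    msg["From"] = "sender@example.invalid"  # constructed address
    msg["To"] = "recipient@example.invalid"  # constructed address
    msg.set_content("foto")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="foto.zip")
    return msg.as_bytes()
```

The same function works on any raw message fed from a gateway or mailbox export, and flagging any .exe member inside a zip attachment catches the variant even if the archive name changes.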