Virus

W32/Bagle.AU !tr

Analysis

This is a minor variant of W32/Bagle.AT; the main difference is in the downloader file name. It changed from "foto.exe" to "calc.exe". This executable attempts to download the virus W32/Bagle.AU-mm from one of 123 websites. It may first arrive as an attachment to email in this format -
Subject: foto
Body:
foto
Attachments: foto.zip
The subject, body text and attachment name are variable. The .ZIP will usually contain these two files -
foto.html
1\calc.exe
The .HTML file contains instructions to load "1\calc.exe" using a Codebase exploit. If a user were to extract the .ZIP on a default Windows system, it may not be apparent that the second folder "foto" exists, because it and the file "calc.exe" have hidden attributes. By default, Windows does not display files or folders with hidden attributes.
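As an added example (not part of the original analysis), the following Python check inspects a ZIP attachment for the layout described above: an HTML file alongside an executable that sits in a nested folder and carries the MS-DOS hidden attribute. The sample archive is constructed inline with inert placeholder contents; only the file names follow the description.

```python
import io
import posixpath
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit lives in the low byte of external_attr


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the layout above; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html><body>placeholder</body></html>")
        info = zipfile.ZipInfo("1/calc.exe")
        info.external_attr = DOS_HIDDEN  # hidden attribute, as in the real archive
        zf.writestr(info, b"MZ placeholder, not a real executable")
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict:
    """Flag executables (hidden or nested) and the HTML + EXE pairing."""
    findings = []
    has_html = has_exec = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            hidden = bool(info.external_attr & DOS_HIDDEN)
            nested = "/" in name  # zip entries always use forward slashes
            if ext in {".htm", ".html"}:
                has_html = True
            if ext in EXEC_EXTENSIONS:
                has_exec = True
                reasons = ["executable"]
                if hidden:
                    reasons.append("hidden attribute")
                if nested:
                    reasons.append("nested folder")
                findings.append((name, reasons))
            elif hidden:
                findings.append((name, ["hidden attribute"]))
    return {"findings": findings, "html_plus_exe": has_html and has_exec}


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip()))
```

A mail gateway or triage script can quarantine on `html_plus_exe` or on any executable entry carrying the hidden bit, since a normal photo archive has neither.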
If the EXE file executes, it will write two files to the local system -
C:\WINNT\system32\doriot.exe (12,800 bytes, hidden attributes)
C:\WINNT\system32\gdqfw.exe (9,728 bytes)
The registry is modified to load "doriot.exe" at next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wpds.exe = C:\Winnt\System32\doriot.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
wpds.exe = C:\Winnt\System32\doriot.exe
When "doriot.exe" runs, it locates the process "Shell_TrayWnd" (Windows shell Explorer process). Next it injects its code into the process space and then attempts to connect to one of several HTTP websites to retrieve a copy of W32/Bagle.AU-mm.
Process Termination
The virus will attempt to stop any service that matches any of these names -
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE
Most of these are related to security or Antivirus software.
W32/Bagle.AU-mm Download Routine
This virus will attempt to connect with any of these web addresses and retrieve a binary file stored there as "6.jpg" -
The file is stored to appear as if it were a .JPG file; however, it is an executable copy of W32/Bagle.AU-mm.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option