
W32/Bagle.M!tr - Released Mar 13, 2004 - Last Updated Mar 13, 2007

Alias/es

I-Worm.Bagle.m, TrojanProxy.Win32.Mitglieder.T, W32/Bagle.M!tr

Detection Availability

                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A

Visible Symptoms

  • Possible firewall alert that the file "bgxtdll.exe" is attempting to access the Internet

  • Creation of these files into the System32 folder -

    bgxtdll.exe - 18,432 bytes
    syswrun4x.exe - 14,336 bytes
    windllzup.exe - 1,536 bytes
    ban_list.txt - 4,100+ bytes

  • Web traffic logs have reference to the web file "script.php" and "banlistx.php"




Detailed Analysis


Specifics
The Trojan is a 32-bit executable and a variant of the W32/Mitglieder family. The Mitglieder Trojan and Bagle virus families share some code and structure. This Trojan functions as an SMTP mail relay on a compromised system.


Loading At Windows Startup
If the Trojan is run, it extracts other files and stores them in the System32 folder -

C:\WINNT\System32\BGXTDLL.exe - dropper for Bagle.M
C:\WINNT\System32\syswrun4x.exe - Bagle.M
C:\WINNT\System32\windllzup.exe - loader for Bagle.M

The Trojan adjusts the registry so that it is run automatically at the next Windows startup, as in this example -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"usrgateway.exe" = C:\WINNT\System32\syswrun4x.exe


Application Termination Payload
This Trojan may attempt to terminate processes or applications matching the following names -

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
avp.exe
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
supertest.exe
UPDATE.EXE


SMTP Proxy/Remote Access Capability
This Trojan binds to a randomly selected TCP port and awaits instructions from a malicious user; an instruction could be to carry out SMTP delivery via the Trojan's SMTP proxy code.

The Trojan attempts to notify its author by connecting to compromised web servers and submitting the TCP port in use and the IP address of the compromised system to a server-side script named "script.php". The Trojan author compromised several German and Russian websites and probably has at least read access to them in order to retrieve the logged IP addresses of compromised systems.

This is the list of compromised web servers storing the server-side script "script.php" -

www.globaldatabase.info
www.framesearch.info

The Trojan also retrieves a text file named "banlistx.php" containing IP addresses. This PHP file is stored on these compromised web servers -

www.globaldatabase.info
www.framesearch.info

The PHP file "banlist.php" is stored in the System32 folder alongside the proxy Trojan under the file name "ban_list.txt".
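The indicators above (the dropped files and their sizes, the HKCU Run value pointing at syswrun4x.exe, and web requests for "script.php" / "banlistx.php" on the two listed hosts) can be triaged from a System32 directory listing, a .reg export and a proxy log. The following is an added example written for this page, not Fortinet's code; the log record layout and the sample data are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the advisory above.
DROPPED_FILES = {"bgxtdll.exe": 18432, "syswrun4x.exe": 14336, "windllzup.exe": 1536}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
C2_HOSTS = {"www.globaldatabase.info", "www.framesearch.info"}
C2_SCRIPTS = {"script.php", "banlistx.php"}

# Constructed sample inputs (not real data): a .reg export and proxy log records
# in the assumed form "date time client_ip method url status".
SAMPLE_REG = '[' + RUN_KEY + ']\n"usrgateway.exe"="C:\\\\WINNT\\\\System32\\\\syswrun4x.exe"\n'
SAMPLE_LOG = [
    "2004-03-13 10:22:01 10.0.0.5 GET http://www.globaldatabase.info/script.php 200",
    "2004-03-13 10:22:03 10.0.0.5 GET http://www.framesearch.info/banlistx.php 200",
    "2004-03-13 10:25:00 10.0.0.7 GET http://www.example.com/index.html 200",
]

def check_system32(listing):
    """listing: (filename, size) pairs from System32; third field is True if the size matches."""
    return [(n.lower(), s, s == DROPPED_FILES[n.lower()])
            for n, s in listing if n.lower() in DROPPED_FILES]

def check_run_key(reg_export):
    """Return (name, data) of values under the HKCU Run key whose data points at syswrun4x.exe.
    The value name is matched on data, not name, because the advisory calls the name an example."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line) if in_run else None
        if m and "syswrun4x.exe" in m.group(2).lower():
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))  # undo .reg escaping
    return hits

def check_web_log(lines):
    """Flag requests to the listed hosts (strong) or to the script names alone (weak)."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        u = urlsplit(parts[4])
        script = u.path.rsplit("/", 1)[-1].lower()
        if u.hostname in C2_HOSTS:
            flagged.append((parts[2], u.hostname, script, "known-host"))
        elif script in C2_SCRIPTS:
            flagged.append((parts[2], u.hostname, script, "script-name-only"))
    return flagged
```

A "script-name-only" hit is only a lead, since "script.php" is a common file name; a "known-host" hit identifies the client IP as a system to isolate and check for the dropped files.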



Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

  • Using the FortiGate manager, enable blocking of these web addresses -

    www.globaldatabase.info
    www.framesearch.info


Reference: ID - 2165