W32/Bagle.Y!tr

Alias/es: Mitglieder, W32/Bagle.Y!tr
Release Date: May 12, 2006

Detection Availability
              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Possible firewall alert that the file "irun4.exe" is attempting to access the Internet

  • Creation of these files in the System32 folder:

    system.exe - 25,600 bytes
    irun4.exe - 17,408 bytes
    iinj4.exe - 1,536 bytes


Detailed Analysis


Specifics
This Trojan is a 32-bit executable and a variant of the Mitglieder proxy Trojan. The Mitglieder Trojan and the Bagle virus families share some code and structure. The Trojan functions as an SMTP mail relay on a compromised system.


Loading At Windows Startup
If the Trojan is run, it copies itself into the System32 folder:

C:\WINNT\System32\WINDOW.exe

The Trojan registers itself to run automatically at the next Windows startup, as in this example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"ssgrate" = C:\WINNT\System32\irun4.exe


SMTP Proxy/Remote Access Capability
This Trojan binds to a randomly selected TCP port and awaits a connection from a remote attacker. An attacker could connect to the compromised system, issue SMTP commands and carry out mail delivery through the Trojan's SMTP proxy code, so the host acts as an open relay.
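The following PowerShell host check is an added example and is not part of this Fortinet entry. It looks for the indicators listed above (the System32 file names and sizes, the "ssgrate" Run value, and a listening TCP port owned by one of the listed binaries); the HKLM Run key and the listener check go beyond what the page states, and the size for iinj4.exe is assumed to be in bytes.

```powershell
# Added example, not part of the Fortinet entry: check a Windows host for the indicators above.
# Paths are built from $env:SystemRoot rather than the C:\WINNT path shown on the page.
$system32 = Join-Path $env:SystemRoot 'System32'
# File names and sizes from the description (no unit is given for iinj4.exe, bytes assumed;
# no size is given for WINDOW.exe)
$indicatorFiles = @{
    'system.exe' = 25600
    'irun4.exe'  = 17408
    'iinj4.exe'  = 1536
    'WINDOW.exe' = $null
}
$findings = New-Object System.Collections.Generic.List[object]

foreach ($name in $indicatorFiles.Keys) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $actual   = (Get-Item -LiteralPath $path).Length
    $expected = $indicatorFiles[$name]
    $note = if ($null -eq $expected)       { 'present; no reference size on the page' }
            elseif ($actual -eq $expected) { "present; size $actual matches" }
            else                           { "present; size $actual differs from expected $expected" }
    $findings.Add([pscustomobject]@{ Indicator = 'File'; Value = $path; Note = $note })
}

# Run key from the page is HKCU; HKLM is checked as well (an assumption beyond the page).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Flag the documented value name, or any value that launches one of the listed files
        $hitsName = $p.Name -eq 'ssgrate'
        $hitsFile = $indicatorFiles.Keys | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }
        if ($hitsName -or $hitsFile) {
            $findings.Add([pscustomobject]@{ Indicator = 'RunKey'; Value = "$key\$($p.Name)"; Note = $p.Value })
        }
    }
}

# The relay listens on a random port, so look for any listener owned by one of the listed binaries
# (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and $indicatorFiles.ContainsKey((Split-Path $proc.Path -Leaf))) {
        $findings.Add([pscustomobject]@{ Indicator = 'Listener'; Value = "$($_.LocalAddress):$($_.LocalPort)"; Note = $proc.Path })
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Bagle.Y/Mitglieder indicators found.' }
```

A file-name match on its own is weak evidence, so treat any hit as a prompt to submit the file for scanning rather than as a confirmed infection.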



Description Last Updated Date: Mar 13, 2007
Reference: ID - 22976