W32/Bagle.AT !tr

Analysis

If "foto.html" is opened or viewed, it launches "foto.exe"; this executable attempts to download what is assumed to be "W32/Bagle.AT-mm" from one of 130 websites. It may first arrive as an email attachment in this format -
Subject: foto
Attachments: foto.zip
The .ZIP will usually contain these two files -
foto\foto.html
foto\foto\foto.exe
The .HTML file contains instructions to load "foto\foto\foto.exe" using a Codebase exploit. If a user extracts the .ZIP on a default Windows system, it may not be apparent that the second "foto" folder exists, because both it and the file "foto.exe" carry the hidden attribute. By default, Windows is configured not to display files or folders with the hidden attribute.
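As an added example (not part of this write-up), the following Python builds a constructed archive laid out like foto.zip, with the DOS hidden bit set on the nested folder and the executable, and shows how to read each entry's DOS attributes so that hidden entries and executables are surfaced before anything is extracted. The attribute bit values and the `suspicious_entries` helper are assumptions of this example, not something the page describes.

```python
import io
import zipfile

# DOS/Windows attribute bits live in the low byte of ZipInfo.external_attr
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the foto.zip layout (placeholder contents, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        html = zipfile.ZipInfo("foto/foto.html")
        html.external_attr = FILE_ATTRIBUTE_ARCHIVE          # visible lure page
        zf.writestr(html, "<html>placeholder</html>")

        folder = zipfile.ZipInfo("foto/foto/")
        folder.external_attr = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN
        zf.writestr(folder, b"")                              # hidden nested folder

        exe = zipfile.ZipInfo("foto/foto/foto.exe")
        exe.external_attr = FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN
        zf.writestr(exe, b"MZ" + b"\x00" * 64)                # hidden executable stub
    return buf.getvalue()


def inspect_zip(data: bytes) -> list:
    """Return (name, is_hidden, is_executable) for every entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dos_attrs = info.external_attr & 0xFF
            hidden = bool(dos_attrs & FILE_ATTRIBUTE_HIDDEN)
            executable = info.filename.lower().endswith(EXECUTABLE_SUFFIXES)
            findings.append((info.filename, hidden, executable))
    return findings


def suspicious_entries(data: bytes) -> list:
    """Names of entries a user would not see in Explorer, plus any executables."""
    return [name for name, hidden, exe in inspect_zip(data) if hidden or exe]


if __name__ == "__main__":
    for name, hidden, exe in inspect_zip(build_sample_zip()):
        print(f"{name:24} hidden={hidden} executable={exe}")
```

Explorer with default settings would show only foto.html from this archive; the inspection above lists all three entries and flags the two that carry the hidden bit.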
If the EXE file executes, it will write two files to the local system -
C:\WINNT\system32\doriot.exe (12,800 bytes, hidden attributes)
C:\WINNT\system32\gdqfw.exe (9,728 bytes)
The registry is modified to load "doriot.exe" at next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wersds.exe = C:\Winnt\System32\doriot.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
wersds.exe = C:\Winnt\System32\doriot.exe
When "doriot.exe" runs, it locates the process that owns the "Shell_TrayWnd" window (the Windows shell, Explorer). It then injects its code into that process and attempts to connect to one of several HTTP websites to retrieve a copy of W32/Bagle.AT-mm. As of the time of this writing, none of the websites hard-coded in the threat were serving the virus.
Process Termination
The virus will attempt to stop any service that matches any of these names -
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE
Most of these are related to security or Antivirus software.
W32/Bagle.AT-mm Download Routine
This virus will attempt to connect with any of these web addresses and retrieve a binary file stored there -
The file is stored on these servers with a name that makes it appear to be a .JPG image; however, it is assumed to be "W32/Bagle.AT-mm". At the time of this writing, none of the mentioned servers were serving the virus.

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
