Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download and execute a file named b.jpg from 131 separate websites.
The Trojan arrives as a ZIP file attached to an email. The ZIP file contains two files: an HTML document (foto.html or foto.htm) and an executable (foto\foto1.exe or 1\calc.exe).
If the user opens the HTML document, it in turn runs the executable.
The executable (foto1.exe or calc.exe) copies itself to the Windows system folder as doriot.exe and creates a file named gdqfw.exe, also in the Windows system folder.
Doriot.exe injects gdqfw.exe into the process space of explorer.exe. Gdqfw.exe then attempts to download b.jpg from 131 separate websites. If the download is successful, the downloaded file is written to _re_file.exe or file.exe in the Windows folder and executed. The Trojan repeats the download attempt every 6 hours. At the time of writing, the file was not available for download from any of the sites used by the Trojan.
Doriot.exe adds the following registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  wersds.exe = <Windows system folder>\doriot.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  wersds.exe = <Windows system folder>\doriot.exe
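The attachment layout and the Run-key persistence described above can both be checked mechanically. The following is an added example, not Sophos code: it builds a constructed in-memory ZIP mimicking the attachment and a constructed list of Run-key entries (as one might parse from a .reg export), then flags the indicators named in this write-up.

```python
"""Added detection example for the Troj/BagleDl-A indicators described in the write-up.
Sample ZIP and registry entries are constructed stand-ins, not real malware."""
import io
import zipfile

# Names taken from the write-up: the HTML lure and the executable it launches.
LURE_HTML = {"foto.html", "foto.htm"}
DROPPED_EXE = {"foto/foto1.exe", "1/calc.exe"}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}


def matches_bagledl_attachment(zip_bytes: bytes) -> bool:
    """True if the ZIP pairs the foto.htm(l) lure with one of the two executables."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # ZIP entries may use backslashes or mixed case; normalise before comparing.
        names = {n.replace("\\", "/").lower() for n in zf.namelist()}
    return bool(names & LURE_HTML) and bool(names & DROPPED_EXE)


def run_key_indicators(entries):
    """entries: iterable of (key, value_name, data) tuples.
    Returns those that match the wersds.exe -> doriot.exe persistence value."""
    hits = []
    for key, name, data in entries:
        if (key.lower() in RUN_KEYS and name.lower() == "wersds.exe"
                and data.lower().endswith("\\doriot.exe")):
            hits.append((key, name, data))
    return hits


def build_sample_zip() -> bytes:
    """Constructed stand-in for the e-mail attachment with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html>placeholder</html>")
        zf.writestr("foto\\foto1.exe", "placeholder text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    print(matches_bagledl_attachment(build_sample_zip()))  # True
    sample_entries = [  # constructed; path is an example, not taken from the write-up
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "wersds.exe",
         r"C:\WINDOWS\system32\doriot.exe"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
         r"C:\WINDOWS\system32\ctfmon.exe"),
    ]
    print(run_key_indicators(sample_entries))  # only the wersds.exe entry
```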
Gdqfw.exe terminates the following processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE