Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 19 December 2005 13:49:50 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/BagleDl-AR is a Trojan for the Windows platform.
Troj/BagleDl-AR includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/BagleDl-AR may arrive as an email attachment with the following message text:
Dear customer.
Thank you for your subscription to http://www.<sitename>.com.
You have been billed as Paycom LLC for the amount of: GBP 24.95 for
30 days then GBP 24.95 recurring every 30 days.
Time: 2005-12-16 10:54:56
Transaction ID: 965658
Amount: GBP 24.95
Applied to Account #: 10915104
Pay Method: VISA
Your new subscription identification number is: 10915104, please
keep this number in a safe place, as it will be required
for reference in all future correspondence regarding your
membership.
Your membership access information is:
Username for your subscription: 112002
Password for your subscription: regina
Membership website: http://www.<sitename>.com
For further details regarding this transaction and direct access to
our online billing support services, available
24-hours a day, 365-days a year, please check your transaction
details in attachment.
Thank you for choosing Paycom as the eMerchant for your
subscription!
Customer Support
****************************************
Billing services provided by Paycom, LLC
Troj/BagleDl-AR attempts to download a file named msupdate.exe to the Windows folder and execute it. This file is detected as Troj/CashGrab-I.
The following registry entry is set, adding the Trojan to the Windows Firewall list of authorized applications and so affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\list
<pathname of the Trojan executable>
<original filename>:*:EnaBleD:cvv2
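One way to check a host for the firewall exception described above, as an added example that is not part of the original Sophos write-up. It assumes the key has been dumped to text with `reg query`; the names `audit`, `ENTRY`, `REG_LINE` and `NORMAL_STATUS` are hypothetical, the status-casing check is a heuristic, and the sample output is constructed.

```python
import re

# Value data in AuthorizedApplications\List: <path>:<scope>:<status>:<name>
ENTRY = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)
# One value line of `reg query` output: name, type and data, 4 spaces apart
REG_LINE = re.compile(r"^\s+(?P<value>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")
NORMAL_STATUS = {"Enabled", "enabled", "Disabled", "disabled"}


def audit(reg_query_output):
    """Return (path, reasons) for each firewall exception matching the write-up."""
    findings = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        entry = ENTRY.match(m.group("data")) if m else None
        if not entry:
            continue  # key header, blank line, or data in another layout
        reasons = []
        if entry["name"].strip().lower() == "cvv2":
            reasons.append("label 'cvv2'")
        if entry["status"] not in NORMAL_STATUS:
            # Heuristic (assumption): odd casing suggests a hand-built string
            reasons.append("unusual status casing " + entry["status"])
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


# Constructed sample output, not captured from a real host
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    C:\WINDOWS\example.exe    REG_SZ    C:\WINDOWS\example.exe:*:EnaBleD:cvv2
    C:\Tools\backup.exe    REG_SZ    C:\Tools\backup.exe:LocalSubNet:Disabled:Backup agent
"""

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

The path field is matched lazily because a drive letter such as `C:` contains the same colon that separates the fields.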
