Sophos

Troj/BagleDl-A

Aliases
  • W32/Bagle.dll.dr
  • Glieder.H
  • Glieder.I

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from October 2004 (3.86)
Protection available since 31 August 2004 21:36:41 (GMT)
Last updated 1 September 2004 02:31:12 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download and execute a file named b.jpg from 131 separate websites.

The Trojan arrives as a ZIP file attached to an email. The ZIP file contains two files: foto.html or foto.htm and foto\foto1.exe or 1\calc.exe.

If the user opens the HTML document it will in turn run the executable.

The executable (foto1.exe or calc.exe) copies itself to the Windows system folder as doriot.exe and creates a file named gdqfw.exe, also in the Windows system folder.

Doriot.exe injects gdqfw.exe into the process space of explorer.exe. Gdqfw.exe then attempts to download b.jpg from 131 separate websites. If the download is successful the downloaded file is written to _re_file.exe or file.exe in the Windows folder and executed. The Trojan repeats the download attempt every 6 hours. At the time of writing the file was not available for download from any of the sites used by the Trojan.

Doriot.exe adds the following registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    wersds.exe = <Windows system folder>\doriot.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    wersds.exe = <Windows system folder>\doriot.exe
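As an added example that is not part of the Sophos advisory, the PowerShell script below audits the Run keys named in the removal steps above (HKLM, HKCU and every user hive loaded under HKEY_USERS) for the wersds.exe value and for data referencing doriot.exe, and also checks the Windows and system folders for the files the advisory says the Trojan drops. The indicator names come from this page; the -Remove switch, the report layout and every other identifier are assumptions of this example.

```powershell
# Added example, not Sophos code: audit Run keys and dropped files for Troj/BagleDl-A indicators.
# Run without -Remove to report only; -Remove deletes matching Run values (honours -WhatIf).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Indicators taken from the advisory: Run value name, dropped files, download targets
$ValueNames   = @('wersds.exe')
$DroppedFiles = @('doriot.exe', 'gdqfw.exe')        # written to the Windows system folder
$DownloadOut  = @('_re_file.exe', 'file.exe')      # written to the Windows folder
$SystemDir    = [Environment]::SystemDirectory
$WindowsDir   = [Environment]::GetFolderPath('Windows')

# Run keys to inspect: machine-wide, current user, and each user hive under HKEY_USERS
$RunPaths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$RunPaths += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

$Findings = @()
foreach ($path in $RunPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($prop in $key.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata properties
        $data = [string]$prop.Value
        # A hit is either the advisory's value name or data that points at a dropped file
        $hit = ($ValueNames -contains $prop.Name) -or
               [bool]($DroppedFiles | Where-Object { $data -match [regex]::Escape($_) })
        if ($hit) {
            $Findings += [pscustomobject]@{ Where = $path; Name = $prop.Name; Data = $data }
            if ($Remove -and $PSCmdlet.ShouldProcess("$path\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $path -Name $prop.Name
            }
        }
    }
}

# Files the advisory names; report their presence so they can be handled by the AV removal step
foreach ($f in $DroppedFiles) {
    $p = Join-Path $SystemDir $f
    if (Test-Path $p) { $Findings += [pscustomobject]@{ Where = 'file'; Name = $f; Data = $p } }
}
foreach ($f in $DownloadOut) {
    $p = Join-Path $WindowsDir $f
    if (Test-Path $p) { $Findings += [pscustomobject]@{ Where = 'file'; Name = $f; Data = $p } }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No Troj/BagleDl-A indicators found.' }
```

Run it from an elevated prompt so the HKEY_USERS hives are readable; only hives of users currently logged on (plus .DEFAULT and the per-SID _Classes keys) are loaded there, so profiles of logged-off users still need to be checked after they next log on, as the manual per-user step above implies. Export the registry first, exactly as the removal instructions say, before using -Remove.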

Gdqfw.exe terminates the following processes:

  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • FIREWALL.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • UPGRADER.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE
  • MCUPDATE.EXE
