[virusinfo] Sophos Anti-Virus IDE alert: Troj/Bagle-X

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 07 Apr 2004 15:45:17 -0700


From: Sophos Alert System:

Name: Troj/Bagle-X
Aliases: W32/Bagle.X.worm, W32/Bagle.x!proxy, I-Worm.Bagle.v, Troj/Lohav-Fam
Type: Trojan
Date: 7 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2004 (3.81) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this Trojan. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about Troj/Bagle-X can be found at:
http://www.sophos.com/virusinfo/analyses/trojbaglex.html
Description

Troj/Bagle-X is a proxy backdoor Trojan.

The Trojan runs continuously in the background providing a proxy server on a
random port number above 2000.

Data can be routed to other computers via the proxy in order to bypass
access restrictions and to hide the IP address of the source computer. 

The proxy may be used to forward SPAM email. 

When first run, the Trojan copies itself to the Windows system folder as
window.exe and creates the following registry entry, so that window.exe is
run automatically on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\window.exe = <Windows system folder>\window.exe

The following registry entries are also created:

HKCU\Software\Timeout\uid = <random 9-digit string>
HKCU\Software\Timeout\pid = <process ID for the Trojan>
HKCU\Software\Timeout\port = <port the Trojan listens on>

The Trojan tries to send connection information to several remote locations.
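The persistence and configuration artefacts listed above (the HKCU Run value
for window.exe and the HKCU\Software\Timeout uid/pid/port values) are the
things a desk-side check can look for. The script below is an added example
written for this post, not Sophos code and not from the Sophos analysis page:
it parses the text of a Windows registry export (.reg file, as produced by
regedit's Export or "reg export") offline and reports whether the entries
described in the advisory are present. The key paths come from the advisory
with HKCU expanded to HKEY_CURRENT_USER as it appears in .reg exports; the
sample export data and the values in it are constructed for the example.

```python
import re
from typing import Dict, Optional

# Indicators from the Sophos description of Troj/Bagle-X (this advisory).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TIMEOUT_KEY = r"HKEY_CURRENT_USER\Software\Timeout"
TIMEOUT_VALUES = {"uid", "pid", "port"}

# Constructed sample export of an affected profile (values are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"window.exe"="C:\\WINDOWS\\system32\\window.exe"

[HKEY_CURRENT_USER\Software\Timeout]
"uid"="483920175"
"pid"=dword:000004d8
"port"=dword:00000bb8
"""

# Constructed sample export of a clean profile.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles [KEY] headers, "name"="string" (with \\ and \" escapes) and
    "name"=dword:xxxxxxxx (decoded to a decimal string). Other value types
    are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def _lookup(reg: Dict[str, Dict[str, str]], key: str) -> Optional[Dict[str, str]]:
    """Registry key paths are case-insensitive, so match ignoring case."""
    for k, v in reg.items():
        if k.lower() == key.lower():
            return v
    return None


def find_bagle_x_indicators(reg: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Return the advisory's indicators found in a parsed export.

    Keys in the result: 'run_entry' (data of the window.exe Run value),
    'timeout_values' (sorted names present under HKCU\\Software\\Timeout)
    and 'port' (listening port as int, if recorded). Empty dict if clean."""
    findings: Dict[str, object] = {}
    run = _lookup(reg, RUN_KEY) or {}
    for name, data in run.items():
        # Advisory: value named window.exe pointing at <system folder>\window.exe
        if name.lower() == "window.exe" or data.lower().endswith("\\window.exe"):
            findings["run_entry"] = data
    timeout = _lookup(reg, TIMEOUT_KEY)
    if timeout:
        present = sorted(n for n in timeout if n.lower() in TIMEOUT_VALUES)
        if present:
            findings["timeout_values"] = present
            port = timeout.get("port")
            if port is not None and port.isdigit():
                findings["port"] = int(port)  # advisory says this is above 2000
    return findings


if __name__ == "__main__":
    for label, text in (("affected", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(label, find_bagle_x_indicators(parse_reg_export(text)))
```

The reported port is worth correlating with a netstat listing on the host:
the advisory says the proxy listens on a random port above 2000, and a
listening socket owned by window.exe on that port confirms the finding.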
Download the IDE file from:
http://www.sophos.com/downloads/ide/bagle-x.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 