W32/Bagle.FS@mm

Analysis

This variant is varied intentionally by the virus author in an attempt to foil detection capabilities by various Antivirus scanners. The threat was posted to a particular web site numerous times and quite probably using an automated technique, and the threat was repackaged using a packing method that altered the state of the virus each time it was packed. The utility used to pack the virus is ASProtect. The virus ranges in size between 252 and 257Kb.

Upon running the file, a dialogue screen is displayed requesting the user to browse to a file for "cracking", as if the program was a shareware application cracker. Depending on a file chosen for the "cracker" to crack, an error dialogue is displayed like this -

Meanwhile, the virus writes a .DLL file into the System32 folder named "ldr64.dll". It is ASPack packed with a file size range between 132 and 135Kb. This DLL file loads at the next Windows restart via some registry modifications -

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64 "Asynchronous" = 01, 00, 00, 00 "DllName" = ldr64.dll "Impersonate" = 00, 00, 00, 00 "LdCount" = 00, 00, 00, 00 "prevt" = 00, 00, 00, 00 "Startup" = Startup

When Windows restarts, ldr64.dll is loaded into memory as an assisting DLL with WINLOGON.EXE. The loaded DLL is coded to connect to various websites in an attempt to download binary files named either "666.jpg" or "666.php".

If the file is retrieved, it is renamed to either "edlm.exe" or "edlm2.exe" and run as an executable. As of the time of this writing, none of the servers were hosting the files requested by the virus.

Recommended Action

FortiGate systems:

• check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
  FortiClient systems:
  
• Quarantine/Delete infected files detected