Description Published: August 31, 2004
Description Modified: September 1, 2004
Category: Win32
Also known as: W32/Bagle.dll.dr (McAfee), W32/Bagle.dll.gen (McAfee),
HTML.Codebase, Exploit.CodeBaseExec (Kaspersky),
Exploit-CodeBase.gen (McAfee),
HTML.Glieder, Win32/Glieder.I.DLL.Trojan,
Win32/Glieder.I.Trojan, Download.Ject.C (Symantec),
Win32/TrojanDownloader.Agent.CJ2 (Eset),
Win32/TrojanDropper.Small.NAQ (Eset),
Win32/Unknown.Trojan, TrojanDownloader.Win32.Agent.cj (Kaspersky),
TrojanDropper.Win32.Small.kv (Kaspersky)
Description
Win32.Glieder.I is a trojan that downloads and executes arbitrary files from a long hardcoded list of particular URLs. In the wild, we have seen other variants of this trojan download Win32.Bagle variants and other files. It has been distributed as a 12,800-byte Win32 executable.
Method of Infection
This variant of Win32.Glieder has been mass-mailed on a large scale by what appears to be Win32.Bagle.AJ. Win32.Glieder itself does not have the ability to spread unless one of the files it downloads has that ability.
The mass-mailed messages contained these files:
- foto.zip or fotos.zip (size: 4,558 bytes):
A ZIP archive containing foto.htm and 1calc.exe.
- foto.htm (size: 111 bytes):
An HTML file containing script to activate calc.exe. This file may be detected as HTML.Codebase by CA Antivirus solutions.
- calc.exe (size: 12,800 bytes):
The Win32.Glieder.I trojan itself.
When executed, Win32.Glieder.I copies itself to
%System%\doriot.exe
It makes the following modifications to the registry to ensure that doriot.exe is executed at each Windows start:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wersds.exe = "%System%\doriot.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wersds.exe = "%System%\doriot.exe"
It also drops another component to %System%\gdqfw.exe (this file is 9,728 bytes in size). The file is a DLL, which is injected into the explorer.exe process, so as to run under the guise of Explorer. This file may be detected as Win32/Bagle.Downloader.Trojan by CA Antivirus solutions.
Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
Payload
Downloads and Executes Arbitrary Files
Every 6 hours, Glieder.I attempts to download from a list of 131 URLs. If successful, it saves the downloaded file to %Windows%\file.exe and executes it. At the time of publishing, none of these URLs were available.
Terminates Processes
The DLL component ("gdqfw.exe") kills the following processes (associated with antivirus and other security-related applications):
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
Stops/Disables Services
The DLL also attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service) on Windows XP systems.
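The following host check is an added example, not part of the CA description, that looks for the artifacts this write-up names: the dropped files in %System%, the wersds.exe Run values, the %Windows%\file.exe payload location and the state of the SharedAccess service. It assumes a current Windows PowerShell where %System% resolves to $env:SystemRoot\System32 (the Windows 9x/ME path in the note above is not handled).

```powershell
# Added example (not CA's code): report Win32.Glieder.I artifacts on the local host.
# Assumes %System% is $env:SystemRoot\System32 and %Windows% is $env:SystemRoot.
function Test-GliederIndicators {
    $system   = Join-Path $env:SystemRoot 'System32'
    $findings = @()

    # Dropped files: the trojan copy (doriot.exe) and the injected DLL (gdqfw.exe)
    foreach ($name in 'doriot.exe', 'gdqfw.exe') {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $findings += "Dropped file present: $path ($size bytes)"
        }
    }

    # Persistence: a Run value named wersds.exe in HKCU and HKLM pointing at doriot.exe
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $entry = Get-ItemProperty -Path $key -Name 'wersds.exe' -ErrorAction SilentlyContinue
        if ($entry) {
            $findings += "Run value wersds.exe in $key = $($entry.'wersds.exe')"
        }
    }

    # Downloaded payload is saved as %Windows%\file.exe before execution
    $payload = Join-Path $env:SystemRoot 'file.exe'
    if (Test-Path -LiteralPath $payload) {
        $findings += "Payload present: $payload"
    }

    # ICF/ICS (SharedAccess) stopped or disabled: a weak signal on its own,
    # since administrators also change this service legitimately.
    $svc = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
    if ($svc) {
        $mode = (Get-CimInstance Win32_Service -Filter "Name='SharedAccess'").StartMode
        if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
            $findings += "SharedAccess service: status=$($svc.Status) startmode=$mode"
        }
    }
    return $findings
}

# Usage: run elevated so HKLM and the System32 directory are readable.
Test-GliederIndicators
```

The file and Run-value hits are the strong indicators; treat the service state as corroborating evidence only and confirm the dropped files with a scanner before cleaning.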
Analysis by Hamish O'Dea
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40054
Computer Associates – the Trusted Source of Security Knowledge