
Troj/BagleDl-L

By Mary Landesman, About.com

Mar 1 2005
Troj/BagleDl-L is a Trojan, not a worm, and does not contain mass-mailing capabilities. However, Troj/BagleDl-L was mass-spammed via email during the morning of March 1st, 2005. It is believed this spam run was the work of the Bagle.BE worm, which was discovered during the same period.

Email characteristics
The spammed email carries a spoofed From address. The subject line was either blank or one of the following:

[EDA Peer Networking]
EARMA-ALL: approval required (2E562570)
failure notice
imposibilidad de enviar su mensaje a e.t.quinteroxn
Impossibile recapitare il messaggio
Mail could not be delivered
Mail System Error - Returned Mail
Message Non-delivery Report
Returned mail
Returned mail: see transcript for details
Returned mail: User unknown
Undeliverable mail
Undeliverable:
Undeliverable: ***** SPAM *****
Undeliverable: [BULK]
Undelivered Mail Returned to Sender
unsolicited e-mail message
Your Message Could Not Be Delivered

The body of the email may read:

new price

The attachment may be named one of the following:

doc_02.exe
Doc_01.02.exe
doc_01.exe
prs_03.exe
price.zip
price2.zip
price_08.zip

Action on infection
Troj/BagleDl-L attempts to shut down processes belonging to various security products. It also modifies the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts), redirecting attempts to reach certain antivirus and security sites to the local loopback address (127.0.0.1), which silently breaks signature updates and vendor web lookups. Ironically, the HOSTS modifications also include loopback redirects for commercial adservers such as doubleclick and fastclick.

Troj/BagleDl-L drops winshost.exe into the Windows System folder and adds entries to the standard Run keys under both HKLM and HKCU (Software\Microsoft\Windows\CurrentVersion\Run) so that the file is loaded when Windows starts. According to antivirus vendor Sophos, Troj/BagleDl-L also attempts to rename a predefined list of files found on infected systems.

Troj/BagleDl-L attempts to download further files from various sites, reportedly spam proxies and/or remote access (backdoor) Trojans. Troj/BagleDl-L also modifies Registry keys related to the Background Intelligent Transfer Service (BITS), the download service used by Windows Update.
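As an added example (not code from this article, Sophos or About.com), the Python script below parses a Windows HOSTS file and flags entries that point watched security-vendor or adserver domains at a loopback address, which is the tampering described above. It goes a little beyond the article: any non-localhost name mapped to loopback is reported at low severity, and watched domains at high severity. The HOSTS text and the vendor domains in WATCHLIST are constructed assumptions standing in for the "certain antivirus and security sites" the article does not enumerate; doubleclick and fastclick are the two names the article does give.

```python
"""Scan a Windows HOSTS file for loopback redirects of watched domains.

Added example for this article, not code from Sophos or About.com.
SAMPLE_HOSTS is a constructed file; the vendor domains in WATCHLIST are
assumptions, not a list extracted from the Trojan.
"""
import ipaddress

# Assumed watchlist: registered domains a Bagle-style HOSTS hijack would
# typically target. doubleclick/fastclick come from the article; the
# antivirus vendors are placeholders. Extend for your own environment.
WATCHLIST = {
    "sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
    "trendmicro.com", "f-secure.com", "windowsupdate.com",
    "doubleclick.net", "fastclick.net",
}

# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample imitating a tampered HOSTS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- constructed entries imitating the Trojan's tampering ---
127.0.0.1   www.sophos.com   sophos.com
127.0.0.1\tliveupdate.symantec.com
127.0.0.1   ad.doubleclick.net  # adserver loopback, also seen
10.0.0.5    intranet.example.com
127.0.0.1   mirror.example.org
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in a HOSTS file.

    Strips comments and blank lines, accepts tabs or spaces, and expands
    lines that list several hostnames after one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def registered_domain(hostname):
    """Naive registered domain (last two labels); adequate for the
    .com/.net names in WATCHLIST, not for ccTLDs such as .co.uk."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacks(text, watchlist=WATCHLIST):
    """Return a list of findings for non-localhost names mapped to loopback.

    severity "high": the name belongs to a watched domain (strong sign of
    the tampering described in the article); "info": any other loopback
    redirect, which on a default Windows install should not exist.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LEGIT_LOOPBACK_NAMES or not is_loopback(ip):
            continue
        severity = "high" if registered_domain(name) in watchlist else "info"
        findings.append({"line": line_no, "ip": ip, "host": name,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"[{f['severity']}] line {f['line']}: {f['ip']} -> {f['host']}")
```

To run it against a live machine, read the real file (the path is given above) into `find_hijacks` instead of SAMPLE_HOSTS; a clean Windows HOSTS file yields no findings at all, so any output deserves a look even at "info" severity.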

Avoidance/Prevention
To avoid infection, do not open email attachments you were not expecting, regardless of the apparent source. Most modern email threats spoof the From address, so a worm or Trojan email will most likely appear to come from someone you know and trust.

See also: Bagle.BE worm description


©2009 About.com, a part of The New York Times Company.

All rights reserved.