Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: Trojan.Downloader.Bagle.E (Bitdefender), Email-Worm.Win32.Bagle.ef (Kaspersky), Trj/Mitglieder.FK (Panda)
Type: TrojanDownloader
Systems Affected: 32-Bit Windows

Win32/Bagle.DD is functionally the same as Win32/Bagle.DC with the difference being that the files used by Bagle.DD are runtime compressed to attempt to evade detection.

Installation and Autostart Techniques:

Upon execution, the trojan drops its downloader component "hleader_dll.dll" into the %SYSTEM% folder and copies itself as a 13312 byte file named "hloader_exe.exe".
This Dynamic Link Library gets loaded via Code Injection (WriteProcessMemory / CreateRemoteThread) into the explorer process and runs there cloaked.

NOTE: %System% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

The trojan adds the following keys to the registry to make sure that it runs every time windows is started:

"auto__hloader__key" = "%System\hloader_exe.exe"


"auto__hloader__key" = "%System\hloader_exe.exe"

That means, that every time windows is started the executable injects the downloader DLL into the Explorer Process.

Downloading DLL Component:

This DLL retrieves the Windows Directory via GetWindowsDirectoryA API. After this, the downloader constructs a download directory in the windows folder named "exefld". Then, the downloader first tries to delete all files in this directory using the Shell Fileoperating API (SHFileOperationA).

Bagle.DD tries to download files from several internet locations. These URL's are stored in a string array and the downloaded file will be stored in the folder "exefld" under the windows folder. After successful download the Downloader tries to execute this file via ShellExecuteA API.

The name of the downloaded executable is randomly constructed via GetTickCount API.

Bagle.DD creates its own timed threads for interval downloading. It will try to download files from the following internet locations every 4 hours:{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php{REMOVED}/w.php

via TCP/IP port 80 (HTTP)

This timed download is done via EventManagement in the downloader thread. Bagle.DD initializes the timed event with DBBA00h which is exactly 4 hours.

History: Analysis and Write-up by: Michael St. Neitzel