02 Mar 2005
Security researchers at antivirus company McAfee have today upped their risk assessment of the Bagle.dldr Trojan, which is spreading rapidly.
The company has raised its assessment after spotting more variants of the worm, and said that its Avert virus response team has received "more than 100 distinct reports of these variants in the wild".
Bagle.dldr is not a mass-mailing threat by itself; it is a downloader which tries to access files from the internet and attempts to disable antivirus and security tools. The Trojan has been used by other Bagle variants, including Bagle.bb, Bagle.bc and Bagle.bd.
After being executed, Bagle.dldr copies itself into the Windows System directory. It drops a file named 'wiwshost.exe' and tries to download a file 'zo2.jpg' from various websites. It also shuts down security services and in some cases renames the main security program executable.
The virus modifies the file '%WinDir%\system32\drivers\etc\hosts' to prevent the PC from contacting some security websites, and also disables any configured HTTP proxy.
When outgoing TCP connections to port 80 (HTTP) are established, Bagle.dldr tries to download files from a very large list of sites. McAfee said that many of these sites may be decoys as they do not host the file being requested.
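The hosts-file change described above can be checked for during triage. The following is an added example, not code from McAfee or from the original article: it parses hosts-file text and reports every entry that overrides a watched security domain. The watchlist and the sample file contents are constructed assumptions, since the article does not list the blocked sites.

```python
import ipaddress

# Assumed watchlist (not from the article): domains whose updates or
# lookups the endpoint depends on. Replace with your own vendors.
WATCHLIST = ("mcafee.com", "av-vendor.example")

# Constructed sample of a tampered hosts file, for demonstration only.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.mcafee.com   # inline comment
0.0.0.0 update.av-vendor.example download.av-vendor.example
192.0.2.10      intranet.corp.example
127.0.0.1       notmcafee.com
not-an-ip       mcafee.com
"""

def parse_hosts(text):
    """Yield (line number, address, hostname) for each valid mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, resolver ignores it
        for name in fields[1:]:               # one address may carry several names
            yield lineno, addr, name.lower().rstrip(".")

def is_watched(name, watchlist=WATCHLIST):
    """True for a watched domain or any subdomain of it (no substring matches)."""
    return any(name == d or name.endswith("." + d) for d in watchlist)

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return hosts entries that override a watched security domain."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if is_watched(name, watchlist):
            sinkholed = addr.is_loopback or addr.is_unspecified
            kind = "sinkholed" if sinkholed else "overridden"
            findings.append((lineno, str(addr), name, kind))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

To check a live machine, pass the contents of the hosts file named in the article to `suspicious_entries` instead of the sample text.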