Today we are going to focus on Bagle.A, which spread around the globe at the beginning of this week, and on two Trojans belonging to the same family: StartPage.AB and StartPage.AC.
Bagle.A spreads via e-mail in a message with the subject ‘Hi’. The attached file has the same icon as the Windows Calculator and its name consists of several random characters and an EXE extension.
Once it has been installed on a computer, Bagle.A searches the files with WAB, HTM, HTML and TXT extensions stored on the affected computer for e-mail addresses and sends itself to them using its own SMTP engine, skipping addresses belonging to the following domains: hotmail.com, msn.com, microsoft.com and avp.com. Furthermore, every ten minutes it attempts to connect to several web pages through port 6777 in order to update itself.
Bagle.A includes code that allows it to download files from the Internet and run them on the affected computer, but it only carries out its actions until the system date reaches January 28, 2004.
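A defender-side illustration of the update-check behaviour described above: this added example (not part of the original report) scans constructed firewall log lines for hosts that repeatedly connect outbound to TCP port 6777 at roughly ten-minute intervals. The log format, host addresses and jitter tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not real traffic). Format assumed:
# "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2004-01-19 09:00:02 10.0.0.15 -> 203.0.113.10:6777 TCP ALLOW
2004-01-19 09:03:11 10.0.0.22 -> 198.51.100.7:80 TCP ALLOW
2004-01-19 09:10:01 10.0.0.15 -> 203.0.113.11:6777 TCP ALLOW
2004-01-19 09:20:03 10.0.0.15 -> 203.0.113.10:6777 TCP ALLOW
2004-01-19 09:25:40 10.0.0.22 -> 203.0.113.10:6777 TCP ALLOW
2004-01-19 09:30:00 10.0.0.15 -> 203.0.113.12:6777 TCP ALLOW
"""

UPDATE_PORT = 6777          # port Bagle.A uses for its update check
BEACON_INTERVAL = 600       # ten minutes, in seconds
TOLERANCE = 60              # assumed jitter allowed either side of the interval

def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "->":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        _dst_ip, dst_port = parts[4].rsplit(":", 1)
        yield ts, parts[2], int(dst_port)

def find_beaconing_hosts(text, port=UPDATE_PORT, min_hits=3):
    """Return source IPs with at least min_hits connections to `port` whose
    consecutive gaps all fall within BEACON_INTERVAL +/- TOLERANCE."""
    per_host = defaultdict(list)
    for ts, src, dst_port in parse_log(text):
        if dst_port == port:
            per_host[src].append(ts)
    suspects = []
    for src, times in per_host.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - BEACON_INTERVAL) <= TOLERANCE for g in gaps):
            suspects.append(src)
    return sorted(suspects)

if __name__ == "__main__":
    print(find_beaconing_hosts(SAMPLE_LOG))   # ['10.0.0.15']
```

A single connection to port 6777 (as from 10.0.0.22 above) is not flagged; only the regular ten-minute cadence the report describes is.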
The first Trojan in today’s report is StartPage.AB, which changes the home page and search options of the Internet Explorer browser. It also modifies the HOSTS file in order to prevent the user from accessing several web pages that offer information or software for removing spyware. In addition, it goes memory resident and prevents changes made to the Windows Registry from being saved.
We are going to finish today’s report with another variant of StartPage, variant AC. This Trojan changes the home page of the browser Internet Explorer and modifies an entry in the Windows Registry so that it is run whenever the user opens a text file.