My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


19045 bytes
(Bagle.AK, Trojan.Win32.Agent.JK)


-	presence of the file “winldr.exe” in the %sysdir% directory
-	presence of the file “dload.dat” in the %sysdir% directory.
-	presence of the file “url.dat” in the %sysdir% directory.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Ionita, virus researcher

Technical Description:

The virus is 19045 bytes in size. It is quite complex, with stealth capabilities and varied spreading methods.

At startup, the virus copies itself to the %sysdir% directory under the name “winldr.exe”. However, the virus is not run like an ordinary process. Instead, it injects itself in svchost.exe and runs the rest of the virus as a thread in that process, therefore all the malicious actions seem to come from svchost.exe (which is a legitimate and critical Windows process).

The method the virus uses for automatic loading at system startup is the following: it registers itself as a system shell under the key HKLM\MicrosoftWindows NT\CurrentVersion\WinlogonShell. It then registers the current process as an “authorized application” in the system’s firewall list, therefore enabling unrestricted network access.

Once the basis have been established, the virus proceeds to the next stage: self propagation. It has two spreading methods: P2P attacks and mass mailing.


The virus searches in the registry the sharing folders of a few P2P programs (some of the largest and most commonly used). The affected programs: Kazza, Imesh, Morpheus, E-Donkey, LimeWire. The virus searches these folders for all files with the .exe extension and modifies them so that the files contain also copies of itself.


The virus will search all local drives for files that have one of the following extensions:

.wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

It extracts the e-mail addresses that may reside in those files and then creates threads that will send attachements of itself to those addresses.

Mail format:

From: “name” "complete_email" (spoofed)

To: “name” "complete_email"

Subject: (random string)

Body: empty

Attachement: Rechnung.pdf.exe

The virus will extract what may be the name in the e-mail address (for example, will extract Joe from and put it in the From and To fields.

The virus will not send e-mails to addresses that contain one of the following strings:

@hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin crosoft @messagelab root@ abuse panda linux unix spam antispam

The virus uses its own SMTP engine.


The virus will alternately try and download files from a list of predefined sites and execute them or extract information from them. It will use for this purpose a few additional files for storage of information (url.dat and dload.dat).

List of sites: