
Virus Detail

Win32.Fantibag.A

Date Published:
1 Jun 2005

Last Updated:
15 Aug 2005

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  TROJ_BAGLE.AR (Trend), Win32/Fantibag!DLL!Trojan, Win32/Fantibag!Trojan, W32/Mitglieder.CN (F-Secure), Email-Worm.Win32.Bagle.bp (Kaspersky)

Immediate Protection Info

Signature      Product                                       Removal Instructions
23.69.42       eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/9171      eTrust Antivirus v7/8* (Vet Engine)
6.1x/6311      eTrust EZ Antivirus 6.1x
6.2x/9171      eTrust EZ Antivirus 6.2x
6.3x/9171      eTrust EZ Antivirus 6.3x
6.4x/9171      eTrust EZ Antivirus 6.4x
7.x/9171       eTrust EZ Antivirus 7.x
10.6x/9171     Vet Anti-Virus 10.6x

Description

Win32.Fantibag.A is a trojan that creates filters for IPv4 packets to block access to many and varied antivirus company domains. It has been distributed as a PeX-packed Win32 executable. This trojan may be downloaded onto machines already compromised by Win32.Glieder (a trojan that downloads and executes arbitrary files from particular URLs).


Method of Infection

When the main executable is launched, it copies itself to:

%Windows%\firewall_anti.exe

It makes the following modification to the registry to ensure that "firewall_anti.exe" is executed at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\firewall_anti="%Windows%\firewall_anti.exe"

It also drops another component to %Windows%\firewall_anti.exe.dll (this file is 139,264 bytes in size). The file is a DLL, which is injected into the explorer.exe process so as to run under the guise of Explorer.

Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
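The three host artefacts described above (the copied executable, the Run-key value, and the DLL injected into explorer.exe) can be checked from an elevated PowerShell session. The script below is an added example for responders and is not part of the CA advisory; the paths and the registry value name are taken from the advisory text, and the script only reports, it does not remove anything.

```powershell
# Added example (not from the CA advisory): report the Win32.Fantibag.A
# persistence artefacts the advisory lists. Run elevated; read-only.

$windir = $env:SystemRoot   # the "%Windows%" folder the advisory refers to
$findings = @()

# 1. Dropped files: the self-copy and the DLL that gets injected into Explorer.
$exePath = Join-Path $windir 'firewall_anti.exe'
$dllPath = Join-Path $windir 'firewall_anti.exe.dll'
foreach ($p in @($exePath, $dllPath)) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += [pscustomobject]@{
            Indicator = 'DroppedFile'
            Detail    = "$($f.FullName) ($($f.Length) bytes)"
        }
    }
}
# The advisory gives 139,264 bytes for the DLL; a different size is still worth
# a look, since a repacked variant would not match exactly.

# 2. Run-key persistence: value 'firewall_anti' under HKLM\...\Run.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'firewall_anti' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += [pscustomobject]@{
        Indicator = 'RunKey'
        Detail    = "$runKey\firewall_anti = $($runVal.firewall_anti)"
    }
}

# 3. Injected DLL: enumerate the modules loaded in each explorer.exe and look
#    for the dropped DLL's name.
foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'firewall_anti.exe.dll') {
                $findings += [pscustomobject]@{
                    Indicator = 'InjectedModule'
                    Detail    = "explorer.exe PID $($proc.Id) has $($m.FileName) loaded"
                }
            }
        }
    } catch {
        # Module enumeration fails for processes at a higher integrity level.
        Write-Warning "Could not enumerate modules of explorer.exe PID $($proc.Id): $_"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Fantibag.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the DLL runs inside explorer.exe, a file-system check alone can miss an infection whose dropped files have already been cleaned but whose module is still resident; the third check covers that case until the next reboot.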



Payload

Modifies Network Behavior

Win32.Fantibag.A contains a list of over 100 antivirus-related domain names, presumably in order to stop users from visiting those websites or downloading scanner updates from those domains. The trojan accomplishes this by creating both input and output filters to drop all packets between the user's machine and any of the filtered IP addresses.

For each of the specified domain names a DNS lookup is performed. Win32.Fantibag then creates filters for each IP address within the same class C (255.255.255.0) network as the resolved address. Antivirus companies targeted include Computer Associates, McAfee, Sophos, Kaspersky, F-Secure, Trend, etc. The following domain names are also used to create IP filters (and are hence also blocked):

download.microsoft.com
downloads.microsoft.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
support.microsoft.com
windowsupdate.microsoft.com
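Since the filter drops packets by IP rather than by name, an infected host typically still resolves these domains but cannot reach them, while unrelated hosts stay reachable. The following script is an added example, not part of the advisory, that probes the seven Microsoft names listed above next to a control host to separate that pattern from a general outage. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection; the control host example.com is my choice, and any name the filter is not expected to cover will do.

```powershell
# Added example (not from the CA advisory): detect the resolved-but-unreachable
# pattern a host-level IP filter such as Win32.Fantibag.A's produces.
# Assumes Resolve-DnsName and Test-NetConnection are available.

$advisoryDomains = @(
    'download.microsoft.com', 'downloads.microsoft.com', 'go.microsoft.com',
    'msdn.microsoft.com', 'office.microsoft.com', 'support.microsoft.com',
    'windowsupdate.microsoft.com'
)
$controlHost = 'example.com'   # assumed control name, not from the advisory

function Test-HostReachability {
    param([string]$Name)
    # Resolve the name ourselves; DNS is expected to keep working because the
    # trojan filters the resolved IPs, not the lookups.
    $addrs = @()
    try {
        $addrs = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress)
    } catch { }
    $tcp = $false
    if ($addrs.Count -gt 0) {
        $tcp = (Test-NetConnection -ComputerName $Name -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    # The advisory says filters cover the whole /24 of each resolved address,
    # so record those networks: anything else you host in them is affected too.
    $nets = @($addrs | ForEach-Object { ($_ -split '\.')[0..2] -join '.' } | Select-Object -Unique)
    [pscustomobject]@{
        Host        = $Name
        Resolved    = ($addrs -join ',')
        FilteredNet = (($nets | ForEach-Object { "$_.0/24" }) -join ',')
        TcpPort80   = $tcp
    }
}

$results = foreach ($d in ($advisoryDomains + $controlHost)) { Test-HostReachability $d }
$results | Format-Table -AutoSize

$control     = $results | Where-Object { $_.Host -eq $controlHost }
$unreachable = @($results | Where-Object {
    $_.Host -ne $controlHost -and $_.Resolved -ne '' -and -not $_.TcpPort80
})
if ($control.TcpPort80 -and $unreachable.Count -gt 0) {
    Write-Warning ("Control host reachable but {0} advisory domain(s) resolve yet fail TCP/80: consistent with host-level IP filtering." -f $unreachable.Count)
} elseif (-not $control.TcpPort80) {
    Write-Output 'Control host unreachable too; treat this as a general network problem, not a filter.'
}
```

If the control host is reachable and several of the Microsoft names resolve but fail the TCP probe, run the filter-independent checks for the dropped files and the Run-key value before drawing a conclusion; a corporate proxy or DNS sinkhole can produce a similar table.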


Analysis by Scott Molenkamp


