FRISK Software International

Summary of W32/Bagle.EJ
Discovered: 24 Feb 2006
Definition files: 24 Feb 2006
Risk Level: Medium
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Bagle.EJ is a downloader trojan and is incapable of spreading. It modifies registry to make sure it's run at startup. It runs in an endless loop trying to download files from multiple internet addresses. If it manages to download any, they are executed.

Technical Description
When first run W32/Bagle.EJ opens a file choosing dialog and asks the user:

"Select file to crack"

If a file is selected the following error message is displayed:

"Incorrect file version"

In any case it drops the file ldr64.dll (also detected as W32/Bagle.EJ) into the system folder %WINDIR%\system32 and creates the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]

and adds a some values to it in order to be executed at startup.

At next startup the file ldr64.dll is executed in the namespace of winlogon.exe and tries to download the file 444.jpg from several internet addresses and if successful the downloaded file is executed.

Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)