Virus: TR/Bagle.BU
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 9.216 Bytes
MD5 checksum: 1a8ec6d5a16f993f8e93e61113e5b144
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Tooso.J
   •  Mcafee: W32/Bagle.dldr.gen
   •  Kaspersky: Email-Worm.Win32.Bagle.br
   •  TrendMicro: TROJ_BAGLE.BB
   •  F-Secure: W32/Mitglieder.DT
   •  VirusBuster: I-Worm.Bagle.CN


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Disable security applications
   • Registry modification

Files
It renames the following files:

    •  SPBBCSvc.exe into SP1BBCSvc.exe
    •  SNDSrvc.exe into SND1Srvc.exe
    •  ccApp.exe into ccA1pp.exe
    •  ccl30.dll into cc1l30.dll
    •  LUALL.EXE into LUAL1L.EXE
    •  AUPDATE.EXE into AUPD1ATE.EXE
    •  Luupdate.exe into Luup1date.exe
    •  RuLaunch.exe into RuLa1unch.exe
    •  CMGrdian.exe into CM1Grdian.exe
    •  Mcshield.exe into Mcsh1ield.exe
    •  outpost.exe into outp1ost.exe
    •  Avconsol.exe into Avc1onsol.exe
    •  Vshwin32.exe into shw1in32.exe
    •  VsStat.exe into Vs1Stat.exe
    •  Avsynmgr.exe into Av1synmgr.exe
    •  kavmm.exe into kav12mm.exe
    •  Up2Date.exe into Up222Date.exe
    •  KAV.exe into K2A2V.exe
    •  avgcc.exe into avgc3c.exe
    •  avgemc.exe into avg23emc.exe
    •  zatutor.exe into zatutor.exe
    •  isafe.exe into zatu6tor.exe
    •  av.dll into is5a6fe.exe
    •  vetredir.dll into c6a5fix.exe
    •  CCSETMGR.EXE into C1CSETMGR.EXE
    •  CCEVTMGR.EXE into CC1EVTMGR.EXE
    •  NAVAPSVC.EXE into NAV1APSVC.EXE
    •  NPFMNTOR.EXE into NPFM1NTOR.EXE
    •  symlcsvc.exe into s1ymlcsvc.exe
    •  ccvrtrst.dll into ccv1rtrst.dll
    •  LUINSDLL.DLL into LUI1NSDLL.DLL
    •  zlclient.exe into zo3nealarm.exe
    •  cafix.exe into zl5avscan.dll
    •  vsvault.dll into zlcli6ent.exe

Registry
The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
   • Symantec NetDriver Monitor
   • ccApp
   • NAV CfgWiz
   • SSC_UserPrompt
   • McAfee Guardian
   • McAfee.InstantUpdate.Monitor
   • APVXDWIN
   • KAV50
   • avg7_cc
   • avg7_emc
   • Zone Labs Client

–  HKLM\SOFTWARE\
   • Symantec
   • McAfee
   • KasperskyLab
   • Agnitum
   • Panda Software
   • Zone Labs

Process termination
List of processes that are terminated:
   • AVXQUAR.EXE; ESCANHNT.EXE; UPGRADER.EXE; AVXQUAR.EXE; AVWUPD32.EXE;
      AVPUPD.EXE; CFIAUDIT.EXE; UPDATE.EXE; NUPGRADE.EXE; MCUPDATE.EXE;
      ATUPDATER.EXE; AUPDATE.EXE; AUTOTRACE.EXE; AUTOUPDATE.EXE;
      FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE; AUTODOWN.EXE;
      NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ESCANH95.EXE


List of services that are disabled:
   • AVExch32Service; AVPCC; AVUPDService; Ahnlab; task Scheduler;
      AlertManger; AvgCore; AvgFsh; AvgServ; AvxIni; BackWeb Client -
      7681197; BlackICE; CAISafe; DefWatch; F-Secure Gatekeeper Handler
      Starter; FSDFWD; FSMA; KAVMonitorService; KLBLMain; MCVSRte; McAfee
      Firewall; McAfeeFramework; McShield; McTaskManager; MonSvcNT; NISSERV;
      NISUM; NOD32ControlCenter; NOD32Service; NPFMntor; NProtectService;
      NSCTOP; NVCScheduler; NWService; Network Associates Log Service;
      Norman NJeeves; Norman ZANDA; Norton Antivirus Server Outbreak
      Manager; Outpost Firewall; OutpostFirewall; PASSRV; PAVFNSVR; PAVSRV;
      PCCPFW; PREVSRV; PSIMSVC; PavPrSrv; PavProt; Pavkre; PersFW; SAVFMSE;
      SAVScan; SBService; SNDSrvc; SPBBCSvc; SWEEPSRV.SYS; SharedAccess;
      SmcService; SweepNet; Symantec AntiVirus Client; Symantec Core LC;
      Tmntsrv; V3MonNT; V3MonSvc; VexiraAntivirus; VisNetic AntiVirus
      Plug-in; XCOMM; alerter; avg7alrt; avg7updsvc; avpcc; awhost32;
      backweb client - 4476822; backweb client-4476822; ccEvtMgr; ccPwdSvc;
      ccSetMgr; ccSetMgr.exe; dvpapi; dvpinit; fsbwsys; fsdfwd; kavsvc;
      mcupdmgr.exe; navapsvc; nvcoas; nwclntc; nwclntd; nwclnte; nwclntf;
      nwclntg; nwclnth; ravmon8; schscnt; sharedaccess; vsmon; wuauserv

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PE Pack 1.0

Description inserted by Victor Tone on Wednesday, August 3, 2005
Description updated by Victor Tone on Friday, August 26, 2005
