Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:13/12/2012
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:36.352 Bytes
MD5 checksum:1ab13e9a896bce9e5d452c63ea247ef4
VDF version:

 General Method of propagation:
   • No own spreading routine

   •  Symantec: Trojan.Tooso.K
   •  Mcafee: W32/Bagle.dldr.gen
   •  Kaspersky:
   •  TrendMicro: TROJ_BAGLE.BB
   •  F-Secure: W32/Mitglieder.DT
   •  VirusBuster: I-Worm.Bagle.CL
   •  Bitdefender: Win32.Bagle.BV@mm

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Registry modification
   • Steals information

Right after execution it runs a windows application which will display the following window:

 Files It copies itself to the following location:
   • %SYSDIR%\winshost.exe

The following file is created:

%SYSDIR%\wiwshost.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Bagle.BU

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe" = "%SYSDIR%\winshost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe" = "%SYSDIR%\winshost.exe"

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

The modified host file will look like this:

Description inserted by Victor Tone on Thursday, August 4, 2005
Description updated by Victor Tone on Thursday, August 25, 2005

Back . . . .