Virus: DR/Bagle.O.2
Date discovered: 13/12/2012
Type: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low
Static file: Yes
File size: 11.689 Bytes
MD5 checksum: 1af3a1c3261aab9b61b17e1d94c504db
VDF version: 7.11.53.216

General
Method of propagation:
• No own spreading routine
Alias:
• Bitdefender: Win32.Bagle.CJ@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP
Side effects:
• Drops files
• Lowers security settings
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\winshost.exe
It renames the following files:
• CCSETMGR.EXE into C1CSETMGR.EXE
• CCEVTMGR.EXE into CC1EVTMGR.EXE
• NAVAPSVC.EXE into NAV1APSVC.EXE
• NPFMNTOR.EXE into NPFM1NTOR.EXE
• symlcsvc.exe into s1ymlcsvc.exe
• SPBBCSvc.exe into SP1BBCSvc.exe
• SNDSrvc.exe into SND1Srvc.exe
• ccApp.exe into ccA1pp.exe
• ccl30.dll into cc1l30.dll
• ccvrtrst.dll into ccv1rtrst.dll
• LUALL.EXE into LUAL1L.EXE
• AUPDATE.EXE into AUPD1ATE.EXE
• Luupdate.exe into Luup1date.exe
• LUINSDLL.DLL into LUI1NSDLL.DLL
• RuLaunch.exe into RuLa1unch.exe
• CMGrdian.exe into CM1Grdian.exe
• Mcshield.exe into Mcsh1ield.exe
• outpost.exe into outp1ost.exe
• Avconsol.exe into Avc1onsol.exe
• Vshwin32.exe into Vshw1in32.exe
• VsStat.exe into Vs1Stat.exe
• Avsynmgr.exe into Av1synmgr.exe
• kavmm.exe into kav12mm.exe
• Up2Date.exe into Up222Date.exe
• KAV.exe into K2A2V.exe
• avgcc.exe into avgc3c.exe
• avgemc.exe into avg23emc.exe
• zonealarm.exe into zo3nealarm.exe
• zatutor.exe into zatu6tor.exe
• zlavscan.dll into zl5avscan.dll
• zlclient.exe into zlcli6ent.exe
• isafe.exe into is5a6fe.exe
• cafix.exe into c6a5fix.exe
• vsvault.dll into vs6va5ult.dll
• av.dll into a5v.dll
• vetredir.dll into ve6tre5dir.dll
The following file is created:
– %SYSDIR%\wiwshost.exe
Further investigation pointed out that this file is malware, too.

It tries to download some files:
– The locations are the following:
• www.**********.com/osa5.gif
• www.**********.net/osa5.gif
• www.**********.com/osa5.gif
• www.**********.hu/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.de/osa5.gif
• www.**********.cn/osa5.gif
• www.**********.com/osa5.gif
• www.**********.at/osa5.gif
• www.**********.de/osa5.gif
• www.**********.nl/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.hu/osa5.gif
• www.**********.org/osa5.gif
• www.**********.com.cn/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com.pl/osa5.gif
• www.**********.com.cn/osa5.gif
• www.**********.com.cn/osa5.gif
• www.**********.hu/osa5.gif
• www.**********.de/osa5.gif
• www.**********.hu/osa5.gif
• www.**********.de/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.at/osa5.gif
• www.**********.com.tw/osa5.gif
• www.**********.org/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com.tw/osa5.gif
• www.**********.cz/osa5.gif
• www.**********.be/osa5.gif
• www.**********.de/osa5.gif
• www.**********.be/osa5.gif
• www.**********.cl/osa5.gif
• www.**********.de/osa5.gif
• www.**********.sk/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.ch/osa5.gif
• www.**********.com/osa5.gif
• www.**********.net/osa5.gif
• www.**********.at/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com.pe/osa5.gif
• www.**********.ee/osa5.gif
• www.**********.net/osa5.gif
• www.**********.de/osa5.gif
• www.**********.ch/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.nl/osa5.gif
• www.**********.sk/osa5.gif
• www.**********.com/osa5.gif
• www.**********.de/osa5.gif
• www.**********.org/osa5.gif
• www.**********.org/osa5.gif
• www.**********.home.pl/osa5.gif
• www.**********.at/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com.hk/osa5.gif
• www.**********.com/osa5.gif
• www.**********.dehtdocs/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.cz/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.net/osa5.gif
• www.**********.com.cn/osa5.gif
• www.**********.de/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.be/osa5.gif
• www.**********.com.pt/osa5.gif
• www.**********.com/osa5.gif
• www.**********.cz/osa5.gif
• www.**********.com/osa5.gif
• www.**********.sk/osa5.gif
• www.**********.com/osa5.gif
• www.**********.hu/osa5.gif
• www.**********.be/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.co.za/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.net/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.com/osa5.gif
• www.**********.cz/osa5.gif
• www.**********.be/osa5.gif
• www.**********.com/osa5.gif
• www.**********.co.za/osa5.gif
• www.**********.com/osa5.gif
• www.**********.co.za/osa5.gif
• www.**********.sk/osa5.gif
It is saved on the local hard drive under: %WINDIR%\_RE_FILE.exe
Furthermore, this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.
Detected as: TR/Bagle.BR.A.Dll

Registry
The following registry keys are added in order to run the processes after reboot:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• "winshost.exe"="%SYSDIR%\winshost.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "winshost.exe"="%SYSDIR%\winshost.exe"
The values of the following registry keys are removed:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• APVXDWIN
• avg7_cc
• avg7_emc
• ccApp
• KAV50
• McAfee Guardian
• NAV CfgWiz
• SSC_UserPrompt
• Symantec NetDriver Monitor
• Zone Labs Client
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• McAfee.InstantUpdate.Monitor
– HKLM\SOFTWARE
• Symantec
• McAfee
• KasperskyLab
• Agnitum
• Panda Software
• Zone Labs
The following registry key is added:
– HKCU\Software\FirstRun
• "FirstRunRR"=dword:00000001

Hosts
The host file is modified as explained:
– In this case existing entries are deleted.

Process termination
List of processes that are terminated:
• ATUPDATER.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AVPUPD.EXE; AVWUPD32.EXE; AVXQUAR.EXE; CFIAUDIT.EXE; ESCANHNT.EXE; ICSSUPPNT.EXE; LUALL.EXE; MCUPDATE.EXE; OUTPOST.EXE; ATUPDATER.EXE; AUTOUPDATE.EXE; DRWEBUPW.EXE; ESCANH95.EXE; FIREWALL.EXE; ICSUPP95.EXE; NUPGRADE.EXE; UPDATE.EXE; UPGRADER.EXE
List of services that are disabled:
• Ahnlab task Scheduler; alerter; AntiVirus Plug-in; McShield; AlertManger; AVExch32Service; avg7alrt; avg7updsvc; AvgCore; AvgFsh; AvgServ; avpcc; AVUPDService; AvxIni; awhost32; backweb client - 4476822; BackWeb Client - 7681197; backweb client-4476822; BlackICE; CAISafe; ccEvtMgr; ccPwdSvc; ccSetMgr; ccSetMgr.exe; DefWatch; dvpapi; dvpinit; Firewall; fsbwsys; fsdfwd; F-Secure Gatekeeper Handler Starter; FSMA; KAVMonitorService; kavsvc; KLBLMain; McAfee; McAfeeFramework; McTaskManager; mcupdmgr.exe; MCVSRte; MonSvcNT; navapsvc; Network Associates Log Service; NISSERV; NISUM; NJeeves; NOD32ControlCenter; NOD32Service; Norman; Norton Antivirus Server; NPFMntor; NProtectService; NSCTOP; nvcoas; NVCScheduler; nwclntc; nwclntd; nwclnte; nwclntf; nwclntg; nwclnth; NWService; Outbreak Manager; Outpost; OutpostFirewall; PASSRV; PAVFNSVR; Pavkre; PavProt; PavPrSrv; PAVSRV; PCCPFW; PersFW; PREVSRV; PSIMSVC; ravmon8; SAVFMSE; SAVScan; SBService; schscnt; SharedAccess; SmcService; SNDSrvc; SPBBCSvc; SweepNet; SWEEPSRV.SYS; Symantec AntiVirus Client; Symantec Core LC; Tmntsrv; V3MonNT; V3MonSvc; VexiraAntivirus; VisNetic; vsmon; wuauserv; XCOMM; ZANDA

Injection
– It injects the following file into a process: %SYSDIR%\wiwshost.exe
Process name:
• %WINDIR%\Explorer.exe
Description inserted by Irina Boldea on Friday, September 9, 2005 Description updated by Irina Boldea on Thursday, September 22, 2005