Virus: DR/Bagle.O.2
Date discovered: 13/12/2012
Type: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low
Static file: Yes
File size: 11.689 Bytes
MD5 checksum: 1af3a1c3261aab9b61b17e1d94c504db
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Alias:
   • Bitdefender: Win32.Bagle.CJ@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\winshost.exe



It renames the following files:

    •  CCSETMGR.EXE into C1CSETMGR.EXE
    •  CCEVTMGR.EXE into CC1EVTMGR.EXE
    •  NAVAPSVC.EXE into NAV1APSVC.EXE
    •  NPFMNTOR.EXE into NPFM1NTOR.EXE
    •  symlcsvc.exe into s1ymlcsvc.exe
    •  SPBBCSvc.exe into SP1BBCSvc.exe
    •  SNDSrvc.exe into SND1Srvc.exe
    •  ccApp.exe into ccA1pp.exe
    •  ccl30.dll into cc1l30.dll
    •  ccvrtrst.dll into ccv1rtrst.dll
    •  LUALL.EXE into LUAL1L.EXE
    •  AUPDATE.EXE into AUPD1ATE.EXE
    •  Luupdate.exe into Luup1date.exe
    •  LUINSDLL.DLL into LUI1NSDLL.DLL
    •  RuLaunch.exe into RuLa1unch.exe
    •  CMGrdian.exe into CM1Grdian.exe
    •  Mcshield.exe into Mcsh1ield.exe
    •  outpost.exe into outp1ost.exe
    •  Avconsol.exe into Avc1onsol.exe
    •  Vshwin32.exe into Vshw1in32.exe
    •  VsStat.exe into Vs1Stat.exe
    •  Avsynmgr.exe into Av1synmgr.exe
    •  kavmm.exe into kav12mm.exe
    •  Up2Date.exe into Up222Date.exe
    •  KAV.exe into K2A2V.exe
    •  avgcc.exe into avgc3c.exe
    •  avgemc.exe into avg23emc.exe
    •  zonealarm.exe into zo3nealarm.exe
    •  zatutor.exe into zatu6tor.exe
    •  zlavscan.dll into zl5avscan.dll
    •  zlclient.exe into zlcli6ent.exe
    •  isafe.exe into is5a6fe.exe
    •  cafix.exe into c6a5fix.exe
    •  vsvault.dll into vs6va5ult.dll
    •  av.dll into a5v.dll
    •  vetredir.dll into ve6tre5dir.dll



The following file is created:

– %SYSDIR%\wiwshost.exe
  Further investigation pointed out that this file is malware, too.



It tries to download the file osa5.gif from a long list of web locations (the host names are masked in the original description):

The downloaded file is saved on the local hard drive under: %WINDIR%\_RE_FILE.exe
This file is executed once the download has completed.
Further investigation pointed out that this file is malware, too. Detected as: TR/Bagle.BR.A.Dll

Registry
The following registry values are added so that the dropped file is run again after every reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "winshost.exe"="%SYSDIR%\winshost.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "winshost.exe"="%SYSDIR%\winshost.exe"



The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • APVXDWIN
   • avg7_cc
   • avg7_emc
   • ccApp
   • KAV50
   • McAfee Guardian
   • NAV CfgWiz
   • SSC_UserPrompt
   • Symantec NetDriver Monitor
   • Zone Labs Client

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • McAfee.InstantUpdate.Monitor

–  HKLM\SOFTWARE
   • Symantec
   • McAfee
   • KasperskyLab
   • Agnitum
   • Panda Software
   • Zone Labs



The following registry key is added:

– HKCU\Software\FirstRun
   • "FirstRunRR"=dword:00000001

Hosts
The hosts file is modified as follows:

– Existing entries are deleted.

Process termination
List of processes that are terminated:
   • ATUPDATER.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AVPUPD.EXE;
      AVWUPD32.EXE; AVXQUAR.EXE; CFIAUDIT.EXE; ESCANHNT.EXE; ICSSUPPNT.EXE;
      LUALL.EXE; MCUPDATE.EXE; OUTPOST.EXE; ATUPDATER.EXE; AUTOUPDATE.EXE;
      DRWEBUPW.EXE; ESCANH95.EXE; FIREWALL.EXE; ICSUPP95.EXE; NUPGRADE.EXE;
      UPDATE.EXE; UPGRADER.EXE


List of services that are disabled:
   •  Ahnlab task Scheduler; alerter; AntiVirus Plug-in; McShield;
      AlertManger; AVExch32Service; avg7alrt; avg7updsvc; AvgCore; AvgFsh;
      AvgServ; avpcc; AVUPDService; AvxIni; awhost32; backweb client -
      4476822; BackWeb Client - 7681197; backweb client-4476822; BlackICE;
      CAISafe; ccEvtMgr; ccPwdSvc; ccSetMgr; ccSetMgr.exe; DefWatch; dvpapi;
      dvpinit; Firewall; fsbwsys; fsdfwd; F-Secure Gatekeeper Handler
      Starter; FSMA; KAVMonitorService; kavsvc; KLBLMain; McAfee;
      McAfeeFramework; McTaskManager; mcupdmgr.exe; MCVSRte; MonSvcNT;
      navapsvc; Network Associates Log Service; NISSERV; NISUM; NJeeves;
      NOD32ControlCenter; NOD32Service; Norman; Norton Antivirus Server;
      NPFMntor; NProtectService; NSCTOP; nvcoas; NVCScheduler; nwclntc;
      nwclntd; nwclnte; nwclntf; nwclntg; nwclnth; NWService; Outbreak
      Manager; Outpost; OutpostFirewall; PASSRV; PAVFNSVR; Pavkre; PavProt;
      PavPrSrv; PAVSRV; PCCPFW; PersFW; PREVSRV; PSIMSVC; ravmon8; SAVFMSE;
      SAVScan; SBService; schscnt; SharedAccess; SmcService; SNDSrvc;
      SPBBCSvc; SweepNet; SWEEPSRV.SYS; Symantec AntiVirus Client; Symantec
      Core LC; Tmntsrv; V3MonNT; V3MonSvc; VexiraAntivirus; VisNetic; vsmon;
      wuauserv; XCOMM; ZANDA

Injection
It injects the following file into a process:
   • %SYSDIR%\wiwshost.exe

Process name:
   • %WINDIR%\Explorer.exe


Description inserted by Irina Boldea on Friday, September 9, 2005
Description updated by Irina Boldea on Thursday, September 22, 2005
