Virus: TR/Bagle.CR
Date discovered: 13/12/2012
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 35.554 Bytes
MD5 checksum: 858B2DA472870C591BF4D0CDE91AC53B
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Trojan.Tooso.P
   • McAfee: W32/Bagle.cj
   • Kaspersky: Email-Worm.Win32.Bagle.da
   • TrendMicro: TROJ_BAGLE.DA
   • Bitdefender: Win32.Bagle.CJ@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops a malicious file
   • Lowers security settings
   • Registry modification


Right after execution it runs a Windows application which displays a window (screenshot not reproduced):


Files
It copies itself to the following location:
   • %SYSDIR%\winshost.exe



It renames the following files:

    •  CCSETMGR.EXE into C1CSETMGR.EXE
    •  CCEVTMGR.EXE into CC1EVTMGR.EXE
    •  NAVAPSVC.EXE into NAV1APSVC.EXE
    •  NPFMNTOR.EXE into NPFM1NTOR.EXE
    •  symlcsvc.exe into s1ymlcsvc.exe
    •  SPBBCSvc.exe into SP1BBCSvc.exe
    •  SNDSrvc.exe into SND1Srvc.exe
    •  ccApp.exe into ccA1pp.exe
    •  ccl30.dll into cc1l30.dll
    •  ccvrtrst.dll into ccv1rtrst.dll
    •  LUALL.EXE into LUAL1L.EXE
    •  AUPDATE.EXE into AUPD1ATE.EXE
    •  Luupdate.exe into Luup1date.exe
    •  LUINSDLL.DLL into LUI1NSDLL.DLL
    •  RuLaunch.exe into RuLa1unch.exe
    •  CMGrdian.exe into CM1Grdian.exe
    •  Mcshield.exe into Mcsh1ield.exe
    •  outpost.exe into outp1ost.exe
    •  Avconsol.exe into Avc1onsol.exe
    •  Vshwin32.exe into Vshw1in32.exe
    •  VsStat.exe into Vs1Stat.exe
    •  Avsynmgr.exe into Av1synmgr.exe
    •  kavmm.exe into kav12mm.exe
    •  Up2Date.exe into Up222Date.exe
    •  KAV.exe into K2A2V.exe
    •  avgcc.exe into avgc3c.exe
    •  avgemc.exe into avg23emc.exe
    •  zonealarm.exe into zo3nealarm.exe
    •  zatutor.exe into zatu6tor.exe
    •  zlavscan.dll into zl5avscan.dll
    •  zlclient.exe into zlcli6ent.exe
    •  isafe.exe into is5a6fe.exe
    •  cafix.exe into c6a5fix.exe
    •  vsvault.dll into vs6va5ult.dl
    •  av.dll into a5v.dll
    •  vetredir.dll into ve6tre5dir.dll



The following file is created:

   • %SYSDIR%\wiwshost.exe
Further investigation showed that this file is malware, too. Detected as: TR/Bagle.CQ.1




It tries to download a file:

– The locations are the following:
It is saved on the local hard drive under %WINDIR%\_re_file.exe. This file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Bagle.DE.3.A

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe"="%SYSDIR%\winshost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe"="%SYSDIR%\winshost.exe"



The values of the following registry keys are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • KAV50
   • avg7_cc
   • avg7_emc
   • Zone Labs Client
   • Symantec NetDriver Monitor
   • ccApp
   • NAV CfgWiz
   • SSC_UserPrompt
   • McAfee Guardian

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • McAfee.InstantUpdate.Monitor
   • internat.exe



The following registry key is added:

– [HKCU\Software\FirstRun]
   • "FirstRunRR"=dword:00000001
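A defender-side triage routine covering the dropped files, the digit-inserting renames of security-product binaries listed in the Files section, and the Run/FirstRun registry entries above. This is an added example, not Avira's code: it checks an inventory you collect yourself (a file listing of %SYSDIR% and a .reg export of the Run keys) and generalises the rename list by comparing names with all digits removed; the sample listing and .reg excerpt are constructed.

```python
"""Triage of a host inventory against the TR/Bagle.CR indicators on this page
(added example, not Avira's code); sample file list and .reg text are constructed."""
import re

DROPPED = {"winshost.exe", "wiwshost.exe", "_re_file.exe"}  # from the page
# Security binaries the trojan renames by inserting digits (subset of the list above)
KNOWN = {"ccsetmgr.exe", "ccevtmgr.exe", "navapsvc.exe", "npfmntor.exe",
         "ccapp.exe", "luall.exe", "mcshield.exe", "outpost.exe", "kav.exe",
         "zonealarm.exe", "zlclient.exe", "isafe.exe", "avgcc.exe"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')  # .reg value line

def _strip_digits(name):
    return re.sub(r"\d", "", name.lower())

def find_dropped(file_names):
    return sorted(f for f in file_names if f.lower() in DROPPED)

def find_renamed(file_names):
    """(observed, original) pairs where a known binary appears with digits inserted."""
    by_stripped = {_strip_digits(k): k for k in KNOWN}
    hits = []
    for f in file_names:
        orig = by_stripped.get(_strip_digits(f))
        if orig and f.lower() != orig:  # an untouched ccApp.exe is not a hit
            hits.append((f, orig))
    return hits

def find_persistence(reg_export):
    """Run values pointing at winshost.exe and the FirstRunRR marker value."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        k, data = key.lower(), m["data"].strip('"').lower()
        if (k.endswith(r"\currentversion\run") and data.endswith("winshost.exe")) \
           or (k.endswith(r"\software\firstrun") and m["name"] == "FirstRunRR"):
            hits.append((key, m["name"], data))
    return hits

SAMPLE_FILES = ["kernel32.dll", "winshost.exe", "CC1EVTMGR.EXE", "ccApp.exe",
                "zlcli6ent.exe", "wiwshost.exe"]  # constructed listing
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=dword:00000001'''  # constructed .reg excerpt
```

A digit-free twin of a known name (for example a legitimate update.exe next to Up2Date.exe) would also match the stripped comparison, so review hits before acting on them.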

Email
It doesn't have its own spreading routine but was spammed out via email. Its characteristics are described below:


Attachment:
The filename of the attachment is one of the following:
   • new__price.zip
   • new_price.zip
   • newprice.zip
   • price2.zip
   • 09_price.zip
   • price_09.zip

Hosts
The hosts file is modified as follows:

– In this case existing entries are deleted.



The modified hosts file will look like this (listing not reproduced):


Process termination
List of processes that are terminated:
   • NUPGRADE.EXE; MCUPDATE.EXE; ATUPDATER.EXE; AUPDATE.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE;
      AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE;
      ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; UPGRADER.EXE; AVXQUAR.EXE;
      AVWUPD32.EXE; AVPUPD.EXE; CFIAUDIT.EXE; UPDATE.EXE


List of services that are disabled:
   • wuauserv (Windows Automatic Updates); SharedAccess (Windows Firewall /
      Internet Connection Sharing); Alerter; PAVSRV; PAVFNSVR; PSIMSVC;
      Pavkre; PavProt; PREVSRV; PavPrSrv; SharedAccess; NPFMntor; Outpost
      Firewall; SAVScan; SBService; Symantec Core LC; ccEvtMgr; SNDSrvc;
      ccPwdSvc; ccSetMgr.exe; SPBBCSvc; KLBLMain; avg7alrt; avg7updsvc;
      vsmon; CAISafe; avpcc; fsbwsys; backweb client - 4476822; fsdfwd;
      F-Secure Gatekeeper Handler Starter; FSMA; KAVMonitorService;
      navapsvc; NProtectService; Norton Antivirus Server; VexiraAntivirus;
      dvpinit; dvpapi; schscnt; BackWeb Client - 7681197; F-Secure
      Gatekeeper Handler Starter; FSMA; AVPCC; KAVMonitorService; Norman
      NJeeves; NVCScheduler; nvcoas; Norman ZANDA; PASSRV; SweepNet;
      SWEEPSRV.SYS; NOD32ControlCenter; NOD32Service; PCCPFW; Tmntsrv;
      AvxIni; XCOMM; ravmon8; SmcService; BlackICE; PersFW; McAfee Firewall;
      OutpostFirewall; NWService; NISUM; NISSERV; vsmon; nwclnth; nwclntg;
      nwclnte; nwclntf; nwclntd; nwclntc; navapsvc; SAVScan; kavsvc;
      DefWatch; Symantec AntiVirus Client; NSCTOP; Symantec Core LC;
      SAVScan; SAVFMSE; ccEvtMgr; navapsvc; ccSetMgr; VisNetic AntiVirus
      Plug-in; McShield; AlertManger; McAfeeFramework; AVExch32Service;
      AVUPDService; McTaskManager; Network Associates Log Service; Outbreak
      Manager; MCVSRte; mcupdmgr.exe; AvgServ; AvgCore; AvgFsh; awhost32;
      Ahnlab task Scheduler; MonSvcNT; V3MonNT; V3MonSvc; FSDFWD

Injection
It injects the following file into a process: wiwshost.exe

   Process name:
   • explorer.exe


File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Oliver Auerbach on Monday, September 19, 2005
Description updated by Victor Tone on Friday, September 23, 2005
