Virus:Worm/Bagle.GL
Date discovered:22/06/2006
Type:Worm
In the wild:Yes
Reported Infections:Medium to high
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:No
File size:94.126 Bytes
MD5 checksum:964ecec4462fac5cce157b7bf98fcf25
VDF version:6.35.00.56

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Beagle.FG@mm
   •  Mcafee: W32/Bagle.fc@MM
   •  Kaspersky: Email-Worm.Win32.Bagle.gl
   •  Bitdefender: Win32.Bagle.GL@mm


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a file
   • Drops a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification


It displays the content of a created pictorial file:


 Files It copies itself to the following location:
   • %APPDATA%\hidn\hidn1.exe



The following files are created:

– It creates the following archive containing a copy of the malware:
   • c:\temp.zip

– %APPDATA%\hidn\m_hook.sys Further investigation pointed out that this file is malware, too. Detected as: Worm/Bagle.GL.1

– c:\error.gif



It tries to download some files:

– The locations are the following:
   • http://ujscie.one.pl/**********
   • http://1point2.iae.nl/**********
   • http://appaloosa.no/**********
   • http://apromed.com/**********
   • http://arborfolia.com/**********
   • http://pawlacz.com/**********
   • http://areal-realt.ru/**********
   • http://bitel.ru/**********
   • http://yetii.no-ip.com/**********
   • http://art4u1.superhost.pl/**********
   • http://www.artbed.pl/**********
   • http://art-bizar.foxnet.pl/**********
   • http://www.jonogueira.com/**********
   • http://asdesign.cz/**********
   • http://ftp-dom.earthlink.net/**********
   • http://www.aureaorodeley.com/**********
   • http://www.autoekb.ru/**********
   • http://www.autovorota.ru/**********
   • http://avenue.ee/**********
   • http://www.avinpharma.ru/**********
   • http://ouarzazateservices.com/**********
   • http://stats-adf.altadis.com/**********
   • http://bartex-cit.com.pl/**********
   • http://bazarbekr.sk/**********
   • http://gnu.univ.gda.pl/**********
   • http://bid-usa.com/**********
   • http://biliskov.com/**********
   • http://biomedpel.cz/**********
   • http://blackbull.cz/**********
   • http://bohuminsko.cz/**********
   • http://bonsai-world.com.au/**********
   • http://bpsbillboards.com/**********
   • http://cadinformatics.com/**********
   • http://canecaecia.com/**********
   • http://www.castnetnultimedia.com/**********
   • http://compucel.com/**********
   • http://continentalcarbonindia.com/**********
   • http://ceramax.co.kr/**********
   • http://prime.gushi.org/**********
   • http://www.chapisteriadaniel.com/**********
   • http://charlesspaans.com/**********
   • http://chatsk.wz.cz/**********
   • http://www.chittychat.com/**********
   • http://checkalertusa.com/**********
   • http://cibernegocios.com.ar/**********
   • http://5050clothing.com/**********
   • http://cof666.shockonline.net/**********
   • http://comaxtechnologies.net/**********
   • http://concellodesandias.com/**********
   • http://www.cort.ru/**********
   • http://donchef.com/**********
   • http://www.crfj.com/**********
   • http://kremz.ru/**********
   • http://dev.jintek.com/**********
   • http://foxvcoin.com/**********
   • http://uwua132.org/**********
   • http://v-v-kopretiny.ic.cz/**********
   • http://erich-kaestner-schule-donaueschingen.de/**********
   • http://vanvakfi.com/**********
   • http://axelero.hu/**********
   • http://kisalfold.com/**********
   • http://vega-sps.com/**********
   • http://vidus.ru/**********
   • http://viralstrategies.com/**********
   • http://svatba.viskot.cz/**********
   • http://Vivamodelhobby.com/**********
   • http://vkinfotech.com/**********
   • http://vytukas.com/**********
   • http://waisenhaus-kenya.ch/**********
   • http://watsrisuphan.org/**********
   • http://www.ag.ohio-state.edu/**********
   • http://wbecanada.com/**********
   • http://calamarco.com/**********
   • http://vproinc.com/**********
   • http://grupdogus.de/**********
   • http://knickimbit.de/**********
   • http://dogoodesign.ch/**********
   • http://systemforex.de/**********
   • http://zebrachina.net/**********
   • http://www.walsch.de/**********
   • http://hotchillishop.de/**********
   • http://innovation.ojom.net/**********
   • http://massgroup.de/**********
   • http://web-comp.hu/**********
   • http://webfull.com/**********
   • http://welvo.com/**********
   • http://www.ag.ohio-state.edu/**********
   • http://poliklinika-vajnorska.sk/**********
   • http://wvpilots.org/**********
   • http://www.kersten.de/**********
   • http://www.kljbwadersloh.de/**********
   • http://www.voov.de/**********
   • http://www.wchat.cz/**********
   • http://www.wg-aufbau-bautzen.de/**********
   • http://www.wzhuate.com/**********
   • http://zsnabreznaknm.sk/**********
   • http://xotravel.ru/**********
   • http://ilikesimple.com/**********
   • http://yeniguntugla.com/**********
It is saved on the local hard drive under: %SYSDIR%\re_file.exe

– The locations are the following:
   • http://www.titanmotors.com/images/1/**********
   • http://veranmaisala.com/1/**********
   • http://wklight.nazwa.pl/1/**********
   • http://yongsan24.co.kr/1/**********
   • http://accesible.cl/1/**********
   • http://hotelesalba.com/1/**********
   • http://amdlady.com/1/**********
   • http://inca.dnetsolution.net/1/**********
   • http://www.auraura.com/1/**********
   • http://avataresgratis.com/1/**********
   • http://beyoglu.com.tr/1/**********
   • http://brandshock.com/1/**********
   • http://www.buydigital.co.kr/1/**********
   • http://camaramafra.sc.gov.br/1/**********
   • http://camposequipamentos.com.br/1/**********
   • http://cbradio.sos.pl/1/**********
   • http://c-d-c.com.au/1/**********
   • http://www.klanpl.com/1/**********
   • http://coparefrescos.stantonstreetgroup.com/1/**********
   • http://creainspire.com/1/**********
   • http://desenjoi.com.br/1/**********
   • http://www.inprofile.gr/1/**********
   • http://www.diem.cl/1/**********
   • http://www.discotecapuzzle.com/1/**********
It is saved on the local hard drive under: %WINDIR%\elist.xpt

 Registry The following registry key is added in order to run the process after reboot:

– HKCU\Software\Windows\CurrentVersion\Run
   • "drv_st_key"="%APPDATA%\hidn\hidn1.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook]
   • "Type"=dword:00000001
     "Start"=dword:00000003
     "ErrorControl"=dword:00000000
     "ImagePath"="\??\%APPDATA%\hidn\m_hook.sys"
     "DisplayName"="Empty"

– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Enum]
   • "0"="Root\\LEGACY_M_HOOK\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000]
   • "Service"="m_hook"
     "Legacy"=dword:00000001
     "ConfigFlags"=dword:00000000
     "Class"="LegacyDriver"
     "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
     "DeviceDesc"="Empty"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000\
   Control]
   • "*NewlyCreated*"=dword:00000000
     "ActiveService"="m_hook"



The following registry key including all values and subkeys is removed:
   • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot



The following registry key is added:

– [HKCU\Software\FirstRuxzx]
   • "FirstRun"=dword:00000001



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\Alerter]
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio]
   New value:
   • "Start"=dword:00000004

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:00000004

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Gathered addresses from the internet.


Subject:
One of the following:
   • Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
      Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
      Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee;
      Dorothy; Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth;
      Elizabethe; Ellen; Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances;
      Francis; Fraunces; Gabriell; Geoffraie; George; Grace; Harry; Harrye;
      Henrie; Henry; Henrye; Hughe; Humphrey; Humphrie; Isabel; Isabell;
      James; Jane; Jeames; Jeffrey; Jeffrye; Joane; Johen; John; Josias;
      Judeth; Judith; Judithe; Katherine; Katheryne; Leonard; Leonarde;
      Margaret; Margarett; Margerie; Margerye; Margret; Margrett; Marie;
      Martha; Mary; Marye; Michael; Mychaell; Nathaniel; Nathaniell;
      Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
      Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell;
      Sara; Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell;
      Sybyll; Syndony; Thomas; Valentyne; William; Winifred; Wynefrede;
      Wynefreed; Wynnefreede



Body:
– Contains HTML code.

 
The body of the email is one of the following:
Sometimes it starts with one of the following:

   • I love you

   • To be beloved


Continued by one of the following:

   • archive password: %several random digits%

   • Password -- %several random digits%

   • Password is %several random digits%

   • Password: %several random digits%

   • The password is %several random digits%

   • Use password %several random digits% to open archive.

   • Zip password: %several random digits%


Attachment:
The filename of the attachment is constructed out of the following:

   • Ales
   • Alice
   • Alyce
   • Andrew
   • Androw
   • Androwe
   • Ann
   • Anna
   • Anne
   • Annes
   • Anthonie
   • Anthony
   • Anthonye
   • Avice
   • Avis
   • Bennet
   • Bennett
   • Christean
   • Christian
   • Constance
   • Cybil
   • Daniel
   • Danyell
   • Dorithie
   • Dorothee
   • Dorothy
   • Edmond
   • Edmonde
   • Edmund
   • Edward
   • Edwarde
   • Elizabeth
   • Elizabethe
   • Ellen
   • Ellyn
   • Emanual
   • Emanuel
   • Emanuell
   • Ester
   • Frances
   • Francis
   • Fraunces
   • Gabriell
   • Geoffraie
   • George
   • Grace
   • Harry
   • Harrye
   • Henrie
   • Henry
   • Henrye
   • Hughe
   • Humphrey
   • Humphrie
   • Isabel
   • Isabell
   • James
   • Jane
   • Jeames
   • Jeffrey
   • Jeffrye
   • Joane
   • Johen
   • John
   • Josias
   • Judeth
   • Judith
   • Judithe
   • Katherine
   • Katheryne
   • Leonard
   • Leonarde
   • Margaret
   • Margarett
   • Margerie
   • Margerye
   • Margret
   • Margrett
   • Marie
   • Martha
   • Mary
   • Marye
   • Michael
   • Mychaell
   • Nathaniel
   • Nathaniell
   • Nathanyell
   • Nicholas
   • Nicholaus
   • Nycholas
   • Peter
   • Ralph
   • Rebecka
   • Richard
   • Richarde
   • Robert
   • Roberte
   • Roger
   • Rose
   • Rycharde
   • Samuell
   • Sara
   • Sidney
   • Sindony
   • Stephen
   • Susan
   • Susanna
   • Suzanna
   • Sybell
   • Sybyll
   • Syndony
   • Thomas
   • Valentyne
   • William
   • Winifred
   • Wynefrede
   • Wynefreed
   • Wynnefreede

Continued by one of the following:
   • zip

The attachment is an archive containing a copy of the malware itself.



The email looks like the following:


 Mailing Gather addresses:
It gathers addresses by contacting the following websites:
   • http://www.titanmotors.com/images/1/**********
   • http://veranmaisala.com/1/**********
   • http://wklight.nazwa.pl/1/**********
   • http://yongsan24.co.kr/1/**********
   • http://accesible.cl/1/**********
   • http://hotelesalba.com/1/**********
   • http://amdlady.com/1/**********
   • http://inca.dnetsolution.net/1/**********
   • http://www.auraura.com/1/**********
   • http://avataresgratis.com/1/**********
   • http://beyoglu.com.tr/1/**********
   • http://brandshock.com/1/**********
   • http://www.buydigital.co.kr/1/**********
   • http://camaramafra.sc.gov.br/1/**********
   • http://camposequipamentos.com.br/1/**********
   • http://cbradio.sos.pl/1/**********
   • http://c-d-c.com.au/1/**********
   • http://www.klanpl.com/1/**********
   • http://coparefrescos.stantonstreetgroup.com/1/**********
   • http://creainspire.com/1/**********
   • http://desenjoi.com.br/1/**********
   • http://www.inprofile.gr/1/**********
   • http://www.diem.cl/1/**********
   • http://www.discotecapuzzle.com/1/**********


Resolving server names:
It has the ability to contact the DNS server:
   • 217.5.97.137

 Process termination List of processes that are terminated:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; a2guard.exe; aavshield.exe;
      AckWin32.exe; ADVCHK.EXE; AhnSD.exe; airdefense.exe; ALERTSVC.EXE;
      ALMon.exe; ALOGSERV.EXE; ALsvc.exe; amon.exe; Anti-Trojan.exe;
      AntiVirScheduler; AntiVirService; ANTS.EXE; apvxdwin.exe;
      APVXDWIN.EXE; Armor2net.exe; ashAvast.exe; ashDisp.exe; ashEnhcd.exe;
      ashMaiSv.exe; ashPopWz.exe; ashServ.exe; ashSimpl.exe; ashSkPck.exe;
      ashWebSv.exe; aswUpdSv.exe; ATCON.EXE; ATUPDATER.EXE; ATWATCH.EXE;
      AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AUTOUPDATE.EXE; avciman.exe;
      Avconsol.exe; AVENGINE.EXE; avgamsvr.exe; avgcc.exe; AVGCC32.EXE;
      AVGCTRL.EXE; avgemc.exe; avgfwsrv.exe; AVGNT.EXE; avgntdd; avgntmgr;
      AVGSERV.EXE; AVGUARD.EXE; avgupsvc.exe; avinitnt.exe; AvkServ.exe;
      AVKService.exe; AVKWCtl.exe; AVP.EXE; AVP32.EXE; avpcc.exe; avpm.exe;
      AVPUPD.EXE; AVSCHED32.EXE; avsynmgr.exe; AVWUPD32.EXE; AVWUPSRV.EXE;
      AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE; BackWeb-4476822.exe;
      bdmcon.exe; bdnews.exe; bdoesrv.exe; bdss.exe; bdsubmit.exe;
      bdswitch.exe; blackd.exe; blackice.exe; cafix.exe; ccApp.exe;
      ccEvtMgr.exe; ccProxy.exe; ccSetMgr.exe; CFIAUDIT.EXE; ClamTray.exe;
      ClamWin.exe; Claw95.exe; Claw95cf.exe; cleaner.exe; cleaner3.exe;
      CliSvc.exe; CMGrdian.exe; cpd.exe; DefWatch.exe; DOORS.EXE;
      DrVirus.exe; drwadins.exe; drweb32w.exe; drwebscd.exe; DRWEBUPW.EXE;
      drwebupw.exe; DRWEBUPW.EXE; ESCANH95.EXE; ESCANHNT.EXE; ewidoctrl.exe;
      EzAntivirusRegistrationCheck.exe; F-AGNT95.EXE; F-PROT95.EXE;
      F-Sched.exe; F-StopW.EXE; FAMEH32.EXE; FAST.EXE; FCH32.EXE;
      filtnt.sys; FireSvc.exe; FireTray.exe; FIREWALL.EXE; fpavupdm.exe;
      frameworkservice.exe; freshclam.exe; FRW.EXE; fsav32.exe; fsavgui.exe;
      fsbwsys.exe; fsdfwd.exe; FSGK32.EXE; fsgk32st.exe; fsguiexe.exe;
      FSM32.EXE; FSMA32.EXE; FSMB32.EXE; fspex.exe; fssm32.exe;
      gcasDtServ.exe; gcasServ.exe; GIANTAntiSpywareMain.exe;
      GIANTAntiSpywareUpdater.exe; GUARD.EXE; GUARDGUI.EXE; GuardNT.exe;
      guardnt.sys; hidn.exe; HRegMon.exe; Hrres.exe; HSockPE.exe;
      HUpdate.EXE; iamapp.exe; iamserv.exe; ICLOAD95.EXE; ICLOADNT.EXE;
      ICMON.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFACE.EXE;
      INETUPD.EXE; InocIT.exe; InoRpc.exe; InoRT.exe; InoTask.exe;
      InoUpTNG.exe; IOMON98.EXE; isafe.exe; ISATRAY.EXE; ISRV95.EXE;
      ISSVC.exe; JEDI.EXE; KAV.exe; kavmm.exe; KAVPF.exe; KavPFW.exe;
      KAVStart.exe; KAVSvc.exe; kavsvc.exe; KAVSvcUI.EXE; KMailMon.EXE;
      KPfwSvc.EXE; KWatch.EXE; livesrv.exe; LOCKDOWN2000.EXE; LogWatNT.exe;
      lpfw.exe; LUALL.EXE; LUCOMSERVER.EXE; LuComServer_2_5.EXE;
      lucomserver_2_6.exe; Luupdate.exe; MCAGENT.EXE; mcmnhdlr.exe;
      mcregwiz.exe; Mcshield.exe; MCUPDATE.EXE; mcupdate.exe; MCUPDATE.EXE;
      mcvsshld.exe; MINILOG.EXE; MONITOR.EXE; MonSysNT.exe; MOOLIVE.EXE;
      MpEng.exe; mpssvc.exe; MSMPSVC.exe; myAgtSvc.exe; myagttry.exe;
      navapsvc.exe; NAVAPW32.EXE; NavLu32.exe; NAVW32.EXE; NDD32.EXE;
      NeoWatchLog.exe; NeoWatchTray.exe; NISSERV; NISSERVNeoWatchTray.exe;
      NISUM.EXE; NMAIN.EXE; nod32.exe; nod32krn.exe; nod32kui.exe;
      NORMIST.EXE; notstart.exe; npavtray.exe; NPFMNTOR.EXE; npfmsg.exe;
      NPROTECT.EXE; NSCHED32.EXE; NSMdtr.exe; NssServ.exe; NssTray.exe;
      ntrtscan.exe; NTXconfig.exe; NUPGRADE.EXE; NVC95.EXE; Nvcod.exe;
      Nvcte.exe; Nvcut.exe; NWService.exe; OfcPfwSvc.exe; OUTPOST.EXE;
      PAV.EXE; PavFires.exe; PavFnSvr.exe; Pavkre.exe; PavProt.exe;
      pavProxy.exe; pavprsrv.exe; pavsrv51.exe; PAVSS.EXE; pccguide.exe;
      PCCIOMON.EXE; pccntmon.exe; PCCPFW.exe; PcCtlCom.exe; PCTAV.exe;
      PERSFW.EXE; pertsk.exe; PERVAC.EXE; PNMSRV.EXE; POP3TRAP.EXE;
      POPROXY.EXE; prevsrv.exe; PsImSvc.exe; QHM32.EXE; QHONLINE.EXE;
      QHONSVC.EXE; QHPF.EXE; qhwscsvc.exe; RavMon.exe; RavTimer.exe;
      Realmon.exe; REALMON95.EXE; Rescue.exe; rfwmain.exe; Rtvscan.exe;
      RTVSCN95.EXE; RuLaunch.exe; SAVAdminService.exe; SAVMain.exe;
      savprogress.exe; SAVScan.exe; SCAN32.EXE; ScanningProcess.exe;
      sched.exe; sdhelp.exe; SERVIC~1.EXE; SHSTAT.EXE; SiteCli.exe; smc.exe;
      SNDSrvc.exe; SPBBCSvc.exe; SPHINX.EXE; spiderml.exe; spidernt.exe;
      Spiderui.exe; SpybotSD.exe; SPYXX.EXE; SS3EDIT.EXE; stopsignav.exe;
      swAgent.exe; swdoctor.exe; SWNETSUP.EXE; symlcsvc.exe;
      SymProxySvc.exe; SymSPort.exe; SymWSC.exe; SYNMGR.EXE; TAUMON.EXE;
      TBMon.exe; TC.EXE; tca.exe; TCM.EXE; TDS-3.EXE; TeaTimer.exe;
      TFAK.EXE; THAV.EXE; THSM.EXE; Tmas.exe; tmlisten.exe; Tmntsrv.exe;
      TmPfw.exe; tmproxy.exe; TNBUtil.exe; TRJSCAN.EXE; Up2Date.exe;
      UPDATE.EXE; UpdaterUI.exe; upgrader.exe; upgrepl.exe; Vba32ECM.exe;
      Vba32ifs.exe; vba32ldr.exe; Vba32PP3.exe; VBSNTW.exe; vchk.exe;
      vcrmon.exe; VetTray.exe; VirusKeeper.exe; VPTRAY.EXE; vrfwsvc.exe;
      VRMONNT.EXE; vrmonsvc.exe; vrrw32.exe; VSECOMR.EXE; Vshwin32.exe;
      vsmon.exe; vsserv.exe; VsStat.exe; WATCHDOG.EXE; WebProxy.exe;
      Webscanx.exe; WEBTRAP.EXE; WGFE95.EXE; Winaw32.exe; winroute.exe;
      winss.exe; winssnotify.exe; WRADMIN.EXE; WRCTRL.EXE; xcommsvr.exe;
      zatutor.exe; ZAUINST.EXE; zlclient.exe; zonealarm.exe


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • smtp.google.com

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own files
– Its own process
– Its own registry key

– The following files:
   • shared; hidn; hidn.exe; hidn1.exe; m_hook.sys; _AVP32.EXE; _AVPCC.EXE;
      _AVPM.EXE; a2guard.exe; aavshield.exe; AckWin32.exe; ADVCHK.EXE;
      AhnSD.exe; airdefense.exe; ALERTSVC.EXE; ALMon.exe; ALOGSERV.EXE;
      ALsvc.exe; amon.exe; Anti-Trojan.exe; AntiVirScheduler;
      AntiVirService; ANTS.EXE; apvxdwin.exe; APVXDWIN.EXE; Armor2net.exe;
      ashAvast.exe; ashDisp.exe; ashEnhcd.exe; ashMaiSv.exe; ashPopWz.exe;
      ashServ.exe; ashSimpl.exe; ashSkPck.exe; ashWebSv.exe; aswUpdSv.exe;
      ATCON.EXE; ATUPDATER.EXE; ATWATCH.EXE; AUPDATE.EXE; AUTODOWN.EXE;
      AUTOTRACE.EXE; AUTOUPDATE.EXE; avciman.exe; Avconsol.exe;
      AVENGINE.EXE; avgamsvr.exe; avgcc.exe; AVGCC32.EXE; AVGCTRL.EXE;
      avgemc.exe; avgfwsrv.exe; AVGNT.EXE; avgntdd; avgntmgr; AVGSERV.EXE;
      AVGUARD.EXE; avgupsvc.exe; avinitnt.exe; AvkServ.exe; AVKService.exe;
      AVKWCtl.exe; AVP.EXE; AVP32.EXE; avpcc.exe; avpm.exe; AVPUPD.EXE;
      AVSCHED32.EXE; avsynmgr.exe; AVWUPD32.EXE; AVWUPSRV.EXE;
      AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE; BackWeb-4476822.exe;
      bdmcon.exe; bdnews.exe; bdoesrv.exe; bdss.exe; bdsubmit.exe;
      bdswitch.exe; blackd.exe; blackice.exe; cafix.exe; ccApp.exe;
      ccEvtMgr.exe; ccProxy.exe; ccSetMgr.exe; CFIAUDIT.EXE; ClamTray.exe;
      ClamWin.exe; Claw95.exe; Claw95cf.exe; cleaner.exe; cleaner3.exe;
      CliSvc.exe; CMGrdian.exe; cpd.exe; DefWatch.exe; DOORS.EXE;
      DrVirus.exe; drwadins.exe; drweb32w.exe; drwebscd.exe; DRWEBUPW.EXE;
      drwebupw.exe; DRWEBUPW.EXE; ESCANH95.EXE; ESCANHNT.EXE; ewidoctrl.exe;
      EzAntivirusRegistrationCheck.exe; F-AGNT95.EXE; F-PROT95.EXE;
      F-Sched.exe; F-StopW.EXE; FAMEH32.EXE; FAST.EXE; FCH32.EXE;
      filtnt.sys; FireSvc.exe; FireTray.exe; FIREWALL.EXE; fpavupdm.exe;
      frameworkservice.exe; freshclam.exe; FRW.EXE; fsav32.exe; fsavgui.exe;
      fsbwsys.exe; fsdfwd.exe; FSGK32.EXE; fsgk32st.exe; fsguiexe.exe;
      FSM32.EXE; FSMA32.EXE; FSMB32.EXE; fspex.exe; fssm32.exe;
      gcasDtServ.exe; gcasServ.exe; GIANTAntiSpywareMain.exe;
      GIANTAntiSpywareUpdater.exe; GUARD.EXE; GUARDGUI.EXE; GuardNT.exe;
      guardnt.sys; hidn.exe; HRegMon.exe; Hrres.exe; HSockPE.exe;
      HUpdate.EXE; iamapp.exe; iamserv.exe; ICLOAD95.EXE; ICLOADNT.EXE;
      ICMON.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFACE.EXE;
      INETUPD.EXE; InocIT.exe; InoRpc.exe; InoRT.exe; InoTask.exe;
      InoUpTNG.exe; IOMON98.EXE; isafe.exe; ISATRAY.EXE; ISRV95.EXE;
      ISSVC.exe; JEDI.EXE; KAV.exe; kavmm.exe; KAVPF.exe; KavPFW.exe;
      KAVStart.exe; KAVSvc.exe; kavsvc.exe; KAVSvcUI.EXE; KMailMon.EXE;
      KPfwSvc.EXE; KWatch.EXE; livesrv.exe; LOCKDOWN2000.EXE; LogWatNT.exe;
      lpfw.exe; LUALL.EXE; LUCOMSERVER.EXE; LuComServer_2_5.EXE;
      lucomserver_2_6.exe; Luupdate.exe; MCAGENT.EXE; mcmnhdlr.exe;
      mcregwiz.exe; Mcshield.exe; MCUPDATE.EXE; mcupdate.exe; MCUPDATE.EXE;
      mcvsshld.exe; MINILOG.EXE; MONITOR.EXE; MonSysNT.exe; MOOLIVE.EXE;
      MpEng.exe; mpssvc.exe; MSMPSVC.exe; myAgtSvc.exe; myagttry.exe;
      navapsvc.exe; NAVAPW32.EXE; NavLu32.exe; NAVW32.EXE; NDD32.EXE;
      NeoWatchLog.exe; NeoWatchTray.exe; NISSERV; NISSERVNeoWatchTray.exe;
      NISUM.EXE; NMAIN.EXE; nod32.exe; nod32krn.exe; nod32kui.exe;
      NORMIST.EXE; notstart.exe; npavtray.exe; NPFMNTOR.EXE; npfmsg.exe;
      NPROTECT.EXE; NSCHED32.EXE; NSMdtr.exe; NssServ.exe; NssTray.exe;
      ntrtscan.exe; NTXconfig.exe; NUPGRADE.EXE; NVC95.EXE; Nvcod.exe;
      Nvcte.exe; Nvcut.exe; NWService.exe; OfcPfwSvc.exe; OUTPOST.EXE;
      PAV.EXE; PavFires.exe; PavFnSvr.exe; Pavkre.exe; PavProt.exe;
      pavProxy.exe; pavprsrv.exe; pavsrv51.exe; PAVSS.EXE; pccguide.exe;
      PCCIOMON.EXE; pccntmon.exe; PCCPFW.exe; PcCtlCom.exe; PCTAV.exe;
      PERSFW.EXE; pertsk.exe; PERVAC.EXE; PNMSRV.EXE; POP3TRAP.EXE;
      POPROXY.EXE; prevsrv.exe; PsImSvc.exe; QHM32.EXE; QHONLINE.EXE;
      QHONSVC.EXE; QHPF.EXE; qhwscsvc.exe; RavMon.exe; RavTimer.exe;
      Realmon.exe; REALMON95.EXE; Rescue.exe; rfwmain.exe; Rtvscan.exe;
      RTVSCN95.EXE; RuLaunch.exe; SAVAdminService.exe; SAVMain.exe;
      savprogress.exe; SAVScan.exe; SCAN32.EXE; ScanningProcess.exe;
      sched.exe; sdhelp.exe; SERVIC~1.EXE; SHSTAT.EXE; SiteCli.exe; smc.exe;
      SNDSrvc.exe; SPBBCSvc.exe; SPHINX.EXE; spiderml.exe; spidernt.exe;
      Spiderui.exe; SpybotSD.exe; SPYXX.EXE; SS3EDIT.EXE; stopsignav.exe;
      swAgent.exe; swdoctor.exe; SWNETSUP.EXE; symlcsvc.exe;
      SymProxySvc.exe; SymSPort.exe; SymWSC.exe; SYNMGR.EXE; TAUMON.EXE;
      TBMon.exe; TC.EXE; tca.exe; TCM.EXE; TDS-3.EXE; TeaTimer.exe;
      TFAK.EXE; THAV.EXE; THSM.EXE; Tmas.exe; tmlisten.exe; Tmntsrv.exe;
      TmPfw.exe; tmproxy.exe; TNBUtil.exe; TRJSCAN.EXE; Up2Date.exe;
      UPDATE.EXE; UpdaterUI.exe; upgrader.exe; upgrepl.exe; Vba32ECM.exe;
      Vba32ifs.exe; vba32ldr.exe; Vba32PP3.exe; VBSNTW.exe; vchk.exe;
      vcrmon.exe; VetTray.exe; VirusKeeper.exe; VPTRAY.EXE; vrfwsvc.exe;
      VRMONNT.EXE; vrmonsvc.exe; vrrw32.exe; VSECOMR.EXE; Vshwin32.exe;
      vsmon.exe; vsserv.exe; VsStat.exe; WATCHDOG.EXE; WebProxy.exe;
      Webscanx.exe; WEBTRAP.EXE; WGFE95.EXE; Winaw32.exe; winroute.exe;
      winss.exe; winssnotify.exe; WRADMIN.EXE; WRCTRL.EXE; xcommsvr.exe;
      zatutor.exe; ZAUINST.EXE; zlclient.exe; zonealarm.exe

– The following directories:
   • shared
   • hidn
   • hidn.exe
   • hidn1.exe
   • m_hook.sys


Method used:
    • Hidden from Windows API

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Ivanes on Thursday, June 22, 2006
Description updated by Andrei Ivanes on Wednesday, June 28, 2006

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.