TR/Bagle.CU - Trojan
Virus: TR/Bagle.CU
Date discovered: 20/09/2005
Type: Trojan
In the wild: Yes
Reported infections: Medium
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 35.146 Bytes
MD5 checksum: a543640698380e7a3fe5607cfc42304c
VDF version: 6.32.0.21
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Trojan.Tooso.P
• Mcafee: W32/Bagle.cl
• Kaspersky: Email-Worm.Win32.Bagle.de
• TrendMicro: TROJ_BAGLE.DA
• Bitdefender: Win32.Bagle.CZ@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Downloads a file
• Drops a malicious file
• Lowers security settings
• Registry modification
Right after execution it starts a Windows application that displays the following window:
Files
It copies itself to the following location:
• %SYSDIR%\winshost.exe
It renames the following files:
• AUPDATE.EXE into AUPD1ATE.EXE
• av.dll into a5v.dll
• Avconsol.exe into Avc1onsol.exe
• avgcc.exe into avgc3c.exe
• avgemc.exe into avg23emc.exe
• Avsynmgr.exe into Av1synmgr.exe
• cafix.exe into c6a5fix.exe
• ccApp.exe into ccA1pp.exe
• CCEVTMGR.EXE into C1EVTMGR.EXE
• ccl30.dll into cc1l30.dll
• CCSETMGR.EXE into C1CSETMGR.EXE
• ccvrtrst.dll into ccv1rtrst.dll
• CMGrdian.exe into CM1Grdian.exe
• isafe.exe into is5a6fe.exe
• KAV.exe into K2A2V.exe
• kavmm.exe into kav12mm.exe
• LUALL.EXE into LUAL1L.EXE
• LUINSDLL.DLL into LUI1NSDLL.DLL
• Luupdate.exe into Luup1date.exe
• Mcshield.exe into Mcsh1ield.exe
• NAVAPSVC.EXE into NAV1APSVC.EXE
• NPFMNTOR.EXE into NPFM1NTOR.EXE
• outpost.exe into outp1ost.exe
• RuLaunch.exe into RuLa1unch.exe
• SNDSrvc.exe into SND1Srvc.exe
• SPBBCSvc.exe into SP1BBCSvc.exe
• symlcsvc.exe into s1ymlcsvc.exe
• Up2Date.exe into Up222Date.exe
• vetredir.dll into ve6tre5dir.dll
• Vshwin32.exe into Vshw1in32.exe
• VsStat.exe into Vs1Stat.exe
• vsvault.dll into vs6va5ult.dll
• zlclient.exe into zlcli6ent.exe
• zonealarm.exe into zo3nealarm.exe
• zatutor.exe into zatu6tor.exe
• zlavscan.dll into zl5avscan.dll
The following file is created:
– %SYSDIR%\wiwshost.exe
Further investigation showed that this file is malware too. It is detected as TR/Bagle.CU.1.
It tries to download a file from one of the following locations:
• www.**********build.com/osa6.gif
• www.**********.net/osa6.gif
• www.**********hio.com/osa6.gif
• www.**********.hu/osa6.gif
• www.**********.de/osa6.gif
• www.**********bras.com/osa6.gif
• www.**********online.de/osa6.gif
• www.**********.cn/osa6.gif
• www.**********.com/osa6.gif
• www.**********.at/osa6.gif
• www.**********ecurity.de/osa6.gif
• www.**********ecasa.it/osa6.gif
• www.**********media.nl/osa6.gif
• www.**********project.com/osa6.gif
• www.**********wanjia.com/osa6.gif
• www.**********anqing.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********.hu/osa6.gif
• www.**********gong.org/osa6.gif
• www.**********.com.cn/osa6.gif
• www.**********.de/osa6.gif
• www.**********.com.pl/osa6.gif
• www.**********.com.cn/osa6.gif
• www.**********.com.cn/osa6.gif
• www.**********.hu/osa6.gif
• www.**********hardtgmbh.de/osa6.gif
• www.**********.hu/osa6.gif
• www.**********chule-herb.de/osa6.gif
• www.**********lesser.de/osa6.gif
• www.**********garoy.com/osa6.gif
• www.**********occidente.com/osa6.gif
• www.**********.at/osa6.gif
• www.**********.fi/osa6.gif
• www.**********.com.tw/osa6.gif
• www.**********ters.org/osa6.gif
• www.**********zeuge.de/osa6.gif
• www.**********.com.tw/osa6.gif
• www.**********.cz/osa6.gif
• www.**********service.be/osa6.gif
• www.**********.de/osa6.gif
• www.**********.be/osa6.gif
• www.**********.cl/osa6.gif
• www.**********tgweb.de/osa6.gif
• www.**********.sk/osa6.gif
• www.**********american.com/osa6.gif
• www.**********shinn.com/osa6.gif
• www.**********gjuok.com/osa6.gif
• www.**********bo.com/osa6.gif
• www.**********.ch/osa6.gif
• www.**********rketvw.com/osa6.gif
• www.**********.net/osa6.gif
• www.**********.at/osa6.gif
• www.**********.de/osa6.gif
• www.**********mbh.com/osa6.gif
• www.**********.com.pe/osa6.gif
• www.**********.ee/osa6.gif
• www.**********.net/osa6.gif
• www.**********.de/osa6.gif
• www.**********.ch/osa6.gif
• www.**********gaderc.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********buecher.de/osa6.gif
• www.**********nyuan.com/osa6.gif
• www.**********waaij.nl/osa6.gif
• www.**********anet.sk/osa6.gif
• www.**********photo.com/osa6.gif
• www.**********etaet.de/osa6.gif
• www.**********.org/osa6.gif
• www.**********jor.ru/osa6.gif
• www.**********.org/osa6.gif
• www.**********.biz/osa6.gif
• www.**********.home.pl/osa6.gif
• www.**********steel.at/osa6.gif
• www.**********.de/osa6.gif
• www.**********.com/osa6.gif
• www.**********.az/osa6.gif
• www.**********.com/osa6.gif
• www.**********.com.hk/osa6.gif
• www.**********pharm.com/osa6.gif
• www.**********.dehtdocs/osa6.gif
• www.**********.stir.ac.uk/osa6.gif
• www.**********.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********betcs.com/osa6.gif
• www.**********.cz/osa6.gif
• www.**********.com/osa6.gif
• www.**********heng.com/osa6.gif
• www.**********.net/osa6.gif
• www.**********.com.cn/osa6.gif
• www.**********basketball.de/osa6.gif
• www.**********.com/osa6.gif
• www.**********venture.com/osa6.gif
• www.**********.tv/osa6.gif
• www.**********asoutfitter.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********.friko.pl/osa6.gif
• www.**********.be/osa6.gif
• www.**********.com.pt/osa6.gif
• www.**********elourway.com/osa6.gif
• www.**********.pl/osa6.gif
• www.**********.cz/osa6.gif
• www.**********.com/osa6.gif
• www.**********pecchi.it/osa6.gif
• www.**********.sk/osa6.gif
• www.**********erchair.com/osa6.gif
• www.**********.hu/osa6.gif
• www.**********senelektro.be/osa6.gif
• www.**********.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********.vn/osa6.gif
• www.**********.ac.in/osa6.gif
• www.**********fateh.com/osa6.gif
• www.**********bank.pl/osa6.gif
• www.**********.asn.au/osa6.gif
• www.**********.co.za/osa6.gif
• www.**********.com/osa6.gif
• www.**********productions.com/osa6.gif
• www.**********country.com/osa6.gif
• www.**********.pl/osa6.gif
• www.**********industries.com/osa6.gif
• www.**********.pl/osa6.gif
• www.**********.com/osa6.gif
• www.**********.net/osa6.gif
• www.**********.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********.com/osa6.gif
• www.**********.cz/osa6.gif
• www.**********spruyt.be/osa6.gif
• www.**********download.com/osa6.gif
• www.**********.co.za/osa6.gif
• www.**********software.com/osa6.gif
• www.**********.co.za/osa6.gif
• www.**********.az/osa6.gif
• www.**********.edu.sk/osa6.gif
The downloaded file is saved on the local hard drive under:
%WINDIR%\_re_file.exe
Once fully downloaded, this file is executed. At the time of writing it was no longer online, so it could not be investigated further.
Registry
The following registry values are added so that the process is run again after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe"="%SYSDIR%\winshost.exe"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe"="%SYSDIR%\winshost.exe"
The values of the following registry keys are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• APVXDWIN
• avg7_cc
• avg7_emc
• ccApp
• KAV50
• McAfee Guardian
• NAV CfgWiz
• SSC_UserPrompt
• Symantec NetDriver Monitor
• Zone Labs Client
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• McAfee.InstantUpdate.Monitor
The following registry keys including all values and subkeys are removed:
• [HKLM\SOFTWARE\Agnitum]
• [HKLM\SOFTWARE\KasperskyLab]
• [HKLM\SOFTWARE\McAfee]
• [HKLM\SOFTWARE\Panda Software]
• [HKLM\SOFTWARE\Symantec]
• [HKLM\SOFTWARE\Zone Labs]
The following registry key is added:
– [HKCU\Software\FirstRun]
• "FirstRunRR"=dword:00000001
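The file and registry changes listed above can be checked for on a suspect machine. The following Python script is an added example written for this page, not Avira's code or tooling: it takes a directory listing of the system folder and a registry snapshot (both constructed sample data here, not captures from a real infection) and reports the dropped files, the renamed security-product binaries and the persistence and marker values described above. The renaming check matches the exact names from the list, and additionally generalizes to the trojan's pattern of inserting digits into a known file name, so variants not on the list are still caught as long as the original file has gone missing; the one entry where a letter is also dropped (CCEVTMGR.EXE into C1EVTMGR.EXE) is covered by the exact list. The `installed_autostarts` parameter is an assumption of this example: the caller states which of the listed vendor autostart values should exist on that host, since their absence is only suspicious where the product is installed.

```python
import re
from typing import Dict, Iterable, List, Set

# Indicators below are taken from the Avira description of TR/Bagle.CU.
DROPPED_FILES = {"winshost.exe", "wiwshost.exe", "_re_file.exe"}
RUN_VALUE = "winshost.exe"
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
FIRSTRUN_KEY = r"HKCU\Software\FirstRun"

# Security-product files the trojan renames (original -> renamed), as listed on the page.
RENAMES = {
    "AUPDATE.EXE": "AUPD1ATE.EXE", "av.dll": "a5v.dll", "Avconsol.exe": "Avc1onsol.exe",
    "avgcc.exe": "avgc3c.exe", "avgemc.exe": "avg23emc.exe", "Avsynmgr.exe": "Av1synmgr.exe",
    "cafix.exe": "c6a5fix.exe", "ccApp.exe": "ccA1pp.exe", "CCEVTMGR.EXE": "C1EVTMGR.EXE",
    "ccl30.dll": "cc1l30.dll", "CCSETMGR.EXE": "C1CSETMGR.EXE", "ccvrtrst.dll": "ccv1rtrst.dll",
    "CMGrdian.exe": "CM1Grdian.exe", "isafe.exe": "is5a6fe.exe", "KAV.exe": "K2A2V.exe",
    "kavmm.exe": "kav12mm.exe", "LUALL.EXE": "LUAL1L.EXE", "LUINSDLL.DLL": "LUI1NSDLL.DLL",
    "Luupdate.exe": "Luup1date.exe", "Mcshield.exe": "Mcsh1ield.exe", "NAVAPSVC.EXE": "NAV1APSVC.EXE",
    "NPFMNTOR.EXE": "NPFM1NTOR.EXE", "outpost.exe": "outp1ost.exe", "RuLaunch.exe": "RuLa1unch.exe",
    "SNDSrvc.exe": "SND1Srvc.exe", "SPBBCSvc.exe": "SP1BBCSvc.exe", "symlcsvc.exe": "s1ymlcsvc.exe",
    "Up2Date.exe": "Up222Date.exe", "vetredir.dll": "ve6tre5dir.dll", "Vshwin32.exe": "Vshw1in32.exe",
    "VsStat.exe": "Vs1Stat.exe", "vsvault.dll": "vs6va5ult.dll", "zlclient.exe": "zlcli6ent.exe",
    "zonealarm.exe": "zo3nealarm.exe", "zatutor.exe": "zatu6tor.exe", "zlavscan.dll": "zl5avscan.dll",
}
# Autostart values the trojan deletes from the HKLM Run key.
REMOVED_HKLM_RUN = {"APVXDWIN", "avg7_cc", "avg7_emc", "ccApp", "KAV50", "McAfee Guardian",
                    "NAV CfgWiz", "SSC_UserPrompt", "Symantec NetDriver Monitor", "Zone Labs Client"}


def _norm(name: str) -> str:
    """Case-fold and strip digits: 'Vshw1in32.exe' and 'Vshwin32.exe' both become 'vshwin.exe'."""
    return re.sub(r"\d", "", name.lower())


def find_renamed_security_files(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious file name (lower-cased) to the original it was derived from.

    A file is reported if it is one of the renamed names listed on the page, or if removing
    digits yields a known original name that is itself no longer present in the listing.
    """
    present = {f.lower() for f in filenames}
    exact = {renamed.lower(): orig for orig, renamed in RENAMES.items()}
    by_norm = {_norm(orig): orig for orig in RENAMES}
    hits: Dict[str, str] = {}
    for name in present:
        if name in exact:
            hits[name] = exact[name]
            continue
        orig = by_norm.get(_norm(name))
        if orig and orig.lower() != name and orig.lower() not in present:
            hits[name] = orig
    return hits


def _values(snapshot: Dict[str, Dict[str, object]], key: str) -> Dict[str, object]:
    """Case-insensitive lookup of one key's values in a {key_path: {value_name: data}} snapshot."""
    for k, v in snapshot.items():
        if k.lower() == key.lower():
            return v
    return {}


def check_registry(snapshot: Dict[str, Dict[str, object]],
                   installed_autostarts: Iterable[str] = ()) -> List[str]:
    """Return findings for the Run-key persistence, deleted vendor autostarts and FirstRun marker."""
    findings: List[str] = []
    for key in RUN_KEYS:
        for name, data in _values(snapshot, key).items():
            if name.lower() == RUN_VALUE or str(data).lower().rstrip('"').endswith("\\" + RUN_VALUE):
                findings.append(f"persistence: [{key}] {name} = {data}")
    hklm_run = {n.lower() for n in _values(snapshot, RUN_KEYS[1])}
    for name in installed_autostarts:  # caller-supplied list of values that should exist (assumption)
        if name in REMOVED_HKLM_RUN and name.lower() not in hklm_run:
            findings.append(f"removed autostart: [{RUN_KEYS[1]}] {name}")
    if _values(snapshot, FIRSTRUN_KEY).get("FirstRunRR") == 1:
        findings.append(f"marker: [{FIRSTRUN_KEY}] FirstRunRR = 1")
    return findings


def assess(filenames: Iterable[str], snapshot: Dict[str, Dict[str, object]],
           installed_autostarts: Iterable[str] = ()) -> Dict[str, object]:
    """Combine the file and registry checks into one report."""
    names: Set[str] = {f.lower() for f in filenames}
    return {
        "dropped": names & DROPPED_FILES,
        "renamed": find_renamed_security_files(filenames),
        "registry": check_registry(snapshot, installed_autostarts),
    }


# Constructed sample input for demonstration (not data from a real infection).
SAMPLE_SYSDIR = ["kernel32.dll", "ccApp.exe", "Vshw1in32.exe", "cc1l30.dll", "C1EVTMGR.EXE", "winshost.exe"]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"winshost.exe": r"C:\WINDOWS\system32\winshost.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"},
    r"HKCU\Software\FirstRun": {"FirstRunRR": 1},
}

if __name__ == "__main__":
    for section, result in assess(SAMPLE_SYSDIR, SAMPLE_REGISTRY, ["ccApp", "Zone Labs Client"]).items():
        print(section, result)
```

On the sample data the report flags winshost.exe as a dropped file, three renamed binaries (ccApp.exe is left alone because it is the legitimate name), the HKCU Run value and the FirstRunRR marker, and the missing "Zone Labs Client" autostart that the caller declared as expected.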
Email
It does not have its own spreading routine, but it was spammed out via email. The characteristics of those emails are described below:
Attachment:
The filename of the attachment is one of the following:
• 09_price.zip
• new__price.zip
• new_price.zip
• newprice.zip
• price2.zip
• price_09.zip
• price_new.zip
Hosts
The hosts file is modified as follows:
– Existing entries are deleted.
The modified hosts file will look like this:
Process termination
List of processes that are terminated:
• ATUPDATER.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE;
AUTOUPDATE.EXE; AVPUPD.EXE; AVWUPD32.EXE; AVXQUAR.EXE; CFIAUDIT.EXE;
DRWEBUPW.EXE; ESCANH95.EXE; ESCANHNT.EXE; FIREWALL.EXE; ICSSUPPNT.EXE;
ICSUPP95.EXE; LUALL.EXE; MCUPDATE.EXE; NUPGRADE.EXE; OUTPOST.EXE;
UPDATE.EXE; UPGRADER.EXE
List of services that are disabled:
• Ahnlab task Scheduler; alerter; AlertManger; AVExch32Service;
avg7alrt; avg7updsvc; AvgCore; AvgFsh; AvgServ; AVPCC; AVUPDService;
AvxIni; awhost32; backweb client - 4476822; BackWeb Client - 7681197;
BlackICE; CAISafe; ccEvtMgr; ccPwdSvc; ccSetMgr; ccSetMgr.exe;
DefWatch; dvpapi; dvpinit; fsbwsys; FSDFWD; F-Secure Gatekeeper
Handler Starter; FSMA; KAVMonitorService; kavsvc; KLBLMain; McAfee
Firewall; McAfeeFramework; McShield; McTaskManager; mcupdmgr.exe;
MCVSRte; MonSvcNT; navapsvc; navapsvc; Network Associates Log Service;
NISSERV; NISUM; NOD32ControlCenter; NOD32Service; Norman NJeeves;
Norman ZANDA; Norton Antivirus Server; NPFMntor; NProtectService;
NSCTOP; nvcoas; NVCScheduler; nwclntc; nwclntd; nwclnte; nwclntf;
nwclntg; nwclnth; NWService; Outbreak Manager; Outpost Firewall;
OutpostFirewall; PASSRV; PAVFNSVR; Pavkre; PavProt; PavPrSrv; PAVSRV;
PCCPFW; PersFW; PREVSRV; PSIMSVC; ravmon8; SAVFMSE; SAVScan;
SBService; schscnt; sharedaccess; SharedAccess; SmcService; SNDSrvc;
SPBBCSvc; SweepNet; SWEEPSRV.SYS; Symantec AntiVirus Client; Symantec
Core LC; Tmntsrv; V3MonNT; V3MonSvc; VexiraAntivirus; VisNetic
AntiVirus Plug-in; vsmon; wscsvc; wuauserv; XCOMM
Injection
– It injects the following file into a process:
%SYSDIR%\wiwshost.exe
Process name:
• explorer.exe
File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer. See a brief description here.
Description inserted by Iulia Diaconescu on Tue, 20 Sep 2005 13:52 (GMT+1)
Description updated by Iulia Diaconescu on Thu, 22 Sep 2005 13:41 (GMT+1)
© 2008 Avira GmbH