TR/Bagle.CY - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Bagle.CY
Date discovered:	20/09/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Medium
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	38.408 Bytes
MD5 checksum:	aad4a3c6e090e2687320f19e4f3f8034
VDF version:	6.32.0.28

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Trojan.Tooso.Q
   • Kaspersky: Email-Worm.Win32.Bagle.dk
   • Bitdefender: Win32.Bagle.DI@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Right after execution it runs a windows application which will display the following window:

Files It copies itself to the following location:
   • %SYSDIR%\winshost.exe

It renames the following files:

    • AUPDATE.EXE into AUPD1ATE.EXE
    • av.dll into a5v.dll
    • Avconsol.exe into Avc1onsol.exe
    • avgcc.exe into avgc3c.exe
    • avgemc.exe into avg23emc.exe
    • Avsynmgr.exe into Av1synmgr.exe
    • cafix.exe into c6a5fix.exe
    • CMGrdian.exe into CM1Grdian.exe
    • isafe.exe into is5a6fe.exe
    • KAV.exe into K2A2V.exe
    • kavmm.exe into kav12mm.exe
    • LUALL.EXE into LUAL1L.EXE
    • LUINSDLL.DLL into LUI1NSDLL.DLL
    • Luupdate.exe into Luup1date.exe
    • Mcshield.exe into Mcsh1ield.exe
    • outpost.exe into outp1ost.exe
    • RuLaunch.exe into RuLa1unch.exe
    • Up2Date.exe into Up222Date.exe
    • vetredir.dll into ve6tre5dir.dll
    • Vshwin32.exe into Vshw1in32.exe
    • VsStat.exe into Vs1Stat.exe
    • vsvault.dll into vs6va5ult.dll
    • zatutor.exe into zatu6tor.exe
    • zlavscan.dll into zl5avscan.dll
    • zlclient.exe into zlcli6ent.exe
    • zonealarm.exe into zo3nealarm.exe

– %SYSDIR%\wiwshost.exe Detected as: TR/Bagle.CY.1

It tries to download some files:

– The locations are the following:
   • www.**********.be/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.co.za/osa6.gif
   • www.**********.ac.uk/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.co.za/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.az/osa6.gif
   • www.**********.edu.sk/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.net/osa6.gif
   • www.**********.dobrcz.pl/osa6.gif
   • www.**********.at/osa6.gif
   • www.**********.ch/osa6.gif
   • www.**********.com.tw/osa6.gif
   • www.**********.cl/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.ee/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.cz/osa6.gif
   • www.**********.cz/osa6.gif
   • www.**********.net/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.net/osa6.gif
   • www.**********.be/osa6.gif
   • www.**********.be/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.at/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com.tw/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.be/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.ac.in/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.at/osa6.gif
   • www.**********.nl/osa6.gif
   • www.**********fi/osa6.gif
   • www.**********.press-bank.pl/osa6.gif
   • www.**********.asn.au/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.co.za/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.cn/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com.cn/osa6.gif
   • www.**********.com.cn/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.org/osa6.gif
   • www.**********ru/osa6.gif
   • www.**********.org/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.biz/osa6.gif
   • www.**********.home.pl/osa6.gif
   • www.**********.com.pt/osa6.gif
   • www.**********.at/osa6.gif
   • www.**********.az/osa6.gif
   • www.**********.dehtdocs/osa6.gif
   • www.**********.com.hk/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com.pe/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.hu/osa6.gif
   • www.**********.hu/osa6.gif
   • www.**********.be/osa6.gif
   • www.**********.hu/osa6.gif
   • www.**********.net/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com.cn/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.pl/osa6.gif
   • www.**********.tv/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.pl/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.pl/osa6.gif
   • www.**********.net/osa6.gif
   • www.**********.hu/osa6.gif
   • www.**********.hu/osa6.gif
   • www.**********.com.cn/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com.pl/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.cz/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.nl/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.cz/osa6.gif
   • www.**********.de/osa6.gif
   • www.**********.com/osa6.gif
   • www.**********.ch/osa6.gif
It is saved on the local hard drive under: %WINDIR%\_re_file.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Bagle.DE.3.A

Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe" = "%SYSDIR%\winshost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winshost.exe" = "%SYSDIR%\winshost.exe"

The values of the following registry keys are removed:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "McAfee.InstantUpdate.Monitor"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Zone Labs Client"
   • "avg7_emc"
   • "avg7_cc"
   • "KAV50"
   • "APVXDWIN"
   • "McAfee Guardian"
   • "SSC_UserPrompt"
   • "NAV CfgWiz"
   • "ccApp"
   • "Symantec NetDriver Monitor"

The following registry keys including all values and subkeys are removed:
   • [HKLM\SOFTWARE\Zone Labs]
   • [HKLM\SOFTWARE\Panda Software]
   • [HKLM\SOFTWARE\Agnitum]
   • [HKLM\SOFTWARE\KasperskyLab]
   • [HKLM\SOFTWARE\McAfee]
   • [HKLM\SOFTWARE\Symantec]

The following registry key is added:

– [HKCU\Software\FirstRun]
   • "FirstRunRR" = dword:00000001

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

The modified host file will look like this:

Process termination List of processes that are terminated:
   • ATUPDATER.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; AVPUPD.EXE; AVWUPD32.EXE; AVXQUAR.EXE; CFIAUDIT.EXE;
      DRWEBUPW.EXE; ESCANH95.EXE; ESCANHNT.EXE; FIREWALL.EXE; ICSSUPPNT.EXE;
      ICSUPP95.EXE; LUALL.EXE; MCUPDATE.EXE; NUPGRADE.EXE; OUTPOST.EXE;
      UPDATE.EXE; UPGRADER.EXE

List of services that are disabled:
   • Ahnlab task Scheduler; alerter; AlertManger; AVExch32Service;
      avg7alrt; avg7updsvc; AvgCore; AvgFsh; AvgServ; avpcc; AVUPDService;
      AvxIni; awhost32; backweb client - 4476822; BackWeb Client - 7681197;
      backweb client-4476822; BlackICE; CAISafe; ccEvtMgr; ccPwdSvc;
      ccSetMgr; ccSetMgr.exe; DefWatch; dvpapi; dvpinit; fsbwsys; fsdfwd;
      F-Secure Gatekeeper Handler Starter; KAVMonitorService; kavsvc;
      KLBLMain; McAfee Firewall; McAfeeFramework; McShield; McTaskManager;
      mcupdmgr.exe; MCVSRte; MonSvcNT; navapsvc; Network Associates Log
      Service; NISSERV; NISUM; NOD32ControlCenter; NOD32Service; Norman
      NJeeves; Norman ZANDA; Norton Antivirus Server; NPFMntor;
      NProtectService; NSCTOP; nvcoas; NVCScheduler; nwclntc; nwclntd;
      nwclnte; nwclntf; nwclntg; nwclnth; NWService; Outbreak Manager;
      Outpost Firewall; OutpostFirewall; PASSRV; PAVFNSVR; Pavkre; PavProt;
      PavPrSrv; PAVSRV; PCCPFW; PersFW; PREVSRV; PSIMSVC; ravmon8; SAVFMSE;
      SAVScan; SBService; schscnt; SharedAccess; SmcService; SNDSrvc;
      SPBBCSvc; SweepNet; SWEEPSRV.SYS; Symantec AntiVirus Client; Symantec
      Core LC; Tmntsrv; V3MonNT; V3MonSvc; VexiraAntivirus; VisNetic
      AntiVirus Plug-in; vsmon; wuauserv; XCOMM

Injection – It injects the following file into a process: %SYSDIR%\wiwshost.exe

Process name:
• explorer.exe

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Razvan Olteanu on Wed, 21 Sep 2005 13:09 (GMT+1)
Description updated by Razvan Olteanu on Fri, 23 Sep 2005 11:32 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back