TR/Bagle.DE - Trojan
Virus: TR/Bagle.DE
Date discovered: 22/09/2005
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 35.230 Bytes
MD5 checksum: E0F359B58004488F7A2609C33A1B35C1
VDF version: 6.32.0.32
General
Method of propagation:
• No own spreading routine
Alias:
• Symantec: Trojan.Tooso.Q
• Kaspersky: Email-Worm.Win32.Bagle.dv
• TrendMicro: TROJ_BAGLE.DA
• Bitdefender: Win32.Bagle.DK@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Downloads a malicious file
• Drops a malicious file
• Registry modification
Right after execution it runs a Windows application which displays the following window (the screenshot is not reproduced in this text):
Files
It copies itself to the following location:
• %SYSDIR%\winshost.exe
It renames the following files:
• CCSETMGR.EXE into C1CSETMGR.EXE
• CCEVTMGR.EXE into CC1EVTMGR.EXE
• NAVAPSVC.EXE into NAV1APSVC.EXE
• NPFMNTOR.EXE into NPFM1NTOR.EXE
• symlcsvc.exe into s1ymlcsvc.exe
• SPBBCSvc.exe into SP1BBCSvc.exe
• SNDSrvc.exe into SND1Srvc.exe
• ccApp.exe into ccA1pp.exe
• ccl30.dll into cc1l30.dll
• ccvrtrst.dll into ccv1rtrst.dll
• LUALL.EXE into LUAL1L.EXE
• AUPDATE.EXE into AUPD1ATE.EXE
• Luupdate.exe into Luup1date.exe
• LUINSDLL.DLL into LUI1NSDLL.DLL
• RuLaunch.exe into RuLa1unch.exe
• CMGrdian.exe into CM1Grdian.exe
• Mcshield.exe into Mcsh1ield.exe
• outpost.exe into outp1ost.exe
• Avconsol.exe into Avc1onsol.exe
• Vshwin32.exe into Vshw1in32.exe
• VsStat.exe into Vs1Stat.exe
• Avsynmgr.exe into Av1synmgr.exe
• kavmm.exe into kav12mm.exe
• Up2Date.exe into Up222Date.exe
• KAV.exe into K2A2V.exe
• avgcc.exe into avgc3c.exe
• avgemc.exe into avg23emc.exe
• zonealarm.exe into zo3nealarm.exe
• zatutor.exe into zatu6tor.exe
• zlavscan.dll into zl5avscan.dll
• zlclient.exe into zlcli6ent.exe
• isafe.exe into is5a6fe.exe
• cafix.exe into c6a5fix.exe
• vsvault.dll into vs6va5ult.dll
• av.dll into a5v.dll
• vetredir.dll into ve6tre5dir.dll
The following file is created:
– %SYSDIR%\wiwshost.exe (detected as: TR/Bagle.DE.1)
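The file indicators in the two lists above (the dropped binaries and the security-product files renamed by inserting digits into their names) can be checked mechanically. The following is an added example written for this page, not Avira's code: it takes a plain list of file names (a constructed listing is embedded; on a real host you would pass the contents of %SYSDIR%) and reports dropped files and renamed security-product files. The rename detector generalises the page's pattern to any digit insertion rather than matching the exact list of new names.

```python
"""File-system indicators for TR/Bagle.DE, derived from the advisory above.

Added example, not Avira's code. It takes a plain list of file names
(constructed below; on a real host you would pass the contents of %SYSDIR%)
and reports the dropped binaries and the security-product files that were
renamed by inserting digits into their names."""
import hashlib

# File names the advisory says are dropped into %SYSDIR%.
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}

# MD5 of the static sample as given on the page (lower-cased for comparison).
SAMPLE_MD5 = "e0f359b58004488f7a2609c33a1b35c1"

# Original names of the security-product files the advisory lists as renamed.
RENAMED_TARGETS = sorted({
    "ccsetmgr.exe", "ccevtmgr.exe", "navapsvc.exe", "npfmntor.exe",
    "symlcsvc.exe", "spbbcsvc.exe", "sndsrvc.exe", "ccapp.exe", "ccl30.dll",
    "ccvrtrst.dll", "luall.exe", "aupdate.exe", "luupdate.exe", "luinsdll.dll",
    "rulaunch.exe", "cmgrdian.exe", "mcshield.exe", "outpost.exe",
    "avconsol.exe", "vshwin32.exe", "vsstat.exe", "avsynmgr.exe", "kavmm.exe",
    "up2date.exe", "kav.exe", "avgcc.exe", "avgemc.exe", "zonealarm.exe",
    "zatutor.exe", "zlavscan.dll", "zlclient.exe", "isafe.exe", "cafix.exe",
    "vsvault.dll", "av.dll", "vetredir.dll",
})


def is_digit_insertion(candidate: str, original: str) -> bool:
    """True if `candidate` is `original` with one or more digits inserted.

    This is the sabotage pattern in the advisory (kavmm.exe -> kav12mm.exe,
    KAV.exe -> K2A2V.exe). Comparison is case-insensitive because Windows
    file names are. A greedy subsequence walk suffices: every character of
    `candidate` must either match the next character of `original` or be an
    inserted digit."""
    candidate, original = candidate.lower(), original.lower()
    if len(candidate) <= len(original):
        return False
    i = 0
    for ch in candidate:
        if i < len(original) and ch == original[i]:
            i += 1
        elif not ch.isdigit():
            return False
    return i == len(original)


def renamed_original(filename: str):
    """Return the original security-product name `filename` was derived from,
    or None if it does not look like a digit-insertion rename."""
    if filename.lower() in RENAMED_TARGETS:
        return None  # the file still carries its real name
    for original in RENAMED_TARGETS:
        if is_digit_insertion(filename, original):
            return original
    return None


def scan_listing(filenames):
    """Report dropped files and renamed security-product files in a listing.

    Returns {"dropped": [...], "renamed": {found_name: original_name}}.
    A legitimate file whose name happens to be a known name plus digits will
    also be reported, so treat "renamed" hits as leads to verify by hand."""
    findings = {"dropped": [], "renamed": {}}
    for name in filenames:
        if name.lower() in DROPPED_FILES:
            findings["dropped"].append(name)
        original = renamed_original(name)
        if original is not None:
            findings["renamed"][name] = original
    return findings


def matches_sample(data: bytes) -> bool:
    """True if `data` hashes to the MD5 of the sample documented on the page."""
    return hashlib.md5(data).hexdigest() == SAMPLE_MD5


# Constructed listing standing in for the contents of %SYSDIR% on an infected
# host; these are not real files from any system.
SAMPLE_LISTING = [
    "kernel32.dll", "notepad.exe", "winshost.exe", "wiwshost.exe",
    "CC1EVTMGR.EXE", "kav12mm.exe", "K2A2V.exe", "ccApp.exe",
]

if __name__ == "__main__":
    for category, items in scan_listing(SAMPLE_LISTING).items():
        print(category, items)
```

`ccApp.exe` in the constructed listing is reported as intact, while `CC1EVTMGR.EXE`, `kav12mm.exe` and `K2A2V.exe` are mapped back to the product files they were renamed from; those are the files an administrator needs to restore before the product can run again.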
It tries to download a file:
– The locations are the following:
• http://www.21ebu**********.com/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.acs**********.com/osa6.gif
• http://www.ag**********.hu/osa6.gif
• http://www.a**********.com/.vn/osa6.gif
• http://www.ang**********.de/osa6.gif
• http://www.ascolf**********.com/osa6.gif
• http://www.automobil**********.de/osa6.gif
• http://www.ban**********.cn/osa6.gif
• http://www.beall**********.com/osa6.gif
• http://www.b**********.at/osa6.gif
• http://www.bs-sec**********.de/osa6.gif
• http://www.centroveste**********.it/osa6.gif
• http://www.checko**********.nl/osa6.gif
• http://www.**********project.com/osa6.gif
• http://www.**********wanjia.com/osa6.gif
• http://www.czwa**********.com/osa6.gif
• http://www.**********net.hu/osa6.gif
• http://www.design**********.org/osa6.gif
• http://www.dgy.com/**********/osa6.gif
• http://www.**********-fliesen.de/osa6.gif
• http://www.discoteka-**********.com/osa6.gif
• http://www.**********-invest.com/osa6.gif
• http://www.ea**********.com/osa6.gif
• http://www.**********club.com/osa6.gif
• http://www.eh**********.hu/osa6.gif
• http://www.elvis**********.ch/osa6.gif
• http://www.engelhard**********.de/osa6.gif
• http://www.exter**********.hu/osa6.gif
• http://www.fahrschule**********.de/osa6.gif
• http://www.**********-lesser.de/osa6.gif
• http://www.ferme**********.com/osa6.gif
• http://www.festivalteatro**********.com/osa6.gif
• http://www.form**********.at/osa6.gif
• http://www.foto**********.fi/osa6.gif
• http://www.**********trox.com/.tw/osa6.gif
• http://www.gepe**********.org/osa6.gif
• http://www.gimex-**********.de/osa6.gif
• http://www.**********home.com/.tw/osa6.gif
• http://www.**********mzn.cz/osa6.gif
• http://www.**********service.be/osa6.gif
• http://www.id**********.de/osa6.gif
• http://www.**********cs.be/osa6.gif
• http://www.**********er.cl/osa6.gif
• http://www.inside-**********.de/osa6.gif
• http://www.**********oli.sk/osa6.gif
• http://www.**********-american.com/osa6.gif
• http://www.jeo**********.com/osa6.gif
• http://www.jing**********.com/osa6.gif
• http://www.**********-bo.com/osa6.gif
• http://www.king**********.ch/osa6.gif
• http://www.marke**********.com/osa6.gif
• http://www.mega**********.net/osa6.gif
• http://www.**********ild.at/osa6.gif
• http://www.ni**********.de/osa6.gif
• http://www.**********gmbh.com/osa6.gif
• http://www.**********va.com/.pe/osa6.gif
• http://www.**********24.ee/osa6.gif
• http://www.**********link.net/osa6.gif
• http://www.**********-alliance.de/osa6.gif
• http://www.pre**********.ch/osa6.gif
• http://www.renega**********.com/osa6.gif
• http://www.repl**********.com/osa6.gif
• http://www.**********buecher.de/osa6.gif
• http://www.sanjin**********.com/osa6.gif
• http://www.scvanra**********.nl/osa6.gif
• http://www.slova**********.sk/osa6.gif
• http://www.**********photo.com/osa6.gif
• http://www.socie**********.de/osa6.gif
• http://www.**********co.org/osa6.gif
• http://www.soft**********.ru/osa6.gif
• http://www.so**********.org/osa6.gif
• http://www.spac**********.biz/osa6.gif
• http://www.speedcom.**********.pl/osa6.gif
• http://www.**********-in-steel.at/osa6.gif
• http://www.spo**********.de/osa6.gif
• http://www.sport**********.com/osa6.gif
• http://www.**********y.az/osa6.gif
• http://www.**********solutions.com/osa6.gif
• http://www.st-paulus-**********.de/osa6.gif
• http://www.st**********.com/osa6.gif
• http://www.steri**********.com/osa6.gif
• http://www.students.**********.ac.uk/osa6.gif
• http://www.**********planet.com/osa6.gif
• http://www.sun**********.com/osa6.gif
• http://www.super**********.com/osa6.gif
• http://www.**********eb.cz/osa6.gif
• http://www.syd**********.com/osa6.gif
• http://www.**********iheng.com/osa6.gif
• http://www.**********campus.net/osa6.gif
• http://www.tec**********.de/osa6.gif
• http://www.**********-mutan.com/osa6.gif
• http://www.thai**********.com/osa6.gif
• http://www.**********venture.com/osa6.gif
• http://www.**********funkiest.com/osa6.gif
• http://www.**********step.tv/osa6.gif
• http://www.thetexas**********.com/osa6.gif
• http://www.tmhcsd1987.**********.pl/osa6.gif
• http://www.tous**********.be/osa6.gif
• http://www.tr**********.com/osa6.gif
• http://www.travel**********.com/osa6.gif
• http://www.**********.dobrcz.pl/osa6.gif
• http://www.tri**********.cz/osa6.gif
• http://www.**********tonic.ch/osa6.gif
• http://www.tv-**********.com/osa6.gif
• http://www.**********-cassinadepecchi.it/osa6.gif
• http://www.uni**********.sk/osa6.gif
• http://www.**********chair.com/osa6.gif
• http://www.u**********.hu/osa6.gif
• http://www.**********senelektro.be/osa6.gif
• http://www.vet**********.com/osa6.gif
• http://www.**********meloni.com/osa6.gif
• http://www.**********nn.vn/osa6.gif
• http://www.**********vjiet.ac.in/osa6.gif
• http://www.vote2**********.com/osa6.gif
• http://www.vw.**********-bank.pl/osa6.gif
• http://www.wamba.**********.au/osa6.gif
• http://www.wdlp.**********.za/osa6.gif
• http://www.**********corp.com/osa6.gif
• http://www.**********productions.com/osa6.gif
• http://www.wilson**********.com/osa6.gif
• http://www.wind**********.pl/osa6.gif
• http://www.**********-industries.com/osa6.gif
• http://www.**********old.pl/osa6.gif
• http://www.womb**********.com/osa6.gif
• http://www.**********reme.cz/osa6.gif
• http://www.xian**********.net/osa6.gif
• http://www.**********pie.com/osa6.gif
• http://www.xm**********.com/osa6.gif
• http://www.xo**********.com/osa6.gif
• http://www.yannick-**********.be/osa6.gif
• http://www.**********download.com/osa6.gif
• http://www.yester**********.za
• http://www.**********kj.com/osa6.gif
• http://www.zakazcd.**********.ua/osa6.gif
• http://www.**********ftware.com/osa6.gif
• http://www.**********tek.co.za/osa6.gif
• http://www.zor**********.az/osa6.gif
• http://www.**********sala.edu.sk/osa6.gif
It is saved on the local hard drive under:
– %WINDIR%\_re_file.exe
Once fully downloaded, this file is executed. Further investigation showed that this file is malware, too. Detected as: TR/Bagle.DE.3.A
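Every download location listed above ends in the same path, /osa6.gif, and the fetched file is executed rather than displayed, which gives a defender two cheap checks: flag requests for that path in a web-proxy log, and flag a response that is named like an image but carries a Windows executable. The following is an added example written for this page, not Avira's code; the log format, the log lines and the payload bytes are constructed, and the host names are placeholders rather than the masked hosts from the list.

```python
"""Proxy-log and payload checks for the TR/Bagle.DE download stage.

Added example, not Avira's code. The log lines, the log format and the
payloads below are constructed for the example."""
import re
from urllib.parse import urlsplit

# Path shared by every download location in the advisory.
DOWNLOAD_PATH = "/osa6.gif"

# Minimal access-log format assumed here: time client method url status
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_download_requests(lines):
    """Return (client, url) for each request whose URL path is /osa6.gif.

    Matching on the path only is deliberate: the host list on the page is
    partially masked and ages badly, while the path is fixed. A 404 still
    counts, because the request itself shows an infected client trying."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if urlsplit(rec["url"]).path.lower() == DOWNLOAD_PATH:
            hits.append((rec["client"], rec["url"]))
    return hits


def disguised_executable(url: str, body: bytes) -> bool:
    """True if the URL claims an image but the body is a Windows PE file.

    A real GIF starts with GIF87a or GIF89a; a PE file starts with 'MZ'."""
    path = urlsplit(url).path.lower()
    if not path.endswith((".gif", ".jpg", ".png")):
        return False
    return body[:2] == b"MZ"


# Constructed log lines; the hosts are placeholders, not the masked ones above.
SAMPLE_LOG = [
    "1127388000.123 10.0.0.7 GET http://www.example-site-a.test/index.html 200",
    "1127388001.456 10.0.0.7 GET http://www.example-site-b.test/osa6.gif 200",
    "1127388002.789 10.0.0.9 GET http://www.example-site-c.test/images/logo.gif 200",
    "1127388003.000 10.0.0.9 GET http://www.example-site-d.test/OSA6.GIF 404",
    "garbage line that does not parse",
]

# Constructed bodies: a genuine GIF header and an MZ stub served under a GIF name.
REAL_GIF = b"GIF89a" + b"\x00" * 10
FAKE_GIF = b"MZ\x90\x00" + b"\x00" * 12

if __name__ == "__main__":
    for client, url in flag_download_requests(SAMPLE_LOG):
        print("download attempt:", client, url)
    print(disguised_executable("http://www.example-site-b.test/osa6.gif", FAKE_GIF))
```

The content check is worth running on the proxy rather than only on the host: a response named `osa6.gif` whose first bytes are `MZ` is an executable regardless of what the URL says, and blocking or quarantining it stops the second-stage file (%WINDIR%\_re_file.exe) from ever being written.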
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe"="%SYSDIR%\winshost.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe"="%SYSDIR%\winshost.exe"
The values of the following registry keys are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Symantec NetDriver Monitor
• ccApp
• NAV CfgWiz
• SSC_UserPrompt
• McAfee Guardian
• APVXDWIN
• KAV50
• avg7_cc
• avg7_emc
• Zone Labs Client
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• McAfee.InstantUpdate.Monitor
The following registry keys including all values and subkeys are removed:
• [HKLM\SOFTWARE\Symantec]
• [HKLM\SOFTWARE\McAfee]
• [HKLM\SOFTWARE\KasperskyLab]
• [HKLM\SOFTWARE\Agnitum]
• [HKLM\SOFTWARE\Panda Software]
• [HKLM\SOFTWARE\Zone Labs]
The following registry key is added:
– [HKCU\Software\FirstRun]
• "FirstRunRR"=dword:00000001
The following registry keys are changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
Old value:
• "Start"=%user defined settings%
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• "Start"=%user defined settings%
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\Alerter]
Old value:
• "Start"=%user defined settings%
New value:
• "Start"=dword:00000004
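The registry changes in this section (the two Run values, the FirstRunRR marker, the deleted vendor keys and the three services switched to start type 4) make a compact host-side check. The following is an added example written for this page, not Avira's code. It works on a snapshot modelled as {key_path: {value_name: data}}, constructed below so it runs anywhere; on a live Windows host the same structure could be filled from the winreg module or a .reg export. The start-type values follow the Windows service convention (2 automatic, 3 manual, 4 disabled).

```python
"""Registry and service checks for the TR/Bagle.DE indicators above.

Added example, not Avira's code. Snapshot shape: {key_path: {value: data}}.
The INFECTED and CLEAN snapshots are constructed, not exported from a host."""

RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_BINARY = "winshost.exe"
MARKER_KEY, MARKER_VALUE = r"HKCU\Software\FirstRun", "FirstRunRR"
VENDOR_KEYS = (
    r"HKLM\SOFTWARE\Symantec", r"HKLM\SOFTWARE\McAfee", r"HKLM\SOFTWARE\KasperskyLab",
    r"HKLM\SOFTWARE\Agnitum", r"HKLM\SOFTWARE\Panda Software", r"HKLM\SOFTWARE\Zone Labs",
)
SERVICES_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Services"
TARGET_SERVICES = ("wuauserv", "SharedAccess", "Alerter")
SERVICE_DISABLED = 4  # Windows service start type "disabled"


def _get(snapshot, key):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            return values
    return None


def check_registry(snapshot):
    """Return a list of (category, detail) findings for the snapshot."""
    findings = []
    for key in RUN_KEYS:
        for name, data in (_get(snapshot, key) or {}).items():
            if str(data).lower().endswith("\\" + DROPPED_BINARY):
                findings.append(("persistence", f"{key}\\{name} -> {data}"))
    marker = _get(snapshot, MARKER_KEY) or {}
    if marker.get(MARKER_VALUE) == 1:
        findings.append(("marker", f"{MARKER_KEY}\\{MARKER_VALUE}=1"))
    for svc in TARGET_SERVICES:
        values = _get(snapshot, f"{SERVICES_ROOT}\\{svc}") or {}
        if values.get("Start") == SERVICE_DISABLED:
            findings.append(("service_disabled", svc))
    # The Trojan deletes the vendor keys wholesale. Absence only means
    # something if the product was installed, so this is a weak indicator.
    for key in VENDOR_KEYS:
        if _get(snapshot, key) is None:
            findings.append(("vendor_key_missing", key))
    return findings


def cleanup_actions(findings):
    """Translate findings into concrete remediation steps.

    The original service start types were user-defined, so the services are
    flagged for review rather than reset to a guessed value."""
    actions = []
    for category, detail in findings:
        if category == "persistence":
            actions.append(("delete_value", detail.split(" -> ")[0]))
        elif category == "marker":
            actions.append(("delete_key", MARKER_KEY))
        elif category == "service_disabled":
            actions.append(("restore_service_start", detail))
    return actions


# Constructed snapshot of an infected host. "ExampleTray" is a placeholder
# for an unrelated, legitimate auto-start entry.
INFECTED = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
        "ExampleTray": r"C:\Program Files\Example\tray.exe"},
    r"HKCU\Software\FirstRun": {"FirstRunRR": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": 4},
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 4},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Alerter": {"Start": 4},
    r"HKLM\SOFTWARE\Zone Labs": {},  # one vendor key that survived
}

# Constructed snapshot of a clean host with every vendor key present.
CLEAN = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ExampleTray": r"C:\Program Files\Example\tray.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": 2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Alerter": {"Start": 3},
    **{key: {} for key in VENDOR_KEYS},
}

if __name__ == "__main__":
    for finding in check_registry(INFECTED):
        print(finding)
    print(cleanup_actions(check_registry(INFECTED)))
```

Deleting the two Run values and the FirstRun key removes persistence and the marker, but it does not reverse the damage to the security products themselves: their vendor keys and auto-start values are gone and their binaries renamed, so a reinstall of the affected product is normally needed after the Trojan's own files are removed.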
Hosts
The hosts file is modified as follows:
– Existing entries are deleted.
The modified hosts file will look like this (the sample listing is not reproduced in this text):
Process termination
List of processes that are terminated:
• NUPGRADE.EXE; MCUPDATE.EXE; ATUPDATER.EXE; AUPDATE.EXE; AUTOTRACE.EXE;
AUTOUPDATE.EXE; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE;
AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE;
ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; UPGRADER.EXE; AVXQUAR.EXE;
AVWUPD32.EXE; AVPUPD.EXE; CFIAUDIT.EXE; UPDATE.EXE
List of services that are disabled:
• wuauserv (Automatic updates); SharedAccess (Windows Firewall/Internet
Connection Sharing); alerter; PAVSRV; PAVFNSVR; PSIMSVC; Pavkre;
PavProt; PREVSRV; PavPrSrv; SharedAccess; navapsvc; NPFMntor; Outpost
Firewall; SAVScan; SBService; Symantec Core LC; ccEvtMgr; SNDSrvc;
ccPwdSvc; ccSetMgr.exe; SPBBCSvc; KLBLMain; avg7alrt; avg7updsvc;
vsmon; CAISafe; avpcc; fsbwsys; backweb client - 4476822; backweb
client-4476822; fsdfwd; F-Secure Gatekeeper Handler Starter; FSMA;
KAVMonitorService; navapsvc; NProtectService; Norton Antivirus Server;
VexiraAntivirus; dvpinit; dvpapi; schscnt; BackWeb Client - 7681197;
F-Secure Gatekeeper Handler Starter; FSMA; AVPCC; KAVMonitorService;
Norman NJeeves; NVCScheduler; nvcoas; Norman ZANDA; PASSRV; SweepNet;
SWEEPSRV.SYS; NOD32ControlCenter; NOD32Service; PCCPFW; Tmntsrv;
AvxIni; XCOMM; ravmon8; SmcService; BlackICE; PersFW; McAfee Firewall;
OutpostFirewall; NWService; sharedaccess; NISUM; NISSERV; vsmon;
nwclnth; nwclntg; nwclnte; nwclntf; nwclntd; nwclntc; navapsvc;
Symantec Core LC; SAVScan; kavsvc; DefWatch; Symantec AntiVirus
Client; NSCTOP; Symantec Core LC; SAVScan; SAVFMSE; ccEvtMgr;
navapsvc; ccSetMgr; VisNetic AntiVirus Plug-in; McShield; AlertManger;
McAfeeFramework; AVExch32Service; AVUPDService; McTaskManager; Network
Associates Log Service; Outbreak Manager; MCVSRte; mcupdmgr.exe;
AvgServ; AvgCore; AvgFsh; awhost32; Ahnlab task Scheduler; MonSvcNT;
V3MonNT; V3MonSvc; FSDFWD
Injection
– It injects the following file into a process: %SYSDIR%\wiwshost.exe
Process name:
• explorer.exe
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Andrei Gherman on Thu, 22 Sep 2005 13:09 (GMT+1)
Description updated by Andrei Gherman on Fri, 23 Sep 2005 10:10 (GMT+1)