TR/Bagle.DG - Trojan
Virus: TR/Bagle.DG
Date discovered: 22/09/2005
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 35.761 Bytes
MD5 checksum: 2e5e131e4d5a6500b94f68d1c11ffcc5
VDF version: 6.32.0.33
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Trojan.Tooso.Q
• TrendMicro: TROJ_BAGLE.DA
• F-Secure: W32/Mitglieder.FL
• Bitdefender: Win32.Bagle.DG@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Downloads a malicious file
• Drops a malicious file
• Lowers security settings
• Registry modification
Right after execution the following information is displayed:
Files
It copies itself to the following location:
• %SYSDIR%\winshost.exe
The following file is created:
– %SYSDIR%\winshost.exe Further investigation showed that this file is malware, too. Detected as: TR/Bagle.DG.1
It tries to download a file:
– The locations are the following:
• http://www.**********.com/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.**********.pl/osa6.gif
• http://www.**********.at/osa6.gif
• http://www.**********.ch/osa6.gif
• http://www.**********.com.tw/osa6.gif
• http://www.**********.cl/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.ee/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.cz/osa6.gif
• http://www.**********.cz/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.**********.be/osa6.gif
• http://www.**********.be/osa6.gif
• http://www.**********.org/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.at/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.it/osa6.gif
• http://www.**********.sk/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com.tw/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.be/osa6.gif
• http://www.**********.it/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.ac.in/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.at/osa6.gif
• http://www.**********.nl/osa6.gif
• http://www.**********.fi/osa6.gif
• http://www.**********.pl/osa6.gif
• http://www.**********.asn.au/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.co.za/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.cn/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com.cn/osa6.gif
• http://www.**********.com.cn/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.org/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.org/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com.pt/osa6.gif
• http://www.**********.at/osa6.gif
• http://www.**********.com.hk/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com.pe/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.vn/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.hu/osa6.gif
• http://www.**********.hu/osa6.gif
• http://www.**********.be/osa6.gif
• http://www.**********.hu/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com.cn/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.friko.pl/osa6.gif
• http://www.**********.tv/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.pl/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.pl/osa6.gif
• http://www.**********.net/osa6.gif
• http://www.**********.sk/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.hu/osa6.gif
• http://www.**********.com.cn/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.com.pl/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.cz/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.nl/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.cz/osa6.gif
• http://www.**********.de/osa6.gif
• http://www.**********.com/osa6.gif
• http://www.**********.ch/osa6.gif
It is saved on the local hard drive under:
• %WINDIR%\_re_file.exe
Furthermore, this file is executed once it has been fully downloaded. At the time of writing this file was not online for further investigation.
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe" = "%SYSDIR%\winshost.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "winshost.exe" = "%SYSDIR%\winshost.exe"
The values of the following registry keys are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• ccApp
• NAV CfgWiz
• SSC_UserPrompt
• McAfee Guardian
• APVXDWIN
• KAV50
• avg7_cc
• avg7_emc
• Zone Labs Client
• Symantec NetDriver Monitor
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• McAfee.InstantUpdate.Monitor
The following registry key is added:
– [HKCU\Software\FirstRun]
• "FirstRunRR"=dword:00000001
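The registry changes listed above (the two winshost.exe autorun entries, the removed security-product autorun values and the FirstRunRR marker) are the indicators an incident responder would check first. The following triage helper is an added example, not Avira's code: it matches a snapshot of the Run keys against those indicators. The snapshot format (a dict of key path to value name/data), the baseline of expected security-product entries and the sample paths are assumptions constructed for illustration; on a real host the snapshot would be taken from a registry export.

```python
"""Triage helper: compare a host's autorun registry state with the
TR/Bagle.DG indicators from the description (added example, not Avira's code).
Snapshot/baseline format is an assumption: {key path: {value name: data}}."""

import re
from dataclasses import dataclass, field

HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_FIRSTRUN = r"HKCU\Software\FirstRun"

# Autorun value names the description says the trojan removes.
REMOVED_HKLM = {"ccApp", "NAV CfgWiz", "SSC_UserPrompt", "McAfee Guardian",
                "APVXDWIN", "KAV50", "avg7_cc", "avg7_emc", "Zone Labs Client",
                "Symantec NetDriver Monitor"}
REMOVED_HKCU = {"McAfee.InstantUpdate.Monitor"}

# Value data ending in \winshost.exe, whatever the system directory resolves to.
WINSHOST = re.compile(r'\\winshost\.exe"?$', re.IGNORECASE)


@dataclass
class Findings:
    autorun_hits: list = field(default_factory=list)            # (key, name, data)
    missing_security_entries: list = field(default_factory=list)  # (key, name)
    firstrun_marker: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.autorun_hits) or self.firstrun_marker


def triage(snapshot: dict, baseline: dict) -> Findings:
    """baseline lists the security-product autoruns the host is expected to
    have; entries present there, named in the description, and absent from
    the snapshot are reported as possibly removed by the trojan."""
    f = Findings()
    for key in (HKCU_RUN, HKLM_RUN):
        for name, data in snapshot.get(key, {}).items():
            if WINSHOST.search(str(data)):
                f.autorun_hits.append((key, name, data))
    for key, removed in ((HKLM_RUN, REMOVED_HKLM), (HKCU_RUN, REMOVED_HKCU)):
        present = set(snapshot.get(key, {}))
        for name in sorted(set(baseline.get(key, {})) & removed):
            if name not in present:
                f.missing_security_entries.append((key, name))
    marker = snapshot.get(HKCU_FIRSTRUN, {}).get("FirstRunRR")
    f.firstrun_marker = marker in (1, "dword:00000001")
    return f


# Constructed sample: the same host before infection (baseline) and after the
# trojan ran, mirroring the registry changes in the description.
BASELINE = {
    HKLM_RUN: {"ccApp": r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
               "avg7_cc": r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP"},
    HKCU_RUN: {"McAfee.InstantUpdate.Monitor": r'"C:\Program Files\McAfee\Agent\mcupdate.exe"'},
}
INFECTED = {
    HKLM_RUN: {"winshost.exe": r"C:\WINDOWS\system32\winshost.exe"},
    HKCU_RUN: {"winshost.exe": r"C:\WINDOWS\system32\winshost.exe"},
    HKCU_FIRSTRUN: {"FirstRunRR": 1},
}

if __name__ == "__main__":
    result = triage(INFECTED, BASELINE)
    print("suspicious:", result.suspicious)
    for hit in result.autorun_hits:
        print("autorun:", hit)
    for gone in result.missing_security_entries:
        print("security autorun missing:", gone)
```

A clean baseline compared with itself yields no findings, while the infected snapshot reports both winshost.exe autoruns, the three missing security-product entries and the FirstRunRR marker. The baseline comparison matters because an absent ccApp value means nothing on a host that never ran Symantec software.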
Email
It does not have its own spreading routine, but it was spammed out via email. The characteristics of these emails are described below:
Attachment:
The filename of the attachment is one of the following:
• new__price.zip
• new_price.zip
• newprice.zip
• price2.zip
• 09_price.zip
• price_09.zip
Hosts
The hosts file is modified as explained:
– In this case existing entries are deleted.
The modified hosts file will look like this:
Process termination
List of processes that are terminated:
• NUPGRADE.EXE; MCUPDATE.EXE; ATUPDATER.EXE; AUPDATE.EXE; AUTOTRACE.EXE;
AUTOUPDATE.EXE; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE;
AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE;
ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; UPGRADER.EXE; AVXQUAR.EXE;
AVWUPD32.EXE; AVPUPD.EXE; CFIAUDIT.EXE; UPDATE.EXE
List of services that are disabled:
• wuauserv (Windows Automatic Updates); SharedAccess (Windows
Firewall/Internet Connection Sharing); Alerter; PAVSRV; PAVFNSVR;
PSIMSVC; Pavkre; PavProt; PREVSRV; PavPrSrv; SharedAccess; NPFMntor;
Outpost; Firewall; SAVScan; SBService; Symantec Core LC; ccEvtMgr;
SNDSrvc; ccPwdSvc; ccSetMgr.exe; SPBBCSvc; KLBLMain; avg7alrt;
avg7updsvc; vsmon; CAISafe; avpcc; fsbwsys; backweb client - 4476822;
fsdfwd; F-Secure Gatekeeper Handler Starter; FSMA; KAVMonitorService;
navapsvc; NProtectService; Norton Antivirus Server; VexiraAntivirus;
dvpinit; dvpapi; schscnt; BackWeb Client - 7681197; F-Secure;
Gatekeeper Handler Starter; FSMA; AVPCC; KAVMonitorService; Norman;
NJeeves; NVCScheduler; nvcoas; Norman ZANDA; PASSRV; SweepNet;
SWEEPSRV.SYS; NOD32ControlCenter; NOD32Service; PCCPFW; Tmntsrv;
AvxIni; XCOMM; ravmon8; SmcService; BlackICE; PersFW; McAfee Firewall;
OutpostFirewall; NWService; NISUM; NISSERV; vsmon; wclnth; nwclntg;
nwclnte; nwclntf; nwclntd; nwclntc; navapsvc; SAVScan; kavsvc;
DefWatch; Symantec AntiVirus Client; NSCTOP; Symantec Core LC;
SAVScan; SAVFMSE; ccEvtMgr; navapsvc; ccSetMgr; VisNetic AntiVirus;
Plug-in; McShield; AlertManger; McAfeeFramework; AVExch32Service;
AVUPDService; McTaskManager; Network Associates Log Service; Outbreak;
Manager; MCVSRte; mcupdmgr.exe; AvgServ; AvgCore; AvgFsh; awhost32;
Ahnlab task Scheduler; MonSvcNT; V3MonNT; V3MonSvc; FSDFWD
Injection
– It injects the following file into a process:
• %SYSDIR%\wiwshost.exe
Process name:
• %WINDIR%\explorer.exe
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer. See a brief description here.
Description inserted by Catalin Jora on Thu, 22 Sep 2005 11:04 (GMT+1)
Description updated by Catalin Jora on Mon, 26 Sep 2005 12:11 (GMT+1)
© 2008 Avira GmbH