Alias: -
Type: Trojan
Size: 34,304 bytes (PE 1.0 packed)
Origin:
Date: 03-01-2005
Damage:
VDF Version: 6.29.00.157
Danger: Low
Distribution: Low
General Description
Affected platforms:
Windows 98
Windows ME
Windows NT
Windows 2000
Windows XP
Windows 2003 Server
Symptoms
Once executed, the virus tries to stop some processes that belong to a number of antivirus programs. It stops any process that has one of the following executable file names:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE
It also stops programs whose title bar contains one of the following substrings:
Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVPCC
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
DefWatch
dvpapi
dvpinit
fsbwsys
fsdfwd
FSDFWD
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
SharedAccess
sharedaccess
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM
Technical Details
This trojan arrives as an attachment to the e-mails sent by WORM/Bagle.BB or WORM/Bagle.BC.
When executed, the virus copies itself to <%sysdir%>\winhost.exe and drops <%sysdir%>\wiwhost.exe, which stays memory resident.
The <%sysdir%>\drivers\etc\hosts file gets modified, so the user is no longer able to connect to some antivirus vendors' web/ftp sites.
It also tries to prevent some antivirus programs from starting the next time the system restarts, by deleting the following registry entries:
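As an added example (not part of the Avira description), the following Python script flags hosts-file entries of the kind this tampering produces. It assumes the trojan maps vendor hostnames to loopback or null addresses, which the page does not spell out; the sample hosts file and the vendor-name list are constructed for illustration.

```python
"""Flag hosts-file entries that pin security-vendor hosts to dead addresses."""
from typing import List, Tuple

# Constructed sample hosts file (assumption: the trojan sinkholes vendor
# hostnames; the exact entries it writes are not given in the description).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com        # added by malware
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         update.mcafee.com
127.0.0.1       downloads1.kaspersky-labs.com
192.168.1.10    fileserver.corp.example
"""

# Addresses that silently swallow a connection when a real host is mapped to them.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that may legitimately point at loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Illustrative vendor-name fragments (assumption; extend for your environment).
VENDOR_MARKERS = ("symantec", "mcafee", "kaspersky", "avira", "avg.",
                  "pandasoftware", "zonelabs", "agnitum")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring blank lines and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def find_hijacked_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, reason) for entries that look like update blocking."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE_IPS and name not in LOOPBACK_OK:
            findings.append((ip, name, "non-local name mapped to a sinkhole address"))
        elif any(marker in name for marker in VENDOR_MARKERS):
            findings.append((ip, name, "security vendor host pinned to a fixed address"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{ip:<15} {name:<40} {reason}")
```

On a live Windows system, point the parser at %SystemRoot%\System32\drivers\etc\hosts instead of the constructed sample.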
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Zone Lab
Moreover, it tries to download another piece of malware by making HTTP requests to a list of hard-coded URLs:
and saves the downloaded file to <%windir%>\__re_file.exe.
Description inserted by Crony Walker on Tuesday, 15 June 2004