Alias:Email-Worm.Win32.Bagle.*, W32/Bagle.dll.dr, Trojan.Tooso.F, TROJ_BAGLE.B*, Troj/BagleDl, Win32.Bagle.B*@mm
Type:Worm 
Size:~37 Kbytes 
Origin: 
Date:04-21-2005 
Damage: 
VDF Version:6.30.0.123 
Danger:Low 
Distribution:Medium 

General Description
Damage routine:
- terminates antivirus- and security software
- downloads other trojan components
- deletes values from the Windows Registry

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Technical Details
Attention:
This description of TR/Dldr.Bagle is based on the many Bagle versions in circulation; individual versions may differ slightly in their infection and damage routines.

If TR/Dldr.Bagle is executed, it opens the editor and displays the following text:
http://www.antivir.de/uploads/RTEmagicC_trbagleb.gif.gif

and creates the following files in the Windows system directory:
- <%Sysdir%>\WIWSHOST.EXE (filesize: 18.944 Bytes)
- <%Sysdir%>\WINSHOST.EXE (filesize: ~ 9.728 Bytes)

The trojan adds two entries to the Windows Registry:

[HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "<%Sysdir%>\winshost.exe"

[HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "<%Sysdir%>\winshost.exe"
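The two Run entries above are the persistence indicator for this family. The following checker is an added example (not part of the Avira description) that reads a `.reg` export of the HKCU and HKLM Run keys and flags any value whose command launches one of the dropped file names; the sample export, the benign filler entries and the `C:\WINDOWS\system32` path are constructed for the example.

```python
"""Added example: flag Run-key autostart entries that launch the files
TR/Dldr.Bagle drops, working from a `reg export` text (constructed sample)."""
import re

# Constructed sample of a .reg export of both Run keys. The winshost.exe
# value is the one the description attributes to the trojan; the other two
# values are benign filler so the matcher has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"""

# File names the description attributes to the trojan (from the page).
BAGLE_DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}

# Matches the section header of a Run key, e.g. [HKEY_..\Windows\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run)\]$", re.I)
# Matches a REG_SZ value line: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_run_keys(reg_text):
    """Return {key_path: {value_name: data}} for every Run key in a .reg export."""
    keys = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        v = VALUE_RE.match(line)
        if v:
            # .reg exports escape backslashes and quotes; undo that for the data.
            data = v.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][v.group("name")] = data
    return keys


def find_bagle_autostarts(reg_text):
    """Return (key, value_name, data) for each value whose executable is a dropped file.

    The executable is taken as the last path component before any arguments,
    compared case-insensitively.
    """
    hits = []
    for key, values in parse_run_keys(reg_text).items():
        for name, data in values.items():
            exe = data.split("\\")[-1].split(" ")[0].lower()
            if exe in BAGLE_DROPPED_FILES:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_bagle_autostarts(SAMPLE_REG_EXPORT):
        print(f"suspicious autostart: [{key}] {name!r} -> {data}")
```

On a live machine the same function can be fed the output of `reg export` for each of the two keys; the check deliberately matches on the launched file name rather than the value name, since the value name can vary between samples while the dropped file is what persists.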

The file WIWSHOST.EXE is actually a downloader. It can also prevent antivirus and security software from running.
It modifies the Windows "HOSTS" file so that the web sites of various software vendors are blocked and can no longer be reached:

ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
ftp://ftp.kasperskylab.ru/updates/
ftp://ftp.avp.ch/updates/
http://www.kaspersky.ru/updates/
http://updates1.kaspersky-labs.com/updates/
http://updates3.kaspersky-labs.com/updates/
http://updates4.kaspersky-labs.com/updates/
http://updates2.kaspersky-labs.com/updates/
http://updates5.kaspersky-labs.com/updates/
http://downloads1.kaspersky-labs.com/updates/
http://www.kaspersky-labs.com/updates/
ftp://updates3.kaspersky-labs.com/updates/
ftp://downloads1.kaspersky-labs.com/updates/
www3.ca.com
ids.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
download.mcafee.com
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
www.grisoft.com
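Because the HOSTS file is consulted before DNS, a remap of a vendor's update host to 127.0.0.1 silently breaks signature updates. The following parser is an added example (not from the Avira description) that reads a HOSTS file, skips comments, and reports every active mapping of a watch-listed vendor hostname; the watch list is a subset of the hostnames above and the sample HOSTS content (including the `intranet.example` entry) is constructed for the example.

```python
"""Added example: find security-vendor hostnames that a HOSTS file remaps,
the blocking technique the description attributes to TR/Dldr.Bagle."""

# Subset of the hostnames from the description; extend from the full list.
BLOCKED_BY_BAGLE = {
    "avp.com", "www.avp.com", "f-secure.com", "www.f-secure.com",
    "liveupdate.symantec.com", "update.symantec.com", "symantec.com",
    "download.mcafee.com", "mcafee.com", "sophos.com", "www.sophos.com",
    "windowsupdate.microsoft.com", "www.kaspersky.com", "www.trendmicro.com",
}

# Constructed sample HOSTS file: stock header, one legitimate entry, and the
# kind of loopback remaps the trojan appends. One line is commented out to
# show that inactive entries are not reported.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        intranet.example   # constructed, legitimate
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com   mcafee.com
127.0.0.1       windowsupdate.microsoft.com
# 127.0.0.1     sophos.com   (commented out, so not active)
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments and blanks are skipped.

    A HOSTS line is "<ip> <name> [<name> ...]", optionally followed by a
    '#' comment, so one line can yield several pairs.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_hijacked_vendor_hosts(text, watchlist=BLOCKED_BY_BAGLE):
    """Return sorted (hostname, ip) pairs where a watch-listed vendor host is remapped.

    Any watch-listed name that resolves through HOSTS is reported, whether it
    points at loopback (blocking) or at some other address (redirection).
    """
    hits = set()
    for ip, name in parse_hosts(text):
        if name in watchlist:
            hits.add((name, ip))
    return sorted(hits)


if __name__ == "__main__":
    for name, ip in find_hijacked_vendor_hosts(SAMPLE_HOSTS):
        print(f"vendor host remapped: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a vendor you do not deliberately block is worth treating as an indicator, and removing the line restores updates once the dropped executables have been cleaned up.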

The trojan is also able to terminate a range of antivirus and security software processes. To do this, it terminates every active process whose name contains one of the following strings:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in

The trojan is also able to stop various system services. If the following entries exist, TR/Dldr.Bagle deletes them from the Windows Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Symantec NetDriver Monitor"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"ccApp"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"NAV CfgWiz"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"SSC_UserPrompt"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"McAfee Guardian"=

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"McAfee.InstantUpdate.Monitor"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"APVXDWIN"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"KAV50"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"avg7_cc"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"avg7_emc"=

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Zone Labs Client"=

[HKLM\SOFTWARE\Symantec\]
%%

[HKLM\SOFTWARE\McAfee\]
%%

[HKLM\SOFTWARE\KasperskyLab\]
%%

[HKLM\SOFTWARE\Agnitum\]
%%

[HKLM\SOFTWARE\Panda Software\]
%%

[HKLM\SOFTWARE\Zone Labs\]

The trojan contains a list of URLs from which it can download further components and store them in the Windows directory under varying names. The list of URLs differs from one version to another.
Description inserted by Crony Walker on Tuesday, 15 June 2004
