From: Sophos Alert System

Name: Troj/BagleDl-R
Aliases: Email-Worm.Win32.Bagle.bq
Type: Trojan
Date: 27 June 2005

Sophos has issued protection for Troj/BagleDl-R. Sophos has received many reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Note: The IDE issued for Troj/BagleDl-R at 27 June 2005 01:20:03 (GMT) has now been updated to enhance detection.

Information about Troj/BagleDl-R can be found at:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

Troj/BagleDl-R is a downloader Trojan which will download, install and run new software without notifying the user that it is doing so.

Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related applications

When first run, Troj/BagleDl-R copies itself to <System>\winshost.exe and creates the file <System>\wiwshost.exe. The file <System>\wiwshost.exe is also detected by Sophos as Troj/BagleDl-R.

The following registry entries are created to run winshost.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  winshost.exe = <System>\winshost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  winshost.exe = <System>\winshost.exe

Registry entries are set as follows:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
  Start = 00000004

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 00000004

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  Start = 00000004

(A Start value of 4 is SERVICE_DISABLED: these changes prevent the Alerter service, the Windows Firewall/Internet Connection Sharing service (SharedAccess) and Automatic Updates (wuauserv) from starting.)

Troj/BagleDl-R creates a new version of the HOSTS file. The new HOSTS file will typically contain the following:

127.0.0.1 localhost

Troj/BagleDl-R also attempts to modify or delete the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Symantec NetDriver Monitor
  ccApp
  NAV CfgWiz
  SSC_UserPrompt
  McAfee Guardian
  APVXDWIN
  KAV50
  avg7_cc
  avg7_emc
  Zone Labs Client

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  McAfee.InstantUpdate.Monitor

HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs

Troj/BagleDl-R then attempts to download files from remote websites and run them.

Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate itself.

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for Troj/BagleDl-R from:
http://www.sophos.com/downloads/ide/bagdl-r.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
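The registry and HOSTS indicators in the alert above lend themselves to an offline triage check. The following is an added example and is not Sophos code or part of the original alert: it parses the text of a `reg export` dump (taken from the suspect host, or from a known-good host of the same build for comparison), reports the winshost.exe Run entries and the three services forced to Start=4, compares the advisory's security-product Run values and vendor keys against a baseline export so that products that were never installed are not flagged, and checks whether HOSTS has been cut down to a bare localhost line. The .reg text and HOSTS content embedded below are constructed sample data, not captures from an infected machine.

```python
"""Offline triage for the Troj/BagleDl-R registry and HOSTS indicators.

Added example (not Sophos code). Input is the text of a `reg export` dump plus
the HOSTS file contents. All sample data at the bottom is constructed.
"""
import re

# Indicators transcribed from the Sophos alert.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
TARGET_SERVICES = ("Alerter", "SharedAccess", "wuauserv")
SERVICE_DISABLED = 4  # Start=4: the service is never started
# (index into RUN_KEYS, value name) for the Run values the Trojan removes
SECURITY_RUN_VALUES = (
    (0, "Symantec NetDriver Monitor"), (0, "ccApp"), (0, "NAV CfgWiz"),
    (0, "SSC_UserPrompt"), (0, "McAfee Guardian"),
    (1, "McAfee.InstantUpdate.Monitor"), (0, "APVXDWIN"), (0, "KAV50"),
    (0, "avg7_cc"), (0, "avg7_emc"), (0, "Zone Labs Client"),
)
VENDOR_KEYS = tuple("HKEY_LOCAL_MACHINE\\SOFTWARE\\" + v for v in (
    "Symantec", "McAfee", "KasperskyLab", "Agnitum", "Panda Software", "Zone Labs"))

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}.

    REG_SZ data is unescaped to str, REG_DWORD to int; other types stay raw.
    Key paths are lowercased because the registry is case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            data = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            data = raw
        keys[current][name] = data
    return keys


def triage(keys):
    """Positive indicators from a parsed export: winshost.exe autoruns and
    advisory-listed services forced to SERVICE_DISABLED."""
    findings = {"persistence": [], "disabled_services": []}
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            # match on the value name or on the data pointing at winshost.exe
            if "winshost.exe" in (name + " " + str(data)).lower():
                findings["persistence"].append(f"{key} :: {name} = {data}")
    for svc in TARGET_SERVICES:
        start = keys.get(f"{SERVICES_KEY}\\{svc}".lower(), {}).get("Start")
        if start == SERVICE_DISABLED:
            findings["disabled_services"].append(svc)
    return findings


def removed_security_entries(baseline, suspect):
    """Advisory-listed Run values and vendor keys that exist in a known-good
    export but are gone from the suspect one. Absence alone proves nothing
    (the product may never have been installed), hence the baseline."""
    removed = []
    for idx, name in SECURITY_RUN_VALUES:
        key = RUN_KEYS[idx].lower()
        if name in baseline.get(key, {}) and name not in suspect.get(key, {}):
            removed.append(f"{RUN_KEYS[idx]} :: {name}")
    for key in VENDOR_KEYS:
        if key.lower() in baseline and key.lower() not in suspect:
            removed.append(key)
    return removed


def hosts_reduced_to_localhost(hosts_text):
    """True when HOSTS holds nothing but '127.0.0.1 localhost': no comment
    header, no other entries. Weak on its own (an admin may have trimmed the
    file), so use it only to corroborate the registry findings."""
    entries = [l.split() for l in hosts_text.splitlines() if l.strip()]
    if not entries or any(e[0].startswith("#") for e in entries):
        return False
    return all(e == ["127.0.0.1", "localhost"] for e in entries)


# Constructed sample exports (not real captures).
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    suspect, baseline = parse_reg_export(SUSPECT_REG), parse_reg_export(BASELINE_REG)
    print(triage(suspect))
    print(removed_security_entries(baseline, suspect))
    print(hosts_reduced_to_localhost("127.0.0.1       localhost\n"))
```

On a live system the same dump is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other keys); the baseline should come from a clean machine of the same build, since the list of security-product Run values is only meaningful relative to what was actually installed.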