[virusinfo] Troj/BagleDl-R

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 27 Jun 2005 14:06:32 -0700

From: Sophos Alert System:

Name: Troj/BagleDl-R
Aliases: Email-Worm.Win32.Bagle.bq
Type: Trojan
Date: 27 June 2005

Sophos has issued protection for Troj/BagleDl-R.

Sophos has received many reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Note: The IDE issued for Troj/BagleDl-R at 27 June 2005 01:20:03
(GMT) has now been updated to enhance detection.

Information about Troj/BagleDl-R can be found at:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

Troj/BagleDl-R is a downloader Trojan which will download, install and run new
software without notification that it is doing so.

Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related
  applications

When first run Troj/BagleDl-R copies itself to <System>\winshost.exe and
creates the file <System>\wiwshost.exe. The file <System>\wiwshost.exe is also
detected by Sophos as Troj/BagleDl-R.

The following registry entries are created to run winshost.exe on startup
(key, then value name = value data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  winshost.exe = <System>\winshost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  winshost.exe = <System>\winshost.exe

The Start value of the following services is set to 4 (SERVICE_DISABLED), which
stops the Alerter service, Windows Firewall/Internet Connection Sharing
(SharedAccess) and Automatic Updates (wuauserv) from starting:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
  Start = 00000004
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 00000004
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  Start = 00000004

Troj/BagleDl-R creates a new version of the HOSTS file, replacing the existing
one. The new HOSTS file will typically contain only the following:

127.0.0.1 localhost

Troj/BagleDl-R also attempts to modify or delete the following registry
entries, so that the corresponding security products no longer start:

Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
  Symantec NetDriver Monitor
  ccApp
  NAV CfgWiz
  SSC_UserPrompt
  McAfee Guardian
  APVXDWIN
  KAV50
  avg7_cc
  avg7_emc
  Zone Labs Client

Value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
  McAfee.InstantUpdate.Monitor

Keys:
  HKLM\SOFTWARE\Symantec
  HKLM\SOFTWARE\McAfee
  HKLM\SOFTWARE\KasperskyLab
  HKLM\SOFTWARE\Agnitum
  HKLM\SOFTWARE\Panda Software
  HKLM\SOFTWARE\Zone Labs

Troj/BagleDl-R then attempts to download files from remote websites and run
them.

Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate itself.

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for Troj/BagleDl-R from:

http://www.sophos.com/downloads/ide/bagdl-r.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
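The alert above lists file, Run-key, service and HOSTS indicators but no way to check a suspect machine for them. The script below is an added triage example, not part of the Sophos alert or of Mike's post: it parses a text dump produced by `reg export` plus a copy of the HOSTS file, so it runs offline on an analyst workstation and never touches the suspect host's live registry. The key and value names are the ones from the alert; the expanded paths, the sample .reg and HOSTS contents, and the HIGH/MEDIUM/LOW severities are my own constructions.

```python
"""Offline triage for the Troj/BagleDl-R indicators in the Sophos alert.

Added example, not Sophos or list-owner code. Input is a `reg export` text
dump and the text of the HOSTS file; sample inputs below are constructed.
"""
import re

# Indicators as listed in the alert.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DISABLED_SERVICES = ("Alerter", "SharedAccess", "wuauserv")  # Start=4 is SERVICE_DISABLED
DROPPED_FILES = ("winshost.exe", "wiwshost.exe")
AV_RUN_VALUES = ("Symantec NetDriver Monitor", "ccApp", "NAV CfgWiz", "SSC_UserPrompt",
                 "McAfee Guardian", "McAfee.InstantUpdate.Monitor", "APVXDWIN", "KAV50",
                 "avg7_cc", "avg7_emc", "Zone Labs Client")
AV_VENDOR_KEYS = tuple(r"HKEY_LOCAL_MACHINE\SOFTWARE\%s" % v for v in
                       ("Symantec", "McAfee", "KasperskyLab", "Agnitum", "Panda Software", "Zone Labs"))

_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<at>@))=(?P<data>.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers, "name"="string" and
    "name"=dword:hex. Keys and value names are lower-cased because the registry
    is case-insensitive; other data types are kept as raw text."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group("at") else _unescape(m.group("name"))
        data = m.group("data")
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = _unescape(data[1:-1])
        else:
            value = data
        reg[key][name.lower()] = value
    return reg


def check_bagledl_r(reg, hosts_text):
    """Return findings as 'SEVERITY: detail' strings; an empty list means clean."""
    findings = []
    for key in RUN_KEYS:  # persistence via the dropped files
        for name, data in reg.get(key.lower(), {}).items():
            if name in DROPPED_FILES or (isinstance(data, str) and data.lower().endswith(DROPPED_FILES)):
                findings.append(f"HIGH: {key}\\{name} = {data}")
    for svc in DISABLED_SERVICES:  # Alerter, Firewall/ICS and Automatic Updates disabled
        if reg.get(f"{SERVICES_KEY}\\{svc}".lower(), {}).get("start") == 4:
            findings.append(f"MEDIUM: service {svc} Start=4 (disabled)")
    # The rewritten HOSTS is a bare localhost line, which is also what a pristine
    # file holds once comments are stripped; only the missing Microsoft comment
    # header distinguishes them, so this is weak evidence on its own.
    lines = [l.strip() for l in hosts_text.splitlines() if l.strip()]
    entries = [l.split() for l in lines if not l.startswith("#")]
    if len(lines) == len(entries) and entries == [["127.0.0.1", "localhost"]]:
        findings.append("LOW: HOSTS reduced to a single localhost line with no comment header")
    # Missing vendor Run values/keys mean nothing on a host that never had those
    # products, so report their absence only alongside a stronger indicator.
    if findings:
        run_values = {n for k in RUN_KEYS for n in reg.get(k.lower(), {})}
        if not any(v.lower() in run_values for v in AV_RUN_VALUES) and \
           not any(k.lower() in reg for k in AV_VENDOR_KEYS):
            findings.append("LOW: no security-vendor Run values or HKLM\\SOFTWARE vendor keys remain")
    return findings


def triage(reg_text, hosts_text):
    return check_bagledl_r(parse_reg_export(reg_text), hosts_text)


# Constructed samples; C:\WINDOWS\system32 stands in for <System>.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""
INFECTED_HOSTS = "127.0.0.1 localhost\n"

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""
CLEAN_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n#\n127.0.0.1       localhost\n"

if __name__ == "__main__":
    for label, reg, hosts in (("infected", INFECTED_REG, INFECTED_HOSTS),
                              ("clean", CLEAN_REG, CLEAN_HOSTS)):
        print(label, triage(reg, hosts) or ["no indicators"])
```

`reg export` writes its .reg file as UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. Treat the findings as a prompt for a full scan, not a verdict: an administrator or hardening guide may have disabled Alerter legitimately, and a HOSTS file with only a localhost line is what many cleanup tools leave behind, which is why those two are rated LOW/MEDIUM and the dropped-file Run entries HIGH.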