[virusinfo] Troj/BagleDl-M

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Fri, 04 Mar 2005 12:34:21 -0800

From; Sophos Alert System:

Name: Troj/BagleDl-M
Type: Trojan
Date: 4 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

Sophos has received several reports of this Trojan from the
wild.


Information about Troj/BagleDl-M can be found at:
http://www.sophos.com/virusinfo/analyses/trojbagledlm.html

Troj/BagleDl-M is a Trojan for the Windows platform. 
The Trojan copies itself to the Windows system folder as winshost.exe and 
creates the following registry entries in order to run each time a user logs 
on: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe 
The Trojan also drops a file to the Windows system folder as wiwshost.exe. 
Troj/BagleDl-M may alter registry values under the following: 
HKLM\Software\Microsoft\DownloadManager
<various entries> 
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
dword:00000004 (disabled) 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000004 (disabled) 
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
dword:00000004 (disabled) 
Troj/BagleDl-M attempts to disable other applications by removing the following 
registry values: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
APVXDWIN 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KAV50 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_cc 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_emc 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client 
HKLM\Software\Symantec 
HKLM\Software\McAfee 
HKLM\Software\KasperskyLab 
HKLM\Software\Agnitum 
HKLM\Software\Panda Software 
HKLM\Software\Zone Labs 
Troj/BagleDl-M searches for the following files and renames them to similar 
names in an attempt to avoid them being run by other processes: 
AUPDATE.EXE
av.dll
Avconsol.exe
avgcc.exe
avgemc.exe
Avsynmgr.exe
cafix.exe
ccApp.exe
CCEVTMGR.EXE
ccl30.dll
CCSETMGR.EXE
ccvrtrst.dll
CMGrdian.exe
isafe.exe
KAV.exe
kavmm.exe
LUALL.EXE
LUINSDLL.DLL
Luupdate.exe
Mcshield.exe
NAVAPSVC.EXE
NPFMNTOR.EXE
outpost.exe
RuLaunch.exe
SNDSrvc.exe
SPBBCSvc.exe
symlcsvc.exe
Up2Date.exe
vetredir.dll
Vshwin32.exe
VsStat.exe
vsvault.dll
zatutor.exe
zlavscan.dll
zlclient.exe
zonealarm.exe 
For example, if the Trojan finds a file named zonealarm.exe it renames the file 
to zo3nealarm.exe. 
Troj/BagleDl-M writes the following data to the HOSTS file (typically located 
in <Windows system folder>\drivers\etc\) in an attempt to restrict access to 
several URLs: 
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 engine.awaps.net
127.0.0.1 f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 fastclick.net
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 ftp://downloads1.kaspersky-labs.com/updates/
127.0.0.1 ftp://ftp.avp.ch/updates/
127.0.0.1 ftp://ftp.kasperskylab.ru/updates/
127.0.0.1 ftp://updates3.kaspersky-labs.com/updates/
127.0.0.1 go.microsoft.com
127.0.0.1 http://downloads1.kaspersky-labs.com/updates/
127.0.0.1 http://updates1.kaspersky-labs.com/updates/
127.0.0.1 http://updates2.kaspersky-labs.com/updates/
127.0.0.1 http://updates3.kaspersky-labs.com/updates/
127.0.0.1 http://updates4.kaspersky-labs.com/updates/
127.0.0.1 http://updates5.kaspersky-labs.com/updates/
127.0.0.1 http://www.kaspersky-labs.com/updates/
127.0.0.1 http://www.kaspersky.ru/updates/
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 localhost
127.0.0.1 mast.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com

Download the IDE file from:
http://www.sophos.com/downloads/ide/bagledlm.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Troj/BagleDl-M

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---