From: Sophos Alert System
Name: Troj/BagleDl-M
Type: Trojan
Date: 4 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Sophos has received several reports of this Trojan from the wild.

Information about Troj/BagleDl-M can be found at:
http://www.sophos.com/virusinfo/analyses/trojbagledlm.html

Troj/BagleDl-M is a Trojan for the Windows platform.

The Trojan copies itself to the Windows system folder as winshost.exe and creates the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe

The Trojan also drops a file to the Windows system folder as wiwshost.exe.
Troj/BagleDl-M may alter registry values under the following:

HKLM\Software\Microsoft\DownloadManager
<various entries>

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
dword:00000004 (disabled)

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000004 (disabled)

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
dword:00000004 (disabled)

Troj/BagleDl-M attempts to disable other applications by removing the following registry values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
APVXDWIN

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KAV50

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_cc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_emc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client

HKLM\Software\Symantec
HKLM\Software\McAfee
HKLM\Software\KasperskyLab
HKLM\Software\Agnitum
HKLM\Software\Panda Software
HKLM\Software\Zone Labs

Troj/BagleDl-M searches for the following files and renames them to similar names in an attempt to avoid them being run by other processes:

AUPDATE.EXE
av.dll
Avconsol.exe
avgcc.exe
avgemc.exe
Avsynmgr.exe
cafix.exe
ccApp.exe
CCEVTMGR.EXE
ccl30.dll
CCSETMGR.EXE
ccvrtrst.dll
CMGrdian.exe
isafe.exe
KAV.exe
kavmm.exe
LUALL.EXE
LUINSDLL.DLL
Luupdate.exe
Mcshield.exe
NAVAPSVC.EXE
NPFMNTOR.EXE
outpost.exe
RuLaunch.exe
SNDSrvc.exe
SPBBCSvc.exe
symlcsvc.exe
Up2Date.exe
vetredir.dll
Vshwin32.exe
VsStat.exe
vsvault.dll
zatutor.exe
zlavscan.dll
zlclient.exe
zonealarm.exe

For example, if the Trojan finds a file named zonealarm.exe it renames the file to zo3nealarm.exe.
Troj/BagleDl-M writes data to the HOSTS file (typically located in <Windows system folder>\drivers\etc\) in an attempt to restrict access to several URLs.

Download the IDE file from:
http://www.sophos.com/downloads/ide/bagledlm.ide

Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
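As an added, defender-side example (not part of the Sophos alert or of Mike's message), the following Python triage script checks exported artifacts for the indicators the alert describes: the winshost.exe / wiwshost.exe Run-key persistence, the three services set to Start=4, and HOSTS entries that map vendor or update domains to 127.0.0.1. The .reg text and HOSTS lines at the bottom are constructed samples, and the vendor-domain list is only a subset of the alert's full HOSTS list.

```python
# Indicators from the alert above, in the lower-case form used by 'reg export'.
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
DROPPED_FILES = ("winshost.exe", "wiwshost.exe")
DISABLED_SERVICES = {"alerter", "sharedaccess", "wuauserv"}
# A subset of the vendor/update domains the Trojan points at 127.0.0.1.
VENDOR_DOMAINS = ("sophos.com", "symantec.com", "mcafee.com", "kaspersky-labs.com",
                  "f-secure.com", "trendmicro.com", "windowsupdate.microsoft.com")

def scan_reg_export(reg_text):
    """Flag Run-key values naming the dropped binaries and services set to Start=4."""
    findings, key = [], ""
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # key path that the following values belong to
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip('"'), value.strip()
        if key in RUN_KEYS and any(f in value.lower() for f in DROPPED_FILES):
            findings.append(f"persistence: {key}\\{name} -> {value}")
        service = key.rsplit("\\", 1)[-1]
        if (service in DISABLED_SERVICES and name.lower() == "start"
                and value.lower().startswith("dword:")
                and int(value.split(":", 1)[1], 16) == 4):
            findings.append(f"service disabled: {service}")
    return findings

def scan_hosts(hosts_text):
    """Return vendor/update hosts mapped to loopback; URL-style entries (as in the
    alert's list) are reduced to a bare hostname before matching."""
    hijacked = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "::1"):
            continue
        for entry in fields[1:]:
            host = entry.lower().split("://")[-1].split("/", 1)[0]
            if host != "localhost" and any(
                    host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                hijacked.append(host)
    return hijacked

# Constructed sample artifacts (not captured from a real infection).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 liveupdate.symantec.com\n127.0.0.1 http://updates1.kaspersky-labs.com/updates/"
```

On a live machine the same functions can be fed the output of `reg export` for the Run and Services keys and the contents of the HOSTS file from the path the alert gives.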