[virusinfo] W32/Bagle.dldr

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 02 Mar 2005 15:22:59 -0800


From: McAfee Dispatch

VIRUS ADVISORY: W32/Bagle.dldr - Medium Risk 
------------------------------------------------------------ 
Current VirusScan users with DAT 4437 are protected from 
this threat. Learn more about W32/Bagle.dldr here: 
http://us.mcafee.com/root/campaign.asp?cid=13783 

FreeScan checks for W32/Bagle.dldr. 
Scan now: 
http://us.mcafee.com/root/campaign.asp?cid=13782 
========================================== 

What is it? 
 
Mass-spammed over the past 24 hours, W32/Bagle.dldr is 
a Medium Risk Trojan downloader that tries to: 

1) Open a communication port on your computer
2) Download a .jpg picture file from various sites
3) Terminate security services like anti-virus updating

Unlike earlier variants, W32/Bagle.dldr does not appear 
to mass-mail itself to stolen email contacts. 

Note: To fortify your anti-virus defense against threats 
like W32/Bagle.dldr that need Internet access to spread, 
we recommend installing McAfee Personal Firewall Plus: 

http://us.mcafee.com/root/campaign.asp?cid=11276 

How do I know if I've been infected? 

W32/Bagle.dldr copies itself to the Windows\System32 directory 
as winshost.exe, which VirusScan detects as W32/Bagle.dll.gen. 

How do I find out more? 

View details about W32/Bagle.dldr here. 

http://us.mcafee.com/root/campaign.asp?cid=13783

Virus Characteristics
-- Update 1st March, 2005 --

Due to increased prevalence, the risk assessment of this threat has been raised 
to MEDIUM. 
The specified DAT files will be released early to address this threat.

New variants of this Bagle downloader have been mass-spammed in the last 12 
hours. 
These variants are not known at present to be dropped by any mass-mailing Bagle 
variants, and these variants do not mass-mail themselves.

This variant copies itself to %WinDir%\system32 as WINSHOST.EXE (34,304
bytes) and adds the following registry hooks:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe

It drops a file wiwshost.exe (18,944 bytes), which is detected by 4333 DATs and
above as W32/Bagle.dll.gen.
This file gets injected into the EXPLORER process and tries to download a file
zo2.jpg from various sites (refer to Symptoms).
It also terminates security services like its predecessors and in some cases
renames the main security program executable.

Sets to "disable" the following services:

HKLM\System\CurrentControlSet\Services\wuauserv 
HKLM\System\CurrentControlSet\Services\SharedAccess 
HKLM\System\CurrentControlSet\Services\vsmon 
HKLM\System\CurrentControlSet\Services\Alerter 
HKLM\System\CurrentControlSet\Services\wuauserv 
HKLM\System\CurrentControlSet\Services\McShield 
HKLM\System\CurrentControlSet\Services\McAfeeFramework 
HKLM\System\CurrentControlSet\Services\McTaskManager

Attempts to delete the following keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

It also modifies the file %WinDir%\system32\drivers\etc\hosts to prevent the
user and any running software from contacting certain security websites.
The trojanized hosts file is detected as "trojan QHosts" since DAT version
4354.

The trojan disables any configured HTTP proxy.



--------------------------------------------------------------------------------


The last 3 Bagle variants (.bb@MM, .bc@MM, .bd@MM) attempt to download a file
named G.JPG from various sites and to execute it.
In the meantime, some of those sites were hosting an executable file.

When this file gets executed, it copies itself to %WinDir%\system32 as
WINSHOST.EXE (7172 bytes) and drops another file named WIDSHOST.EXE (11264
bytes), which gets injected into the EXPLORER process and tries to download a
ZOO.JPG from various sites.

Proactive detection:
Detection and removal of the dropped file is included since 4335 DATs 
(03/08/04) as W32/Bagle.dll.gen

Indications of Infection
The trojan tries to kill the following processes:

VPUPD.EXE 
CFIAUDIT.EXE 
UPDATE.EXE 
NUPGRADE.EXE 
MCUPDATE.EXE 
ATUPDATER.EXE 
AUPDATE.EXE 
AUTOTRACE.EXE 
AUTOUPDATE.EXE 
FIREWALL.EXE 
ATUPDATER.EXE 
LUALL.EXE 
DRWEBUPW.EXE 
AUTODOWN.EXE 
NUPGRADE.EXE 
OUTPOST.EXE 
ICSSUPPNT.EXE 
ICSUPP95.EXE 
ESCANH95.EXE  

Outgoing TCP connections to port 80 (HTTP) are established, and it tries to
download a file from the following list
(Note: Many Bagle variants attempt to download files from a very large list
of sites; in fact most of the sites listed are actually believed to be decoys
and were never found to be hosting anything malicious):

http://www.amanit.ru/[..]zoo.jpg 
http://www.anthonyflanagan.com/[..]zoo.jpg 
http://www.approved1stmortgage.com/[..]zoo.jpg 
http://www.argument.h12.ru/[..]zoo.jpg 
http://www.arkebek.de/[..]zoo.jpg 
http://www.artek.org/[..]zoo.jpg 
http://www.asianfestival.nl/[..]zoo.jpg 
http://www.astergut.at/[..]zoo.jpg 
http://www.aviation-center.de/[..]zoo.jpg 
http://www.bbsh.org/[..]zoo.jpg 
http://www.besino.com/[..]zoo.jpg 
http://www.bestbuy.de/[..]zoo.jpg 
http://www.beta.mtw.ru/[..]zoo.jpg 
http://www.bga-gsm.ru/[..]zoo.jpg 
http://www.blessino.com/[..]zoo.jpg 
http://www.blueeyeinc.com/[..]zoo.jpg 
http://www.breaklight.be/[..]zoo.jpg 
http://www.brzesko.net.pl/[..]zoo.jpg 
http://www.catsystem.com.kg/[..]zoo.jpg 
http://www.cdnpartner.com.pl/[..]zoo.jpg 
http://www.ceskyhosting.cz/[..]zoo.jpg 
http://www.channeland.com/[..]zoo.jpg 
http://www.compsolutionstore.com/[..]zoo.jpg 
http://www.concept.kg/[..]zoo.jpg 
http://www.corpsite.com/[..]zoo.jpg 
http://www.couponcapital.net/[..]zoo.jpg 
http://www.DarrkSydebaby.com/[..]zoo.jpg 
http://www.dehut-westerhoven.nl/[..]zoo.jpg 
http://www.dhl.kg/[..]zoo.jpg 
http://www.dierollendedisco.de/[..]zoo.jpg 
http://www.discobaradventure.be/[..]zoo.jpg 
http://www.e-nfo.com/[..]zoo.jpg 
http://www.e-power.com.cn/[..]zoo.jpg 
http://www.ecobank.kg/[..]zoo.jpg 
http://www.elenalazar.com/[..]zoo.jpg 
http://www.epicbiz.com/[..]zoo.jpg 
http://www.europa.kg/[..]zoo.jpg 
http://www.everett.wednet.edu/[..]zoo.jpg 
http://www.externet.hu/[..]zoo.jpg 
http://www.forester.kg/[..]zoo.jpg 
http://www.fotocliparts.de/[..]zoo.jpg 
http://www.fotonw.org/[..]zoo.jpg 
http://www.freesites.com.br/[..]zoo.jpg 
http://www.funbunker.de/[..]zoo.jpg 
http://www.funworld.tv/[..]zoo.jpg 
http://www.gameser.com@xxxxxxxxxxxxxxxxx/[..]zoo.jpg 
http://www.gci-bln.de/[..]zoo.jpg 
http://www.gcnet.ru/[..]zoo.jpg 
http://www.giantrevenue.com/[..]zoo.jpg 
http://www.himpsi.org/[..]zoo.jpg 
http://www.i3dvr.com/[..]zoo.jpg 
http://www.ibigmart.net/[..]zoo.jpg 
http://www.idb-group.net/[..]zoo.jpg 
http://www.illusionoflife.net/[..]zoo.jpg 
http://www.infocuspromo.com/[..]zoo.jpg 
http://www.irinaswelt.de/[..]zoo.jpg 
http://www.jansenboiler.com/[..]zoo.jpg 
http://www.jasnet.pl/[..]zoo.jpg 
http://www.jcribeiro.com/[..]zoo.jpg 
http://www.jewelleryamberproducts.com/[..]zoo.jpg 
http://www.jimvann.com/[..]zoo.jpg 
http://www.jldr.ca/[..]zoo.jpg 
http://www.jordanramey.net/[..]zoo.jpg 
http://www.joy-musik-sound.de/[..]zoo.jpg 
http://www.justrepublicans.com/[..]zoo.jpg 
http://www.katel.kg/[..]zoo.jpg 
http://www.knicks.nl/[..]zoo.jpg 
http://www.koebers.pl/[..]zoo.jpg 
http://www.kogaionon.com/[..]zoo.jpg 
http://www.kplus.kg/[..]zoo.jpg 
http://www.kradtraining.de/[..]zoo.jpg 
http://www.kranenberg.de/[..]zoo.jpg 
http://www.kranenberg.de:113547@/[..]zoo.jpg 
http://www.kstrus.com.pl/[..]zoo.jpg 
http://www.ktsonline.de/[..]zoo.jpg 
http://www.lahelaino.com/[..]zoo.jpg 
http://www.lawform.com.au/[..]zoo.jpg 
http://www.leetexgroup.com/[..]zoo.jpg 
http://www.leshrak.de/[..]zoo.jpg 
http://www.leshrak.de:prophets@/[..]zoo.jpg 
http://www.logoseiten.de/[..]zoo.jpg 
http://www.magicbottle.com.tw/[..]zoo.jpg 
http://www.mcuserver.cz/[..]zoo.jpg 
http://www.mega-spass.com/[..]zoo.jpg 
http://www.mega.kg/[..]zoo.jpg 
http://www.mepbisu.de/[..]zoo.jpg 
http://www.mepmh.de/[..]zoo.jpg 
http://www.mtfdesign.com/[..]zoo.jpg 
http://www.mtransit.kg/[..]zoo.jpg 
http://www.neotech.kg/[..]zoo.jpg 
http://www.nikonfotoshare.com/[..]zoo.jpg 
http://www.novosti.kg/[..]zoo.jpg 
http://www.ok.kg/[..]zoo.jpg 
http://www.onepositiveplace.org/[..]zoo.jpg 
http://www.online.kg/[..]zoo.jpg 
http://www.orangesuburban.5u.com/[..]zoo.jpg 
http://www.otv.ch/[..]zoo.jpg 
http://www.pageantpage.com/[..]zoo.jpg 
http://www.pankration.com/[..]zoo.jpg 
http://www.para-agility.com/[..]zoo.jpg 
http://www.pdxracing.net/[..]zoo.jpg 
http://www.pfadfinder-leobersdorf.com/[..]zoo.jpg 
http://www.pipni.cz/[..]zoo.jpg 
http://www.pjwstk.edu.pl/[..]zoo.jpg 
http://www.polizeimotorrad.de/[..]zoo.jpg 
http://www.proway-consulting.com/[..]zoo.jpg 
http://www.pugetsoundyc.org/[..]zoo.jpg 
http://www.pyrlandia-boogie.pl/[..]zoo.jpg 
http://www.qphoto.co.za/[..]zoo.jpg 
http://www.raecoinc.com/[..]zoo.jpg 
http://www.realgps.com/[..]zoo.jpg 
http://www.realty.kg/[..]zoo.jpg 
http://www.redlightpictures.com/[..]zoo.jpg 
http://www.reliance-yachts.com/[..]zoo.jpg 
http://www.relocationflorida.com/[..]zoo.jpg 
http://www.rentalstation.com/[..]zoo.jpg 
http://www.rieraquadros.com.br/[..]zoo.jpg 
http://www.roaming.kg/[..]zoo.jpg 
http://www.sacohalle.be/[..]zoo.jpg 
http://www.scanex-medical.fi/[..]zoo.jpg 
http://www.scoping4success.com/[..]zoo.jpg 
http://www.sert.ru/[..]zoo.jpg 
http://www.sigi.lu/[..]zoo.jpg 
http://www.spadochron.pl/[..]zoo.jpg 
http://www.ssc.kg/[..]zoo.jpg 
http://www.ssmifc.ca/[..]zoo.jpg 
http://www.stadtmeyers.de/[..]zoo.jpg 
http://www.stadtmeyers.de:R2D2c3po@/[..]zoo.jpg 
http://www.sterlingirb.com/[..]zoo.jpg 
http://www.sunassetholdings.com/[..]zoo.jpg 
http://www.szantomierz.art.pl/[..]zoo.jpg 
http://www.szosa.pl/[..]zoo.jpg 
http://www.tambourenvereine.ch/[..]zoo.jpg 
http://www.tarnow.opoka.org.pl/[..]zoo.jpg 
http://www.tc-muraene.com/[..]zoo.jpg 
http://www.tc-muraene.com:hunter@/[..]zoo.jpg 
http://www.theroyalregistry.com/[..]zoo.jpg 
http://www.transportation.gov.bh/[..]zoo.jpg 
http://www.tumar.kg/[..]zoo.jpg 
http://www.tunguska.hu/[..]zoo.jpg 
http://www.turkeyhomes.com/[..]zoo.jpg 
http://www.turkeyhomes.com@/[..]zoo.jpg 
http://www.ulpiano.org/[..]zoo.jpg 
http://www.unicity.pl/[..]zoo.jpg 
http://www.vbw.info/[..]zoo.jpg 
http://www.velezcourtesymanagement.com/[..]zoo.jpg 
http://www.vorrix.com/[..]zoo.jpg 
http://www.webpark.pl/[..]zoo.jpg 
http://www.wecompete.com/[..]zoo.jpg 
http://www.wp.pl/[..]zoo.jpg 
http://www.wwwebad.com/[..]zoo.jpg 
http://www.xpager321.wz.cz/[..]zoo.jpg 
http://www.yamdiamonds.com/[..]zoo.jpg 
http://www.zander-yachting.com/[..]zoo.jpg 

Please feel free to forward this dispatch to any interested 
friends, family and associates. 

Subscribe: If you received this message from a friend and 
would like to subscribe to eSecurity News, virus alerts and 
special offers, go here. 
==> http://dispatch.mcafee.com/us/sub.asp 


View our privacy policy. 
==> http://us.mcafee.com/root/campaign.asp?cid=8207 
 
3965 Freedom Circle, Santa Clara, CA 95054, (408) 992-8599 
© 2005, McAfee, Inc. All Rights Reserved.

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
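The host and network indicators in the forwarded dispatch above (the dropped file names under %WinDir%\system32, the Run-key entries, the services set to "disable", the trojanized hosts file, and the zoo.jpg / zo2.jpg / G.JPG download names) collected into one offline check, written as an added example for this page; it is not McAfee's tooling and not part of the original post. The indicator names come from the advisory; the sample Run-key export, service Start values, hosts-file text and proxy-log lines are constructed for the demonstration. Start = 4 as the Windows value for a disabled service is standard service configuration, and reporting any non-localhost name pinned to loopback in the hosts file is a heuristic assumption, since the dispatch does not list which security sites are blocked.

```python
"""Indicator checks for the W32/Bagle.dldr dispatch (added example, not McAfee code).

Indicator names come from the advisory; every sample value below is constructed.
"""
import ntpath
from urllib.parse import urlsplit

# Files the advisory says are written to %WinDir%\system32.
DROPPED_FILES = {"winshost.exe", "wiwshost.exe", "widshost.exe"}

# Services the advisory says are set to "disable" under HKLM\...\Services.
TARGETED_SERVICES = {"wuauserv", "SharedAccess", "vsmon", "Alerter",
                     "McShield", "McAfeeFramework", "McTaskManager"}
SERVICE_DISABLED = 4  # standard Windows "Start" value for a disabled service

# File names the trojan tries to fetch over HTTP (port 80), per the advisory.
DOWNLOAD_NAMES = {"zoo.jpg", "zo2.jpg", "g.jpg"}


def check_run_keys(run_entries):
    """Return Run-key value names whose command launches a dropped file.

    run_entries maps value name -> command string from a ...\\CurrentVersion\\Run key.
    """
    hits = []
    for name, command in run_entries.items():
        exe = ntpath.basename(command.strip().strip('"')).lower()
        if exe in DROPPED_FILES:
            hits.append(name)
    return hits


def check_services(start_values):
    """Return targeted services whose Start DWORD equals SERVICE_DISABLED."""
    return sorted(svc for svc, start in start_values.items()
                  if svc in TARGETED_SERVICES and start == SERVICE_DISABLED)


def check_hosts(text):
    """Return names a hosts file pins to 127.0.0.1 / 0.0.0.0 other than localhost.

    Heuristic (assumption of this example): the dispatch names no blocked sites.
    """
    sinkholes = {"127.0.0.1", "0.0.0.0"}
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        addr, *names = line.split()
        if addr in sinkholes:
            hits.extend(n for n in names if n.lower() != "localhost")
    return hits


def check_http_log(lines):
    """Return (client, url) for requests whose path ends in a download name.

    Each line is a constructed 'client_ip method url' proxy record.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, _method, url = parts[:3]
        filename = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        if filename in DOWNLOAD_NAMES:
            hits.append((client, url))
    return hits


# ---- constructed sample data (not taken from the advisory) ----
SAMPLE_RUN = {
    "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SERVICES = {"wuauserv": 4, "McShield": 4, "Alerter": 3, "Spooler": 2}
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 update.example-av.test # planted\n"
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.test/images/zoo.jpg",
    "10.0.0.7 GET http://www.example.test/index.html",
    "10.0.0.9 GET http://www.example.test/dl/zo2.jpg?x=1",
]


def run_all():
    """Run every check against the sample data and return the findings."""
    return {
        "run_keys": check_run_keys(SAMPLE_RUN),
        "services": check_services(SAMPLE_SERVICES),
        "hosts": check_hosts(SAMPLE_HOSTS),
        "http": check_http_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for kind, findings in run_all().items():
        print(f"{kind}: {findings}")
```

The filename match is deliberately independent of the host, because the dispatch itself notes that most listed sites are believed to be decoys; a request for one of these names from any host is the signal worth reviewing, and the Run-key and service checks confirm whether the downloader actually ran.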


