My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Bagle.BD - BG @mm

MEDIUM
MEDIUM
~30 K (packed / encrypted)
(Bagle.PAC (kaspersky))

Symptoms

1) Unusually high network traffic
2) Weird behaviour of the windows explorer (crashes)
3) The user cannot access AntiVirus - related web sites
4) Firewall, antivirus and other security programs not being able to execute
5) Presence of the files winshost.exe, wiwshost.exe in the Windows System folder

Removal instructions:

Let BitDefender delete the files it found infected. Delete the specific registry keys from HKLM and HKCU.

Analyzed By

BitDefender Team

Technical Description:

The files come packed with PeX, a popular PE file encryption utility.

PeX-compressed/encrypted files are fairly easy to decrypt / unpack, although PeX makes use of many tricks, like generating exception (after it has previously set up an exception handler), anti-disassembling macros (like jumping in the middle on an instruction) etc.

The Bagle trojan overwrites the hosts file with a 3783-byte buffer, that contains:

127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 ftp:/ /ftp.kasperskylab.ru/updates/
127.0.0.1 ftp:/ /ftp.avp.ch/updates/
127.0.0.1 http:/ /www.kaspersky.ru/updates/
127.0.0.1 http:/ /updates1.kaspersky-labs.com/updates/
127.0.0.1 http:/ /updates3.kaspersky-labs.com/updates/
127.0.0.1 http:/ /updates4.kaspersky-labs.com/updates/
127.0.0.1 http:/ /updates2.kaspersky-labs.com/updates/
127.0.0.1 http:/ /updates5.kaspersky-labs.com/updates/
127.0.0.1 http:/ /downloads1.kaspersky-labs.com/updates/
127.0.0.1 http:/ /www.kaspersky-labs.com/updates/
127.0.0.1 ftp:/ /updates3.kaspersky-labs.com/updates/
127.0.0.1 ftp:/ /downloads1.kaspersky-labs.com/updates/
127.0.0.1 www3.ca.com
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com

therefore disables access to most AV sites.

It is interesting to mention that the worm uses the hardcoded path of the hosts file (%system32%\drivers\etc). This path can be modified (with a simple registry setting) making this worm "feature" unusable.

The worm injects code into the Windows Explorer Application (explorer.exe). Therefore, all of the worm\'s malicious actions appear to be executed by the Windows Explorer.

The worm also acts as a downloader; it attempts to download a file from a set of specific hosts and execute it.

The worm also has anti-antivirus features; it attempts to delete several registry keys belonging to AV/Firewall products, as well as their services.