(Email-Worm.Win32.Bagle.bj (Kaspersky), W32/Bagle.CA.worm (Panda), TROJ_BAGLE.BH (Trend Micro))
Files: WINSHOST.EXE and WIWSHOST.EXE in the Windows\\System32 folder, and antivirus sites routed to localhost (i.e. disabled).
Use the BitDefender Removal Tool.
Mihai Neagu<br />
BitDefender Virus Researcher<br />
With signatures before 17 april 2005, the virus was detected as BehavesLike:Win32.SiteHijack because it disables the victim\'s computer to go to certain antivirus sites.
The virus arrives by mail, with various subjects and attachment names. The spreading was done manually, not by the worm itself.
When ran, the worm opens a notepad windows with the text: \"Sorry.\" and drops two files in the Windows/System32 directory:
The first file (WINSHOST.EXE) makes EXPLORER.EXE to load the second file (WIWSHOST.EXE) by creating a new thread in its address space. That is, the legitimate EXPLORER.EXE loads the infected file in memory and runs it, so you will not see any of the worm executables in task manager.
To run at each Windows session, the worm sets the following key:
Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"winshost.exe\" = \"%SYSTEMDIR%\\winshost.exe\"
in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. (%SYSTEMDIR% is the Windows/System32 directory)
Some antivirus web sites are prevented from loading, by overwriting the Windows/System32/Drivers/Etc/hosts file resolving domain names as 127.0.0.1 (localhost). You can however access them by using their IP addresses instead of domain names.
The worm also deletes or renames antivirus/firewall registry keys and files, so as to disable their protection. For instance, the worm renames the file ZONEALARM.EXE to ZO3NEALARM.EXE and so disabled at system restart.
Also some antivirus/firewall process are terminated, as most of worms do.
The worm tries to update itself by trying to download the file OSA.GIF from certain web sites and save it to Windows directory under the name: ILE.EXE and execute it.