
Increased internet and hard disk activity.
Presence of the following registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\FirstRun,FirstRunRR = 1
Presence of the following files:

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Petrea Ruslan, virus researcher

Technical Description:

Win32.Bagle.CZ@mm is a downloader that forms part of the Bagle mass-mailing worm.

It usually arrives as an archive of 16,830 bytes containing a file named "price_list.exe", 35,146 bytes in size, carrying the icon of a .txt file.
When run, the worm copies itself to %WINSYS%\winshost.exe, drops the file %WINSYS%\wiwshost.exe (8,302 bytes) and injects its code into the "Explorer.exe" process.

Also the worm creates registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
in order to be executed at startup.

The worm deletes all entries from the file "%WinSys%\drivers\etc\hosts", leaving only a single line for localhost.

It stops the antivirus and firewall services in the list below:
    Outpost Firewall
    Symantec Core LC
    backweb client - 4476822
    backweb client-4476822
    F-Secure Gatekeeper Handler Starter
    Norton Antivirus Server
    BackWeb Client - 7681197
    F-Secure Gatekeeper Handler Starter
    Norman NJeeves
    Norman ZANDA
    McAfee Firewall
    Symantec Core LC
    Symantec AntiVirus Client
    Symantec Core LC
    VisNetic AntiVirus Plug-in
    Network Associates Log Service
    Outbreak Manager
    Ahnlab task Scheduler

It continuously checks the following registry keys and deletes them if they are present:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
    HKLM\SOFTWARE\Agnitum
    HKLM\SOFTWARE\Panda Software

It searches all hard drives on the system for files named:

and marks them to be renamed at startup to:

Also, if it finds a file named "mysuperprog.exe", it deletes it.

It stops the Windows Firewall service and terminates the following processes:

When run for the first time, the worm creates the registry key
    HKCU\Software\FirstRun\FirstRunRR = 1
and opens Notepad.exe.

On every later run it waits until the computer is connected to the internet, then downloads the main component of the worm, decrypts it, saves it as %Windir%\_re_file.exe and runs it.
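As an added example (not part of the original Bitdefender entry), the following PowerShell triage script checks a machine for the indicators described above: the Run values, the first-run marker, the dropped and downloaded files, and a hosts file reduced to a single localhost line. It assumes %WINSYS% resolves to %SystemRoot%\System32 and %Windir% to %SystemRoot%.

```powershell
# Added triage script for the Win32.Bagle.CZ@mm indicators listed on this page.
# Assumption: %WINSYS% = $env:SystemRoot\System32 and %Windir% = $env:SystemRoot.
$findings = @()

# 1. Autostart entries: a value named "winshost.exe" under both Run keys
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name 'winshost.exe' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run value present: $runKey\winshost.exe = $($val.'winshost.exe')" }
}

# 2. First-run marker written on the worm's initial execution
$fr = Get-ItemProperty -Path 'HKCU:\SOFTWARE\FirstRun' -Name 'FirstRunRR' -ErrorAction SilentlyContinue
if ($fr -and $fr.FirstRunRR -eq 1) { $findings += 'HKCU\SOFTWARE\FirstRun\FirstRunRR = 1' }

# 3. Dropped copy, injected component and downloaded main component
$sys32 = Join-Path $env:SystemRoot 'System32'
$paths = @(
    (Join-Path $sys32 'winshost.exe'),
    (Join-Path $sys32 'wiwshost.exe'),
    (Join-Path $env:SystemRoot '_re_file.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $findings += "File present: $p ($size bytes)"
    }
}

# 4. hosts file stripped down to one active localhost line.
# A deliberately minimal hosts file looks the same, so treat this as
# corroborating evidence rather than proof on its own.
$hosts = Join-Path $sys32 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    $active = @(Get-Content -LiteralPath $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
    if ($active.Count -eq 1 -and $active[0] -match 'localhost') {
        $findings += "hosts file has a single active line: '$($active[0].Trim())'"
    }
}

if ($findings.Count -eq 0) { 'No Bagle.CZ indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM Run key and the System32 directory are readable; a hit on any of the first three checks warrants a full scan and disinfection as the removal instructions state.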