Win32.Bagle.CZ@mm

LOW
MEDIUM
35146

Symptoms

Increased internet and hard disk activity.
Presence of the following registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\FirstRun,FirstRunRR = 1
Presence of the following files:
    %WINDIR%\winshost.exe
    %WINDIR%\wiwshost.exe
    %WINDIR%\_re_file.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Petrea Ruslan, virus researcher

Technical Description:

Win32.Bagle.CZ@mm is the downloader component of the Bagle mass-mailing worm.

It usually arrives as a 16,830-byte archive containing a file named "price_list.exe" (35,146 bytes) that carries the icon of a .txt file.
When run, the worm copies itself to %WINSYS%\winshost.exe, drops the file %WINSYS%\wiwshost.exe (8,302 bytes), and injects its code into the "Explorer.exe" process.

The worm also creates the registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winshost.exe = "winshost.exe"
so that it is executed at startup.

The worm deletes all entries from the file "%WinSys%\drivers\etc\hosts", leaving only a single line:
    127.0.0.1 localhost

It stops the antivirus and firewall services from the list below:
    wuauserv
    PAVSRV
    PAVFNSVR
    PSIMSVC
    Pavkre
    PavProt
    PREVSRV
    PavPrSrv
    SharedAccess
    navapsvc
    NPFMntor
    Outpost Firewall
    SAVScan
    SBService
    Symantec Core LC
    ccEvtMgr
    SNDSrvc
    ccPwdSvc
    ccSetMgr.exe
    SPBBCSvc
    KLBLMain
    avg7alrt
    avg7updsvc
    vsmon
    CAISafe
    avpcc
    fsbwsys
    backweb client - 4476822
    backweb client-4476822
    fsdfwd
    F-Secure Gatekeeper Handler Starter
    FSMA
    KAVMonitorService
    navapsvc
    NProtectService
    Norton Antivirus Server
    VexiraAntivirus
    dvpinit
    dvpapi
    schscnt
    BackWeb Client - 7681197
    F-Secure Gatekeeper Handler Starter
    FSMA
    AVPCC
    KAVMonitorService
    Norman NJeeves
    NVCScheduler
    nvcoas
    Norman ZANDA
    PASSRV
    SweepNet
    SWEEPSRV.SYS
    NOD32ControlCenter
    NOD32Service
    PCCPFW
    Tmntsrv
    AvxIni
    XCOMM
    ravmon8
    SmcService
    BlackICE
    PersFW
    McAfee Firewall
    OutpostFirewall
    NWService
    alerter
    sharedaccess
    NISUM
    NISSERV
    vsmon
    nwclnth
    nwclntg
    nwclnte
    nwclntf
    nwclntd
    nwclntc
    wuauserv
    navapsvc
    Symantec Core LC
    SAVScan
    kavsvc
    DefWatch
    Symantec AntiVirus Client
    NSCTOP
    Symantec Core LC
    SAVScan
    SAVFMSE
    ccEvtMgr
    navapsvc
    ccSetMgr
    VisNetic AntiVirus Plug-in
    McShield
    AlertManger
    McAfeeFramework
    AVExch32Service
    AVUPDService
    McTaskManager
    Network Associates Log Service
    Outbreak Manager
    MCVSRte
    mcupdmgr.exe
    AvgServ
    AvgCore
    AvgFsh
    awhost32
    Ahnlab task Scheduler
    MonSvcNT
    V3MonNT
    V3MonSvc
    FSDFWD

It continuously checks the following registry keys and deletes them if they are present:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
    HKLM\SOFTWARE\Symantec
    HKLM\SOFTWARE\McAfee
    HKLM\SOFTWARE\KasperskyLab
    HKLM\SOFTWARE\Agnitum
    HKLM\SOFTWARE\Panda Software
    HKLM\SOFTWARE\Zone Labs

It searches all hard drives on the system for files named:
    CCSETMGR.EXE
    CCEVTMGR.EXE
    NAVAPSVC.EXE
    NPFMNTOR.EXE
    symlcsvc.exe
    SPBBCSvc.exe
    SNDSrvc.exe
    ccApp.exe
    ccl30.dll
    ccvrtrst.dll
    LUALL.EXE
    AUPDATE.EXE
    Luupdate.exe
    LUINSDLL.DLL
    RuLaunch.exe
    CMGrdian.exe
    Mcshield.exe
    outpost.exe
    Avconsol.exe
    Vshwin32.exe
    VsStat.exe
    Avsynmgr.exe
    kavmm.exe
    Up2Date.exe
    KAV.exe
    avgcc.exe
    avgemc.exe
    zonealarm.exe
    zatutor.exe
    zlavscan.dll
    zlclient.exe
    isafe.exe
    cafix.exe
    vsvault.dll
    av.dll
    vetredir.dll

and marks them to be renamed at startup to:
    C1CSETMGR.EXE
    CC1EVTMGR.EXE
    NAV1APSVC.EXE
    NPFM1NTOR.EXE
    s1ymlcsvc.exe
    SP1BBCSvc.exe
    SND1Srvc.exe
    ccA1pp.exe
    cc1l30.dll
    ccv1rtrst.dll
    LUAL1L.EXE
    AUPD1ATE.EXE
    Luup1date.exe
    LUI1NSDLL.DLL
    RuLa1unch.exe
    CM1Grdian.exe
    Mcsh1ield.exe
    outp1ost.exe
    Avc1onsol.exe
    Vshw1in32.exe
    Vs1Stat.exe
    Av1synmgr.exe
    kav12mm.exe
    Up222Date.exe
    K2A2V.exe
    avgc3c.exe
    avg23emc.exe
    \zonealarm.exe
    zatutor.exe
    zlavscan.dll
    zo3nealarm.exe
    zatu6tor.exe
    zl5avscan.dll
    zlcli6ent.exe
    is5a6fe.exe
    c6a5fix.exe
    vs6va5ult.dll
    a5v.dll
    ve6tre5dir.dll

Also, if it finds a file named "mysuperprog.exe", it deletes it.
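Offline triage helpers for two of the indicators above: the digit-spliced renames of security executables and the hosts file cut down to one line. This is an added example, not Bitdefender's code; the file listing and hosts content are constructed, and the rename check generalizes the listed renames to any digit insertion into a listed name.

```python
import re
from typing import Iterable

# Security-product file names the description says the worm marks for renaming.
TARGET_FILES = [
    "CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "NPFMNTOR.EXE", "symlcsvc.exe",
    "SPBBCSvc.exe", "SNDSrvc.exe", "ccApp.exe", "ccl30.dll", "ccvrtrst.dll",
    "LUALL.EXE", "AUPDATE.EXE", "Luupdate.exe", "LUINSDLL.DLL", "RuLaunch.exe",
    "CMGrdian.exe", "Mcshield.exe", "outpost.exe", "Avconsol.exe", "Vshwin32.exe",
    "VsStat.exe", "Avsynmgr.exe", "kavmm.exe", "Up2Date.exe", "KAV.exe",
    "avgcc.exe", "avgemc.exe", "zonealarm.exe", "zatutor.exe", "zlavscan.dll",
    "zlclient.exe", "isafe.exe", "cafix.exe", "vsvault.dll", "av.dll", "vetredir.dll",
]

def _normalize(name: str) -> str:
    # The renames keep every letter and only splice digits in (CCEVTMGR.EXE ->
    # CC1EVTMGR.EXE, KAV.exe -> K2A2V.exe), so stripping digits and case yields
    # a form shared by the original and all of its variants.
    return re.sub(r"\d", "", name).lower()

_ORIGINAL_BY_NORM = {_normalize(t): t.lower() for t in TARGET_FILES}

def mangled_security_files(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (observed_name, original_name) for files whose names look like
    digit-spliced renames of a protected security executable or DLL."""
    hits = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        original = _ORIGINAL_BY_NORM.get(_normalize(base))
        if original is not None and base.lower() != original:  # untouched originals are skipped
            hits.append((base, original))
    return hits

def hosts_file_wiped(hosts_text: str) -> bool:
    """True when the hosts file holds nothing but the single loopback line the worm
    leaves behind. Comment lines count as content on purpose: a stock Windows hosts
    file carries a comment header, so only a file cut down to that one line matches."""
    lines = [" ".join(ln.split()) for ln in hosts_text.splitlines() if ln.strip()]
    return lines == ["127.0.0.1 localhost"]

# Constructed sample data (not taken from a real machine) so the checks run offline.
SAMPLE_LISTING = [
    r"C:\Program Files\Symantec\CC1EVTMGR.EXE",   # renamed
    r"C:\Program Files\Symantec\ccApp.exe",       # intact
    r"C:\Program Files\Kaspersky\K2A2V.exe",      # renamed
    r"C:\Program Files\Kaspersky\Up222Date.exe",  # renamed
    r"C:\Windows\notepad.exe",                    # unrelated
]
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n"
```

Feed `mangled_security_files` a real directory walk and `hosts_file_wiped` the contents of the hosts file to apply the checks to a suspect machine.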

It stops the Windows Firewall service and terminates the following processes:
    NUPGRADE.EXE
    MCUPDATE.EXE
    ATUPDATER.EXE
    AUPDATE.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    FIREWALL.EXE
    ATUPDATER.EXE
    LUALL.EXE
    DRWEBUPW.EXE
    AUTODOWN.EXE
    NUPGRADE.EXE
    OUTPOST.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    ESCANH95.EXE
    AVXQUAR.EXE
    ESCANHNT.EXE
    UPGRADER.EXE
    AVXQUAR.EXE
    AVWUPD32.EXE
    AVPUPD.EXE
    CFIAUDIT.EXE
    UPDATE.EXE

When run for the first time, the worm creates the registry key
    HKCU\Software\FirstRun\FirstRunRR = 1
and opens "Notepad.exe".

In all other cases it waits until the computer is connected to the internet, then downloads the main component of the worm, decrypts it, saves it as %Windir%\_re_file.exe and runs it.