Upon executing Email-Worm:W32/Bagle.HR for the first time it shows the following dialog box as a decoy:



It will display the same message regardless of the file chosen.

In order to check itself for first execution, Email-Worm:W32/Bagle.HR checks the following registry entry:

• HKEY_CURRENT_USERSoftwareFirstRRRun
  FirstRR23232Run = dword:00000001
  

If the said registry entry is available it will no longer show the dialog box.

Email-Worm:W32/Bagle.HR drops copies of itself in the following path and filename:

• %Local AppData folder%hidiresflec003.exe
• %Local AppData folder%hidireshidr.exe

It also drops the following rootkit driver to hide its malicious activities:

• %Local AppData folder%hidiresm_hook.sys

To enable automatic execution upon boot, it adds the following auto start entry but waits for 300000 ms before adding it:

• HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
  drvsyskit = %Local AppData folder%hidireshidr.exe
  

It also adds its rootkit driver component as a service by adding the following changes to the registry:

• HKLMSYSTEMCurrentControlSetServicesm_hook
  Type = dword:00000001
  Start = dword:00000004
  DisplayName = "Empty"
  ImagePath = %Local Application Data Folder%hidiresm_hook.sys
  

Email-Worm:W32/Bagle.HR deletes the following key in order to prevent the user from booting into safemode:

• HKLMSYSTEMCurrentControlSetControlSafeBoot

Email-Worm:W32/Bagle.HR downloads other malware from the following links:

• http://5050clothing.com/mu[REMOVED].php
• http://axelero.hu/mu[REMOVED].php
• http://calamarco.com/mu[REMOVED].php
• http://charlesspaans.com/mu[REMOVED].php
• http://chatsk.wz.cz/mu[REMOVED].php
• http://checkalertusa.com/mu[REMOVED].php
• http://cibernegocios.com.ar/mu[REMOVED].php
• http://cof666.shockonline.net/mu[REMOVED].php
• http://comaxtechnologies.net/mu[REMOVED].php
• http://concellodesandias.com/mu[REMOVED].php
• http://dev.jintek.com/mu[REMOVED].php
• http://dogoodesign.ch/mu[REMOVED].php
• http://donchef.com/mu[REMOVED].php
• http://erich-kaestner-schule-donaueschingen.de/mu[REMOVED].php
• http://foxvcoin.com/mu[REMOVED].php
• http://grupdogus.de/mu[REMOVED].php
• http://hotchillishop.de/mu[REMOVED].php
• http://ilikesimple.com/mu[REMOVED].php
• http://innovation.ojom.net/mu[REMOVED].php
• http://kisalfold.com/mu[REMOVED].php
• http://knickimbit.de/mu[REMOVED].php
• http://kremz.ru/mu[REMOVED].php
• http://massgroup.de/mu[REMOVED].php
• http://poliklinika-vajnorska.sk/mu[REMOVED].php
• http://svatba.viskot.cz/mu[REMOVED].php
• http://systemforex.de/mu[REMOVED].php
• http://uwua132.org/mu[REMOVED].php
• http://v-v-kopretiny.ic.cz/mu[REMOVED].php
• http://vanvakfi.com/mu[REMOVED].php
• http://vega-sps.com/mu[REMOVED].php
• http://vidus.ru/mu[REMOVED].php
• http://viralstrategies.com/mu[REMOVED].php
• http://Vivamodelhobby.com/mu[REMOVED].php
• http://vkinfotech.com/mu[REMOVED].php
• http://vproinc.com/mu[REMOVED].php
• http://vytukas.com/mu[REMOVED].php
• http://waisenhaus-kenya.ch/mu[REMOVED].php
• http://watsrisuphan.org/mu[REMOVED].php
• http://wbecanada.com/mu[REMOVED].php
• http://web-comp.hu/mu[REMOVED].php
• http://webfull.com/mu[REMOVED].php
• http://welvo.com/mu[REMOVED].php
• http://wvpilots.org/mu[REMOVED].php
• http://www.ag.ohio-state.edu/mu[REMOVED].php
• http://www.ag.ohio-state.edu/mu[REMOVED].php
• http://www.chapisteriadaniel.com/mu[REMOVED].php
• http://www.chittychat.com/mu[REMOVED].php
• http://www.cort.ru/mu[REMOVED].php
• http://www.crfj.com/mu[REMOVED].php
• http://www.kersten.de/mu[REMOVED].php
• http://www.kljbwadersloh.de/mu[REMOVED].php
• http://www.voov.de/mu[REMOVED].php
• http://www.walsch.de/mu[REMOVED].php
• http://www.wchat.cz/mu[REMOVED].php
• http://www.wg-aufbau-bautzen.de/mu[REMOVED].php
• http://www.wzhuate.com/mu[REMOVED].php
• http://xotravel.ru/mu[REMOVED].php
• http://yeniguntugla.com/mu[REMOVED].php
• http://zebrachina.net/mu[REMOVED].php
• http://zsnabreznaknm.sk/mu[REMOVED].php

The rootkit driver terminates and deletes the following files that are related to antivirus software:

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• a2guard.exe
• aavshield.exe
• AckWin32.exe
• ADVCHK.EXE
• AhnSD.exe
• airdefense.exe
• ALERTSVC.EXE
• ALMon.exe
• ALOGSERV.EXE
• ALsvc.exe
• amon.exe
• Anti-Trojan.exe
• AntiVirScheduler
• AntiVirService
• ANTS.EXE
• APVXDWIN.EXE
• Armor2net.exe
• ashAvast.exe
• ashDisp.exe
• ashEnhcd.exe
• ashMaiSv.exe
• ashPopWz.exe
• ashServ.exe
• ashSimpl.exe
• ashSkPck.exe
• ashWebSv.exe
• aswUpdSv.exe
• ATCON.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• avciman.exe
• Avconsol.exe
• AVENGINE.EXE
• avgamsvr.exe
• avgcc.exe
• AVGCC32.EXE
• AVGCTRL.EXE
• avgemc.exe
• avgfwsrv.exe
• AVGNT.EXE
• avgntdd
• avgntmgr
• AVGSERV.EXE
• AVGUARD.EXE
• avgupsvc.exe
• avinitnt.exe
• AvkServ.exe
• AVKService.exe
• AVKWCtl.exe
• AVP.EXE
• AVP32.EXE
• avpcc.exe
• avpm.exe
• AVPUPD.EXE
• AVSCHED32.EXE
• avsynmgr.exe
• AVWUPD32.EXE
• AVWUPSRV.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT.EXE
• AVXQUAR.EXE
• BackWeb-4476822.exe
• bdmcon.exe
• bdnews.exe
• bdoesrv.exe
• bdss.exe
• bdsubmit.exe
• bdswitch.exe
• blackd.exe
• blackice.exe
• cafix.exe
• ccApp.exe
• ccEvtMgr.exe
• ccProxy.exe
• ccSetMgr.exe
• CFIAUDIT.EXE
• ClamTray.exe
• ClamWin.exe
• Claw95.exe
• Claw95cf.exe
• cleaner.exe
• cleaner3.exe
• CliSvc.exe
• CMGrdian.exe
• cpd.exe
• DefWatch.exe
• DOORS.EXE
• DrVirus.exe
• drwadins.exe
• drweb32w.exe
• drwebscd.exe
• DRWEBUPW.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ewidoctrl.exe
• EzAntivirusRegistrationCheck.exe
• F-AGNT95.EXE
• F-PROT95.EXE
• F-Sched.exe
• F-StopW.EXE
• FAMEH32.EXE
• FAST.EXE
• FCH32.EXE
• FireSvc.exe
• FireTray.exe
• FIREWALL.EXE
• fpavupdm.exe
• freshclam.exe
• FRW.EXE
• fsav32.exe
• fsavgui.exe
• fsbwsys.exe
• fsdfwd.exe
• FSGK32.EXE
• fsgk32st.exe
• fsguiexe.exe
• FSM32.EXE
• FSMA32.EXE
• FSMB32.EXE
• fspex.exe
• fssm32.exe
• gcasDtServ.exe
• gcasServ.exe
• GIANTAntiSpywareMain.exe
• GIANTAntiSpywareUpdater.exe
• GUARD.EXE
• GUARDGUI.EXE
• GuardNT.exe
• HRegMon.exe
• Hrres.exe
• HSockPE.exe
• HUpdate.EXE
• iamapp.exe
• iamserv.exe
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFACE.EXE
• INETUPD.EXE
• InocIT.exe
• InoRpc.exe
• InoRT.exe
• InoTask.exe
• InoUpTNG.exe
• IOMON98.EXE
• isafe.exe
• ISATRAY.EXE
• ISRV95.EXE
• ISSVC.exe
• JEDI.EXE
• KAV.exe
• kavmm.exe
• KAVPF.exe
• KavPFW.exe
• KAVStart.exe
• KAVSvc.exe
• KAVSvcUI.EXE
• KMailMon.EXE
• KPfwSvc.EXE
• KWatch.EXE
• livesrv.exe
• LOCKDOWN2000.EXE
• LogWatNT.exe
• lpfw.exe
• LUALL.EXE
• LUCOMSERVER.EXE
• Luupdate.exe
• MCAGENT.EXE
• mcmnhdlr.exe
• mcregwiz.exe
• Mcshield.exe
• MCUPDATE.EXE
• mcvsshld.exe
• MINILOG.EXE
• MONITOR.EXE
• MonSysNT.exe
• MOOLIVE.EXE
• MpEng.exe
• mpssvc.exe
• MSMPSVC.exe
• myAgtSvc.exe
• myagttry.exe
• navapsvc.exe
• NAVAPW32.EXE
• NavLu32.exe
• NAVW32.EXE
• NDD32.EXE
• NeoWatchLog.exe
• NeoWatchTray.exe
• NISSERV
• NISUM.EXE
• NMAIN.EXE
• nod32.exe
• nod32krn.exe
• nod32kui.exe
• NORMIST.EXE
• notstart.exe
• npavtray.exe
• NPFMNTOR.EXE
• npfmsg.exe
• NPROTECT.EXE
• NSCHED32.EXE
• NSMdtr.exe
• NssServ.exe
• NssTray.exe
• ntrtscan.exe
• NTXconfig.exe
• NUPGRADE.EXE
• NVC95.EXE
• Nvcod.exe
• Nvcte.exe
• Nvcut.exe
• NWService.exe
• OfcPfwSvc.exe
• OUTPOST.EXE
• PAV.EXE
• PavFires.exe
• PavFnSvr.exe
• Pavkre.exe
• PavProt.exe
• pavProxy.exe
• pavprsrv.exe
• pavsrv51.exe
• PAVSS.EXE
• pccguide.exe
• PCCIOMON.EXE
• pccntmon.exe
• PCCPFW.exe
• PcCtlCom.exe
• PCTAV.exe
• PERSFW.EXE
• pertsk.exe
• PERVAC.EXE
• PNMSRV.EXE
• POP3TRAP.EXE
• POPROXY.EXE
• prevsrv.exe
• PsImSvc.exe
• QHM32.EXE
• QHONLINE.EXE
• QHONSVC.EXE
• QHPF.EXE
• qhwscsvc.exe
• RavMon.exe
• RavTimer.exe
• Realmon.exe
• REALMON95.EXE
• Rescue.exe
• rfwmain.exe
• Rtvscan.exe
• RTVSCN95.EXE
• RuLaunch.exe
• SAVAdminService.exe
• SAVMain.exe
• savprogress.exe
• SAVScan.exe
• SCAN32.EXE
• ScanningProcess.exe
• sched.exe
• sdhelp.exe
• SERVIC~1.EXE
• SHSTAT.EXE
• SiteCli.exe
• smc.exe
• SNDSrvc.exe
• SPBBCSvc.exe
• SPHINX.EXE
• spiderml.exe
• spidernt.exe
• Spiderui.exe
• SpybotSD.exe
• SPYXX.EXE
• SS3EDIT.EXE
• stopsignav.exe
• swAgent.exe
• swdoctor.exe
• SWNETSUP.EXE
• symlcsvc.exe
• SymProxySvc.exe
• SymSPort.exe
• SymWSC.exe
• SYNMGR.EXE
• TAUMON.EXE
• TBMon.exe
• TC.EXE
• tca.exe
• TCM.EXE
• TDS-3.EXE
• TeaTimer.exe
• TFAK.EXE
• THAV.EXE
• THSM.EXE
• Tmas.exe
• tmlisten.exe
• Tmntsrv.exe
• TmPfw.exe
• tmproxy.exe
• TNBUtil.exe
• TRJSCAN.EXE
• Up2Date.exe
• UPDATE.EXE
• UpdaterUI.exe
• upgrepl.exe
• Vba32ECM.exe
• Vba32ifs.exe
• vba32ldr.exe
• Vba32PP3.exe
• VBSNTW.exe
• vchk.exe
• vcrmon.exe
• VetTray.exe
• VirusKeeper.exe
• VPTRAY.EXE
• vrfwsvc.exe
• VRMONNT.EXE
• vrmonsvc.exe
• vrrw32.exe
• VSECOMR.EXE
• Vshwin32.exe
• vsmon.exe
• vsserv.exe
• VsStat.exe
• WATCHDOG.EXE
• WebProxy.exe
• Webscanx.exe
• WEBTRAP.EXE
• WGFE95.EXE
• Winaw32.exe
• winroute.exe
• winss.exe
• winssnotify.exe
• WRADMIN.EXE
• WRCTRL.EXE
• xcommsvr.exe
• zatutor.exe
• ZAUINST.EXE
• zlclient.exe
• zonealarm.exe

Last update 11 April 2007

 

TOP