Home / malware Win32.Bagle.DC@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Bagle.DC@mm is also known as Email-Worm.Win32.Bagle.dg, Email-Worm.Win32.Bagle.dc, Troj/BagleDl-U, Troj/BagleDl-V.
Explanation :
The virus arrives as an executable in a zip file of an e-mail attachment
The zip file is cca 17 kb, and inside is an executable of cca 35 kb.
Consists of 5 components, mainly trojans, downloaders and droppers.
winshost.exe (~35 kb) - dropper 1
wiwshost.exe (~8 kb) - trojan/downloader 1
osa6.gif (~2 kb) - downloader 2
firewall_anti.exe (~95 kb) - dropper 2
firewall_anti.exe.dll (~70 kb) - trojan
Basicly, when run, the virus dropper creates and executes the trojan, which is injected
into explorer. Next, attempts to download and execute a file from a series of remote servers,
disables several services and applications related to security. Creates/overwrites the hosts
file with a default one. Starts the newly downloaded file, which will also download another
file, that is a dropper which creates/executes a trojan blocking av sites.
Note: since some of the virus components are independent, they may be updated and their
actions and sizes may vary slightly.
Once run, the virus (the dropper) does the following:
1. Creates the aforementioned keys and files mentioned in Symptoms.
2. Injects wiwshost.exe in explorer (which is the first dowloader)
Once wiwshost.exe (the trojan/downloader) is run, it does the folowing:
1. Deletes the following registry keys/entries:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"Symantec NetDriver Monitor"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"ccApp"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"NAV CfgWiz"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"SSC_UserPrompt"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"McAfee Guardian"
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun"McAfee.InstantUpdate.Monitor"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"APVXDWIN"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"KAV50"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"avg7_cc"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"avg7_emc"
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"Zone Labs Client
HKLMSOFTWARESymantec
HKLMSOFTWAREMcAfee
HKLMSOFTWAREKasperskyLab
HKLMSOFTWAREAgnitum
HKLMSOFTWAREPanda Software
HKLMSOFTWAREone Labs
2. Disables the following services:
wuauservPAVSRVPAVFNSVRPSIMSVCPavkrePavProtPREVSRVPavPrSrvSharedAccessnavapsvcNPFMntorOutpost FirewallSAVScanSBServiceSymantec Core LCccEvtMgrSNDSrvcccPwdSvcccSetMgr.exeSPBBCSvcKLBLMainavg7alrtavg7updsvcvsmonCAISafeavpccfsbwsysbackweb client - 4476822backweb client-4476822fsdfwdF-Secure Gatekeeper Handler StarterFSMAKAVMonitorServicenavapsvcNProtectServiceNorton Antivirus ServerVexiraAntivirusdvpinitdvpapischscntBackWeb Client - 7681197F-Secure Gatekeeper Handler StarterFSMAAVPCCKAVMonitorServiceNorman NJeevesNVCSchedulernvcoasNorman ZANDAPASSRVSweepNetSWEEPSRV.SYSNOD32ControlCenterNOD32ServicePCCPFWTmntsrvAvxIniXCOMMravmon8SmcServiceBlackICEPersFWMcAfee FirewallOutpostFirewallNWServicealertersharedaccessNISUMNISSERVvsmonnwclnthnwclntgnwclntenwclntfnwclntdnwclntcwuauservnavapsvcSymantec Core LCSAVScankavsvcDefWatchSymantec AntiVirus ClientNSCTOPSymantec Core LCSAVScanSAVFMSEccEvtMgrnavapsvcccSetMgrVisNetic AntiVirus Plug-inMcShieldAlertMangerMcAfeeFrameworkAVExch32ServiceAVUPDServiceMcTaskManagerNetwork Associates Log ServiceOutbreak ManagerMCVSRtemcupdmgr.exeAvgServAvgCoreAvgFshawhost32Ahnlab task SchedulerMonSvcNTV3MonNTV3MonSvcFSDFWD
3. Creates a thread that terminates execution of the applications:
NUPGRADE.EXEMCUPDATE.EXEATUPDATER.EXEAUPDATE.EXEAUTOTRACE.EXEAUTOUPDATE.EXEFIREWALL.EXEATUPDATER.EXELUALL.EXEDRWEBUPW.EXEAUTODOWN.EXENUPGRADE.EXEOUTPOST.EXEICSSUPPNT.EXEICSUPP95.EXEESCANH95.EXEAVXQUAR.EXEESCANHNT.EXEUPGRADER.EXEAVXQUAR.EXEAVWUPD32.EXEAVPUPD.EXECFIAUDIT.EXEUPDATE.EXE
4. Renames the following files:
mysuperprog.exeCCSETMGR.EXECCEVTMGR.EXENAVAPSVC.EXENPFMNTOR.EXEsymlcsvc.exeSPBBCSvc.exeSNDSrvc.execcApp.execcl30.dllccvrtrst.dllLUALL.EXEAUPDATE.EXELuupdate.exeLUINSDLL.DLLRuLaunch.exeCMGrdian.exeMcshield.exeoutpost.exeAvconsol.exeVshwin32.exeVsStat.exeAvsynmgr.exekavmm.exeUp2Date.exeKAV.exeavgcc.exeavgemc.exePcCtlCom.exeTmntsrv.exeTmPfw.exezonealarm.exezatutor.exezlavscan.dllzlclient.exeisafe.execafix.exevsvault.dllav.dllvetredir.dllCCSETMGR.EXECCEVTMGR.EXENAVAPSVC.EXENPFMNTOR.EXEsymlcsvc.exeSPBBCSvc.exeSNDSrvc.execcApp.execcl30.dllccvrtrst.dllLUALL.EXEAUPDATE.EXELuupdate.exeLUINSDLL.DLLRuLaunch.exeCMGrdian.exeMcshield.exeoutpost.exeAvconsol.exeVshwin32.exeVsStat.exeAvsynmgr.exekavmm.exeUp2Date.exeKAV.exeavgcc.exeavgemc.exezonealarm.exezatutor.exezlavscan.dllzlclient.exeisafe.execafix.exevsvault.dllav.dllvetredir.dllC1CSETMGR.EXECC1EVTMGR.EXENAV1APSVC.EXENPFM1NTOR.EXEs1ymlcsvc.exeSP1BBCSvc.exeSND1Srvc.execcA1pp.execc1l30.dllccv1rtrst.dllLUAL1L.EXEAUPD1ATE.EXELuup1date.exeLUI1NSDLL.DLLRuLa1unch.exeCM1Grdian.exeMcsh1ield.exeoutp1ost.exeAvc1onsol.exeVshw1in32.exeVs1Stat.exeAv1synmgr.exekav12mm.exeUp222Date.exeK2A2V.exeavgc3c.exeavg23emc.exezonealarm.exezatutor.exezlavscan.dllzo3nealarm.exezatu6tor.exezl5avscan.dllzlcli6ent.exeis5a6fe.exec6a5fix.exevs6va5ult.dlla5v.dllve6tre5dir.dll
5. Attempts to download and execute osa6.gif from:
http://www.yannick-spruyt.behttp://www.yayadownload.comhttp://www.yesterdays.co.zahttp://www.yesterdays.co.zahttp://www.yshkj.comhttp://www.yshkj.comhttp://www.zakazcd.dp.uahttp://www.students.stir.ac.ukhttp://www.zenesoftware.comhttp://www.zentek.co.zahttp://www.czzm.comhttp://www.izoli.skhttp://www.zorbas.azhttp://www.zsbersala.edu.skhttp://www.triptonic.chhttp://www.tv-marina.comhttp://www.travelourway.comhttp://www.megaserve.nethttp://www.trgd.dobrcz.plhttp://www.mild.athttp://www.mild.athttp://www.kingsley.chhttp://www.mild.athttp://www.elvis-presley.chhttp://www.gomyhome.com.twhttp://www.ider.clhttp://www.ascolfibras.comhttp://www.on24.eehttp://www.xojc.comhttp://www.x-treme.czhttp://www.gymzn.czhttp://www.gymzn.czhttp://www.gymzn.czhttp://www.xiantong.nethttp://www.xmpie.comhttp://www.xmpie.comhttp://www.xmtd.comhttp://www.onlink.nethttp://www.discoteka-funfactory.comhttp://www.toussain.behttp://www.idcs.behttp://www.gepeters.orghttp://www.angham.dehttp://www.idaf.dehttp://www.bolz.athttp://www.societaet.dehttp://www.ppm-alliance.dehttp://www.udc-cassinadepecchi.ithttp://www.universe.skhttp://www.jingjuok.comhttp://www.gemtrox.com.twhttp://www.uspowerchair.comhttp://www.steripharm.comhttp://www.beall-cpa.comhttp://www.jcm-american.comhttp://www.vercruyssenelektro.behttp://www.centrovestecasa.ithttp://www.vet24h.comhttp://www.vinimeloni.comhttp://www.vnrvjiet.ac.inhttp://www.vote2fateh.comhttp://www.marketvw.comhttp://www.formholz.athttp://www.checkonemedia.nlhttp://www.fotomax.fihttp://www.vw.press-bank.plhttp://www.wamba.asn.auhttp://www.cz-wanjia.comhttp://www.czwanqing.comhttp://www.wdlp.co.zahttp://www.automobilonline.dehttp://www.bangyan.cnhttp://www.21ebuild.comhttp://www.eagle.com.cnhttp://www.eagleclub.com.cnhttp://www.eagleclub.com.cnhttp://www.sanjinyuan.comhttp://www.designgong.orghttp://www.fermegaroy.comhttp://www.welchcorp.comhttp://www.snsphoto.comhttp://www.soeco.orghttp://www.softmajor.ruhttp://www.solt3.orghttp://www.sqnsolutions.comhttp://www.spacium.bizhttp://www.speedcom.home.plhttp://www.trago.com.pthttp://www.spirit-in-steel.athttp://www.spy.azhttp://www.st-paulus-bonn.dehtdocshttp://www.stbs.com.hkhttp://www.acsohio.comhttp://www.olva.com.pehttp://www.subsplanet.comhttp://www.sungodbio.comhttp://www.superbetcs.comhttp://www.vnn.vnhttp://www.sydolo.comhttp://www.szdiheng.comhttp://www.agria.huhttp://www.externet.huhttp://www.hondenservice.behttp://www.ehc.huhttp://www.tcicampus.nethttp://www.contentproject.comhttp://www.festivalteatrooccidente.comhttp://www.techni.com.cnhttp://www.festivalteatrooccidente.comhttp://www.thaifast.comhttp://www.thaiventure.comhttp://www.andi.com.vnhttp://www.replayu.comhttp://www.th-mutan.comhttp://www.thetexasoutfitter.comhttp://www.tmhcsd1987.friko.plhttp://www.thenextstep.tvhttp://www.thenextstep.tvhttp://www.wesartproductions.comhttp://www.wilsonscountry.comhttp://www.windstar.plhttp://www.wise-industries.comhttp://www.witold.plhttp://www.witold.plhttp://www.51.nethttp://www.slovanet.skhttp://www.wombband.comhttp://www.datanet.huwww.datanet.huhttp://www.uw.huhttp://www.dgy.com.cnhttp://www.bs-security.dehttp://www.die-fliesen.dehttp://www.dom-invest.com.plhttp://www.engelhardtgmbh.dehttp://www.triapex.czhttp://www.fahrschule-herb.dehttp://www.fahrschule-lesser.dehttp://www.gimex-messzeuge.dehttp://www.inside-tgweb.dehttp://www.jue-bo.comhttp://www.niko.dehttp://www.nikogmbh.comhttp://www.renegaderc.comhttp://www.sachsenbuecher.dehttp://www.scvanravenswaaij.nlhttp://www.spoden.dehttp://www.sportnf.comhttp://www.sweb.czhttp://www.tg-sandhausen-basketball.dehttp://www.thefunkiest.comhttp://www.thefunkiest.comhttp://www.jeoushinn.comhttp://www.presley.ch
6. Overwrites the hosts file
7. Opens notepad
Once osa6.gif is executed, it:
1. Downloads and executes 2.jpg file from keysi.ru
2. Creates a thread that listens on port 0x3C4
Once 2.jpg is executed, it does:
1. Creates a copy of itself as
2. Creates the firewall_anti.exe.dll in %WINDOWS% folder which is the mass mailer component
3. Creates the registry key in order to run at startup:
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
"firewall_anti.exe"="%WINDOWS%firewall_anti.exe"
Once firewall_anti.exe.dll is run, it does the following:
1. Access is blocked for the following sites:
ftpav.ca.comwww.pandasoftware.compandasoftware.comclamav.netwww.clamav.netwww.bitdefender.combitdefender.comravantivirus.comwww.ravantivirus.comdrweb.ruwww.drweb.comdrweb.comantivir.dewww.antivir.de216.200.68.152212.113.20.6963.210.193.1284.53.142.2284.53.142.6kaspersky.rugrisoft.comwww3.ca.comwww.viruslist.ruwww.viruslist.comwww.trendmicro.comwww.symantec.comwww.sophos.comwww.networkassociates.comwww.nai.comwww.my-etrust.comwww.mcafee.comwww.kaspersky.ruwww.kaspersky.comwww.kaspersky-labs.comwww.grisoft.comwww.fastclick.netwww.f-secure.comwww.awaps.netwww.avp.ruwww.avp.comwww.avp.chwindowsupdate.microsoft.comviruslist.ruviruslist.comvil.nai.comus.mcafee.comupdates5.kaspersky-labs.comupdates4.kaspersky-labs.comupdates3.kaspersky-labs.comupdates2.kaspersky-labs.comupdates1.kaspersky-labs.comupdates.symantec.comupdate.symantec.comtrendmicro.comsymantec.comsupport.microsoft.comspd.atdmt.comsophos.comservice1.symantec.comsecurityresponse.symantec.comsecure.nai.comrads.mcafee.comphx.corporate-ir.netoffice.microsoft.comnetworkassociates.comnai.commy-etrust.commsdn.microsoft.commedia.fastclick.netmcafee.commast.mcafee.comliveupdate.symantecliveupdate.comliveupdate.symantec.comkaspersky.comkaspersky-labs.comids.kaspersky-labs.comgo.microsoft.comftp.sophos.comftp.kasperskylab.ruftp.f-secure.comftp.downloads2.kaspersky-labs.comftp.avp.chfastclick.netf-secure.comengine.awaps.netdownloads4.kaspersky-labs.comdownloads3.kaspersky-labs.comdownloads2.kaspersky-labs.comdownloads1.kaspersky-labs.comdownloads.microsoft.comdownloads-us3.kaspersky-labs.comdownloads-us2.kaspersky-labs.comdownloads-us1.kaspersky-labs.comdownloads-eu1.kaspersky-labs.comdownload.microsoft.comdownload.mcafee.comdispatch.mcafee.comcustomer.symantec.comclicks.atdmt.comclick.atdmt.comwww.ca.comca.combanners.fastclick.netbanner.fastclick.netawaps.netavp.ruavp.comavp.chatdmt.comar.atwola.comads.fastclick.netad.fastclick.netreport.bitdefender.comupgrade.bitdefender.comad.doubleclick.net
by registering itself as a packet filter thus preventing update of security related products.Last update 21 November 2011