Win32.Bagle.{DF,DL}@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Bagle.{DF,DL}@mm.
Explanation:
A feature of these worms is that they are split into components which use different attack vectors to infiltrate the user's machine. In particular, there is a downloader component which arrives as an e-mail attachment and which in turn downloads other components from a predefined list of sites and tries to execute them. This makes the worm very dangerous, because the author can put other components (backdoors, password stealers, etc.) online at any time, and if the worm is running on the computer they will be downloaded and executed automatically. Below are the details of the identified components. File sizes rather than file names are used to identify them in this description, because the components usually change or randomly generate their file names upon propagation. The file sizes are also only approximate, because the author changes them periodically and there are multiple slightly different files with the same role.
1. File size: ~35 kilobytes
This component is a dropper which arrives as an e-mail attachment. It drops the following two files in the Windows system directory: "winshost.exe" (component 1) and "wiwshost.exe" (component 2). "winshost.exe" is an identical copy of itself (component 1), and references to it are inserted in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that this component is executed at every startup. Component 2 is a DLL which is injected into "explorer.exe" to bypass detection by desktop firewalls (which would then report only that explorer.exe is trying to access the Internet).
2. File size: ~8 kilobytes
This component is dropped by component 1 in the Windows system directory and is injected into explorer.exe. It does the following things:
- It resets the hosts file (found in <windows>\system32\drivers\etc) to the standard contents:
127.0.0.1 localhost
- It tries to stop the following services, in the order listed below (some services appear multiple times, meaning that this component tries multiple times to terminate them):
wuauserv, PAVSRV, PAVFNSVR, PSIMSVC, Pavkre, PavProt, PREVSRV, PavPrSrv, SharedAccess, navapsvc, NPFMntor, Outpost Firewall, SAVScan, SBService, Symantec Core LC, ccEvtMgr, SNDSrvc, ccPwdSvc, ccSetMgr.exe, SPBBCSvc, KLBLMain, avg7alrt, avg7updsvc, vsmon, CAISafe, avpcc, fsbwsys, backweb client - 4476822, backweb client-4476822, fsdfwd, F-Secure Gatekeeper, Handler Starter, FSMA, KAVMonitorService, navapsvc, NProtectService, Norton Antivirus Server, VexiraAntivirus, dvpinit, dvpapi, schscnt, BackWeb Client - 7681197, F-Secure Gatekeeper Handler Starter, FSMA, AVPCC, KAVMonitorService, Norman NJeeves, NVCScheduler, nvcoas, Norman ZANDA, PASSRV, SweepNet, SWEEPSRV.SYS, NOD32ControlCenter, NOD32Service, PCCPFW, Tmntsrv, AvxIni, XCOMM, ravmon8, SmcService, BlackICE, PersFW, McAfee Firewall, OutpostFirewall, NWService, alerter, sharedaccess, NISUM, NISSERV, vsmon, nwclnth, nwclntg, nwclnte, nwclntf, nwclntd, nwclntc, wuauserv, navapsvc, Symantec Core LC, SAVScan, kavsvc, DefWatch, Symantec AntiVirus Client, NSCTOP, Symantec Core LC, SAVScan, SAVFMSE, ccEvtMgr, navapsvc, ccSetMgr, VisNetic AntiVirus Plug-in, McShield, AlertManger, McAfeeFramework, AVExch32Service, AVUPDService, McTaskManager, Network Associates Log Service, Outbreak Manager, MCVSRte, mcupdmgr.exe, AvgServ, AvgCore, AvgFsh, awhost32, Ahnlab task Scheduler, MonSvcNT, V3MonNT, V3MonSvc, FSDFWD
- It creates two threads which run in the background and remove the registry keys listed below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- the values: Symantec NetDriver Monitor, ccApp, NAV CfgWiz, SSC_UserPrompt, McAfee Guardian, McAfee.InstantUpdate.Monitor, APVXDWIN, KAV50, avg7_cc, avg7_emc, Zone Labs Client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab
HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum
HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs
- It also scans all hard drives for the files listed below and tries to delete them (not once, but repeatedly in a cycle for as long as the computer is running, so installing any of the targeted security products under these circumstances will fail). If it can't delete a found file, it instructs Windows to delete it on the next startup.
CCSETMGR.EXE, CCEVTMGR.EXE, NAVAPSVC.EXE, NPFMNTOR.EXE, symlcsvc.exe, SPBBCSvc.exe, SNDSrvc.exe, ccApp.exe, ccl30.dll, ccvrtrst.dll, LUALL.EXE, AUPDATE.EXE, Luupdate.exe, LUINSDLL.DLL, RuLaunch.exe, CMGrdian.exe, Mcshield.exe, outpost.exe, Avconsol.exe, Vshwin32.exe, VsStat.exe, Avsynmgr.exe, kavmm.exe, Up2Date.exe, KAV.exe, avgcc.exe, avgemc.exe, PcCtlCom.exe, Tmntsrv.exe, TmPfw.exe, zonealarm.exe, zatutor.exe, zlavscan.dll, zlclient.exe, isafe.exe, cafix.exe, vsvault.dll, av.dll, vetredir.dll, CCSETMGR.EXE, CCEVTMGR.EXE, NAVAPSVC.EXE, NPFMNTOR.EXE, symlcsvc.exe, SPBBCSvc.exe, SNDSrvc.exe, ccApp.exe, ccl30.dll, ccvrtrst.dll, LUALL.EXE, AUPDATE.EXE, Luupdate.exe, LUINSDLL.DLL, RuLaunch.exe, CMGrdian.exe, Mcshield.exe, outpost.exe, Avconsol.exe, Vshwin32.exe, VsStat.exe, Avsynmgr.exe, kavmm.exe, Up2Date.exe, KAV.exe, avgcc.exe, avgemc.exe, zonealarm.exe, zatutor.exe, zlavscan.dll, zlclient.exe, isafe.exe, cafix.exe, vsvault.dll, av.dll, vetredir.dll, C1CSETMGR.EXE, CC1EVTMGR.EXE, NAV1APSVC.EXE, NPFM1NTOR.EXE, s1ymlcsvc.exe, SP1BBCSvc.exe, SND1Srvc.exe, ccA1pp.exe, cc1l30.dll, ccv1rtrst.dll, LUAL1L.EXE, AUPD1ATE.EXE, Luup1date.exe, LUI1NSDLL.DLL, RuLa1unch.exe, CM1Grdian.exe, Mcsh1ield.exe, outp1ost.exe, Avc1onsol.exe, Vshw1in32.exe, Vs1Stat.exe, Av1synmgr.exe, kav12mm.exe, Up222Date.exe, K2A2V.exe, avgc3c.exe, avg23emc.exe, zonealarm.exe, zatutor.exe, zlavscan.dll, zo3nealarm.exe, zatu6tor.exe, zl5avscan.dll, zlcli6ent.exe, is5a6fe.exe, c6a5fix.exe, vs6va5ult.dll, a5v.dll, ve6tre5dir.dll
- It tries to stop the services responsible for Windows Update and the integrated firewall.
- It creates a thread which repeatedly tries to terminate the processes (not services) listed below:
NUPGRADE.EXE, MCUPDATE.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, FIREWALL.EXE, ATUPDATER.EXE, LUALL.EXE, DRWEBUPW.EXE, AUTODOWN.EXE, NUPGRADE.EXE, OUTPOST.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, UPGRADER.EXE, AVXQUAR.EXE, AVWUPD32.EXE, AVPUPD.EXE, CFIAUDIT.EXE, UPDATE.EXE
- It creates a thread which tries to download files from the hosts listed below, waiting 6 hours between two consecutive downloads. After a file is downloaded, it is placed in the Windows directory and executed (most of the files are missing from the websites; those actually present are executable files, and the .gif extension is only added to bypass content filters).
3. File size: ~3 kilobytes
This file is downloaded by "Component 2" and run in the Windows directory. It in turn downloads a file from the server keysi.ru, masked as a JPEG image, and places it in the Windows directory under a numeric name generated from the current time (for example "305419896.exe"). Then it executes it. This component also creates a listening socket on port 1084 which, when connected to, does nothing but disconnect after 15 seconds.
4. File size: ~9 kilobytes
This file is also downloaded by "Component 2" and executed in the Windows directory. It in turn drops Component 5 and Component 6 in the Windows temp folder and executes them.
5. File size: ~2 kilobytes
This is a variant of Component 3 which performs the same actions.
6. File size: ~5 kilobytes
This component searches the hard disk for e-mail addresses. Files with the extensions listed below are searched, and the result is uploaded through a script located on the server netriverbank.com or kuhne.ru (depending on the version). Finally it drops a batch file named "a.bat", with the help of which it erases itself. It marks the fact that address collection is finished by creating a value named "3trrt6" in the registry key "HKEY_CURRENT_USER\Software\ztrtewr". This is checked at program start, and if the value is present the collection of addresses is not repeated.
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp
7. File size: ~31 kilobytes
This is the mass-mailer component of the worm. It downloads e-mail addresses from one of the addresses listed below and sends a zipped copy of "Component 1" (contained internally) to those addresses. The attachment can have names like: price.zip, price2.zip, price_new.zip, price_09.zip, 09_price.zip, newprice.zip, new_price.zip, new__price.zip.
Last update 21 November 2011
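As a defender's triage aid, the following Python routine (an added example, not BitDefender's code) checks a collected host snapshot for the artifacts the description attributes to components 1, 2, 3 and 6: Run-key references to winshost.exe, the two dropped files in the system directory, the ztrtewr\3trrt6 marker, the tcp/1084 listener and a hosts file reduced to the default entry. How the snapshot is gathered from a live Windows host is left outside the block, and the sample Run-value name and path are constructed.

```python
"""Triage helper for the Bagle host artifacts described in this advisory.
Added example; the snapshot is collected elsewhere (registry, file system and
listener data), and a constructed one below lets the logic run offline."""
from dataclasses import dataclass

RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}    # components 1 and 2
MARKER_KEY = r"HKEY_CURRENT_USER\Software\ztrtewr"  # component 6 marker
MARKER_VALUE = "3trrt6"
LISTEN_PORT = 1084                                  # component 3 listener
HOSTS_DEFAULT = "127.0.0.1 localhost"               # hosts file after reset

@dataclass
class HostSnapshot:
    registry: dict          # key path -> {value name: value data}
    system_dir_files: set   # file names in the Windows system directory
    listening_ports: set    # TCP ports with a listener
    hosts_file: str         # contents of drivers\etc\hosts

def triage(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snap.registry.get(key, {}).items():
            exe = data.strip('"').lower().rsplit("\\", 1)[-1]
            if exe in DROPPED_FILES:
                findings.append(f"autorun {key}\\{name} -> {data}")
    for f in sorted(DROPPED_FILES & {f.lower() for f in snap.system_dir_files}):
        findings.append(f"dropped file in system directory: {f}")
    if MARKER_VALUE in snap.registry.get(MARKER_KEY, {}):
        findings.append(f"address-harvest marker {MARKER_KEY}\\{MARKER_VALUE}")
    if LISTEN_PORT in snap.listening_ports:
        findings.append(f"listener on tcp/{LISTEN_PORT}")
    # A default hosts file is normal on its own; report it only as corroboration.
    active = [l.strip() for l in snap.hosts_file.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    if findings and active == [HOSTS_DEFAULT]:
        findings.append("hosts file reduced to the default entry")
    return findings

# Constructed sample; the Run value name and path are invented for illustration.
SAMPLE = HostSnapshot(
    registry={RUN_KEYS[1]: {"wins": r"C:\WINDOWS\system32\winshost.exe"},
              MARKER_KEY: {MARKER_VALUE: ""}},
    system_dir_files={"winshost.exe", "wiwshost.exe", "ctfmon.exe"},
    listening_ports={135, 445, 1084},
    hosts_file="# constructed sample\n127.0.0.1 localhost\n")
```

Running `triage(SAMPLE)` yields six findings, one per artifact plus the corroborating hosts-file line; a snapshot with none of the artifacts yields an empty list even when its hosts file is the default.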