F-Secure Virus Descriptions : Bagle.BB

This virus is ranked as a Level 2 alert under F-Secure Radar.

NAME: Bagle.BB
ALIAS: Email-Worm.Win32.Bagle.bb, Email-Worm.Win32.Bagle.pac

Summary

This trojan dropper appeared on March 1st, 2005. It is sent by the Bagle.be worm as an attachment to its infected e-mails, packed inside a ZIP archive. Distribution was quite high, so we set Radar Level 2 for this dropper.

The dropped downloader is detected as 'Email-Worm.Win32.Bagle.bb'. Several more droppers that drop the same downloader appeared later:

http://www.f-secure.com/v-descs/bagle_bd.shtml
http://www.f-secure.com/v-descs/bagle_bg.shtml

Detailed Description

The dropper is a PE executable file 34304 bytes long; the dropped file is a DLL 18944 bytes long. The dropper is packed; the DLL file is not.

Installation to system

When the dropper's file is run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL is then injected into the Explorer.exe process.

The dropper/injector creates two startup entries for its file in the Windows Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "winshost.exe" = "%winsysdir%\winshost.exe"

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "winshost.exe" = "%winsysdir%\winshost.exe"

where '%winsysdir%' represents the Windows System folder. These entries make Windows run the dropper every time it starts.

The downloader and its payload

The WIWSHOST.EXE file is mainly a downloader, but it also attacks anti-virus and security software. When it is run, it first modifies the hosts file to block access to a long list of anti-virus vendor sites and signature-update URLs, Microsoft download and Windows Update servers, and several advertising networks, so that the infected machine can no longer fetch anti-virus updates or Windows patches.

Then the trojan stops services with the following names:

 wuauserv
 PAVSRV
 PAVFNSVR
 PSIMSVC
 Pavkre
 PavProt
 PREVSRV
 PavPrSrv
 SharedAccess
 navapsvc
 NPFMntor
 Outpost Firewall
 SAVScan
 SBService
 Symantec Core LC
 ccEvtMgr
 SNDSrvc
 ccPwdSvc
 ccSetMgr.exe
 SPBBCSvc
 KLBLMain
 avg7alrt
 avg7updsvc
 vsmon
 CAISafe
 avpcc
 fsbwsys
 backweb client - 4476822
 backweb client-4476822
 fsdfwd
 F-Secure Gatekeeper Handler Starter
 FSMA
 KAVMonitorService
 navapsvc
 NProtectService
 Norton Antivirus Server
 VexiraAntivirus
 dvpinit
 dvpapi
 schscnt
 BackWeb Client - 7681197
 F-Secure Gatekeeper Handler Starter
 FSMA
 AVPCC
 KAVMonitorService
 Norman NJeeves
 NVCScheduler
 nvcoas
 Norman ZANDA
 PASSRV
 SweepNet
 SWEEPSRV.SYS
 NOD32ControlCenter
 NOD32Service
 PCCPFW
 Tmntsrv
 AvxIni
 XCOMM
 ravmon8
 SmcService
 BlackICE
 PersFW
 McAfee Firewall
 OutpostFirewall
 NWService
 alerter
 sharedaccess
 NISUM
 NISSERV
 vsmon
 nwclnth
 nwclntg
 nwclnte
 nwclntf
 nwclntd
 nwclntc
 wuauserv
 navapsvc
 Symantec Core LC
 SAVScan
 kavsvc
 DefWatch
 Symantec AntiVirus Client
 NSCTOP
 Symantec Core LC
 SAVScan
 SAVFMSE
 ccEvtMgr
 navapsvc
 ccSetMgr
 VisNetic AntiVirus Plug-in
 McShield
 AlertManger
 McAfeeFramework
 AVExch32Service
 AVUPDService
 McTaskManager
 Network Associates Log Service
 Outbreak Manager
 MCVSRte
 mcupdmgr.exe
 AvgServ
 AvgCore
 AvgFsh
 awhost32
 Ahnlab task Scheduler
 MonSvcNT
 V3MonNT
 V3MonSvc
 FSDFWD

Then the trojan starts a thread that deletes the following Registry keys and values (entries written as key,value name a single value; bare entries name a whole key):

 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
 HKLM\SOFTWARE\Symantec
 HKLM\SOFTWARE\McAfee
 HKLM\SOFTWARE\KasperskyLab
 HKLM\SOFTWARE\Agnitum
 HKLM\SOFTWARE\Panda Software
 HKLM\SOFTWARE\Zone Labs

After that the trojan starts a thread that scans all hard drives and deletes any file with the following name:

 mysuperprog.exe

This thread also renames files belonging to security and anti-virus software. The following files are renamed:

 CCSETMGR.EXE
 CCEVTMGR.EXE
 NAVAPSVC.EXE
 NPFMNTOR.EXE
 symlcsvc.exe
 SPBBCSvc.exe
 SNDSrvc.exe
 ccApp.exe
 ccl30.dll
 ccvrtrst.dll
 LUALL.EXE
 AUPDATE.EXE
 Luupdate.exe
 LUINSDLL.DLL
 RuLaunch.exe
 CMGrdian.exe
 Mcshield.exe
 outpost.exe
 Avconsol.exe
 Vshwin32.exe
 VsStat.exe
 Avsynmgr.exe
 kavmm.exe
 Up2Date.exe
 KAV.exe
 avgcc.exe
 avgemc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zlclient.exe
 isafe.exe
 cafix.exe
 vsvault.dll
 av.dll
 vetredir.dll

The files listed above are renamed to the following names (the trojan inserts digits into the original file name):

 C1CSETMGR.EXE
 CC1EVTMGR.EXE
 NAV1APSVC.EXE
 NPFM1NTOR.EXE
 s1ymlcsvc.exe
 SP1BBCSvc.exe
 SND1Srvc.exe
 ccA1pp.exe
 cc1l30.dll
 ccv1rtrst.dll
 LUAL1L.EXE
 AUPD1ATE.EXE
 Luup1date.exe
 LUI1NSDLL.DLL
 RuLa1unch.exe
 CM1Grdian.exe
 Mcsh1ield.exe
 outp1ost.exe
 Avc1onsol.exe
 Vshw1in32.exe
 Vs1Stat.exe
 Av1synmgr.exe
 kav12mm.exe
 Up222Date.exe
 K2A2V.exe
 avgc3c.exe
 avg23emc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zo3nealarm.exe
 zatu6tor.exe
 zl5avscan.dll
 zlcli6ent.exe
 is5a6fe.exe
 c6a5fix.exe
 vs6va5ult.dll
 a5v.dll
 ve6tre5dir.dll

The affected software keeps working until the next system restart; after the restart it can no longer start, because its files have been renamed by the trojan.
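The hosts-file modification and the digit-insertion rename described above can both be checked offline with the script below. It is an added example, not F-Secure's code: AV_BINARIES and WATCHED_HOSTS hold a handful of names taken from this description, and the directory listing and hosts file it runs on are constructed samples.

```python
import re

# Anti-virus binaries the trojan renames (a subset of the list in the description).
# It inserts digits into the name, e.g. CCSETMGR.EXE becomes C1CSETMGR.EXE, so the
# name with all digits stripped is the same before and after the rename.
AV_BINARIES = ["CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "ccApp.exe",
               "kavmm.exe", "Up2Date.exe", "KAV.exe", "zlclient.exe", "isafe.exe"]

# A few of the vendor and update hostnames the trojan maps in the hosts file.
WATCHED_HOSTS = {"f-secure.com", "www.f-secure.com", "avp.com", "download.mcafee.com",
                 "liveupdate.symantec.com", "windowsupdate.microsoft.com"}

def canonical(name):
    """Case-folded file name with every digit removed."""
    return re.sub(r"\d", "", name).lower()

def find_renamed_av_files(listing):
    """Return (found_name, expected_name) pairs for listing entries that look like a
    digit-inserted rename of a known anti-virus binary. A legitimate file whose
    digit-stripped name coincides with one in AV_BINARIES is flagged too; treat hits as leads."""
    by_canon = {canonical(n): n for n in AV_BINARIES}
    hits = []
    for name in listing:
        expected = by_canon.get(canonical(name))
        if expected is not None and name.lower() != expected.lower():
            hits.append((name, expected))
    return hits

def find_blocked_hosts(hosts_text):
    """Return (hostname, address) pairs for WATCHED_HOSTS entries in a hosts file."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, then tokenize
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            if host.lower() in WATCHED_HOSTS:
                blocked.append((host.lower(), fields[0]))
    return blocked

# Constructed sample input: a System directory listing after the rename step and a
# hosts file carrying a few of the trojan's entries.
SAMPLE_LISTING = ["C1CSETMGR.EXE", "kav12mm.exe", "Up222Date.exe", "K2A2V.exe",
                  "ccApp.exe", "notepad.exe", "win32k.sys"]
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  f-secure.com www.f-secure.com
127.0.0.1  liveupdate.symantec.com  # added by the trojan
"""
```

Running find_renamed_av_files(SAMPLE_LISTING) reports the four digit-inserted names and leaves the untouched ccApp.exe alone; find_blocked_hosts(SAMPLE_HOSTS) reports the three vendor hosts mapped to 127.0.0.1.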

After this the trojan terminates services with the following names:

 SharedAccess
 wscsvc

Next, the trojan creates a thread that kills processes with the following names:

 AVXQUAR.EXE
 ESCANHNT.EXE
 UPGRADER.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 CFIAUDIT.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 MCUPDATE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 FIREWALL.EXE
 ATUPDATER.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 AUTODOWN.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ESCANH95.EXE

Finally the trojan tries to download a file from several web servers. The downloaded file is saved to the Windows directory as '_re_file.exe' and executed. The download locations are a hardcoded list of over 150 URLs on third-party web sites, all requesting the same file name; a few of them are written in user:password@host form.

We are monitoring these locations in order to catch any malware the trojan's author places there.

Detection

F-Secure Anti-Virus detects this malware starting from the following update:

[FSAV_Database_Version]

Version=2005-03-01_01

Technical Details: M. Hypponen, T. Chaliavski and A. Podrezov, February 28th - March 1st, 2005;

Description Updated: Alexey Podrezov, March 3rd, 2005;

F-Secure Corporation