W32/Bagle.bc@MM
- Type: Virus
- SubType: -
- Discovery Date: 10/29/2004
- Length: 17412 bytes
- Minimum DAT: 4403 (10/29/2004)
- Updated DAT: 4626 (11/11/2005)
- Minimum Engine: 5.1.00
- Description Added: 10/29/2004
- Description Modified: 10/29/2004 7:21 AM (PT)
Characteristics
This is a detection for a new Bagle variant.
In initial testing, this new variant did not spread by mail. Instead it tries to connect to several web servers and to download and execute a file.
Installation
The virus copies itself into the Windows System directory as WinXP.exe. For example:
- C:\WINNT\SYSTEM32\bawindo.exe
It also creates other files in this directory to perform its functions:
- %SysDir%\bawindo.exeopen
- %SysDir%\bawindo.exeopenopen
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = %SysDir%\bawindo.exe
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<---____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Process termination:
It tries to stop processes with the following filenames:
- mcagent.exe
- mcvsshld.exe
- mcshield.exe
- mcvsescn.exe
- mcvsrte.exe
- DefWatch.exe
- Rtvscan.exe
- ccEvtMgr.exe
- NISUM.EXE
- ccPxySvc.exe
- navapsvc.exe
- NPROTECT.EXE
- nopdb.exe
- ccApp.exe
- Avsynmgr.exe
- VsStat.exe
- Vshwin32.exe
- alogserv.exe
- RuLaunch.exe
- Avconsol.exe
- PavFires.exe
- FIREWALL.EXE
- ATUPDATER.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVXQUAR.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
- NUPGRADE.EXE
- MCUPDATE.EXE
- pavsrv50.exe
- AVENGINE.EXE
- APVXDWIN.EXE
- pavProxy.exe
- navapw32.exe
- navapsvc.exe
- ccProxy.exe
- navapsvc.exe
- NPROTECT.EXE
- SAVScan.exe
- SNDSrvc.exe
- symlcsvc.exe
- LUCOMS~1.EXE
- blackd.exe
- FrameworkService.exe
- VsTskMgr.exe
- SHSTAT.EXE
- UpdaterUI.exe
It attempts to download a file from a long hard-coded list of URLs, each pointing to a file with a .jpg extension on a different web server.
Symptoms
- Presence of the processes and registry keys mentioned above
- HTTP connections to several servers on the internet.
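The following read-only host check for the symptoms listed above (the dropped files in the System directory, the "bawindo" Run value, a running copy of the executable, and the Netsky-style mutex names) is an added example and is not part of the McAfee description. It assumes the file name bawindo.exe shown in the examples, and that the worm creates its mutexes without a namespace prefix, so it also tries the Global\ form.

```powershell
# Added example, not from the McAfee description: read-only check for the
# artifacts listed above. Run in an elevated PowerShell on the suspect host.
# Assumptions: file name bawindo.exe as in the examples, and mutexes created
# without a namespace prefix (the "Global\" form is tried as well).
$sysDir  = [Environment]::SystemDirectory
$files   = @('bawindo.exe', 'bawindo.exeopen', 'bawindo.exeopenopen') |
           ForEach-Object { Join-Path $sysDir $_ }
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$mutexes = @(
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<---____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
)
$findings = @()

# 1. Dropped files in the Windows System directory (helper files included)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings += "File present: $f ($len bytes)"
    }
}

# 2. Startup hook: the "bawindo" value under HKCU\...\CurrentVersion\Run
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['bawindo']) {
    $findings += "Run value present: bawindo = $($run.bawindo)"
}

# 3. A running copy of the dropped executable
foreach ($p in (Get-Process -Name 'bawindo' -ErrorAction SilentlyContinue)) {
    $findings += "Process running: PID $($p.Id) $($p.Path)"
}

# 4. Netsky-style mutex names. OpenExisting throws
#    WaitHandleCannotBeOpenedException when no such mutex exists; success or
#    access denied both mean some process currently holds that name.
foreach ($name in $mutexes) {
    foreach ($candidate in @($name, "Global\$name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            $findings += "Mutex held: $candidate"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # absent: the expected result on a clean host
        } catch [System.UnauthorizedAccessException] {
            $findings += "Mutex held (access denied): $candidate"
        }
    }
}

if ($findings.Count -eq 0) { 'No Bagle.bc artifacts found.' } else { $findings }
```

A hit on the mutex check alone is weak evidence, since the names are shared with the Netsky variants the worm tries to block; treat it as corroboration for the file, registry and process findings.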
Method of Infection
Execution of the infected file.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.