W32/Bagle.ci

Content

W32/Bagle.ci

Type: Virus
SubType: Downloader
Discovery Date: 09/19/2005
Length: 17Kb Zip file
Minimum DAT: 4584 (09/19/2005)
Updated DAT: 5301 (05/22/2008)
Minimum Engine: 5.1.00
Description Added: 09/19/2005
Description Modified: 09/19/2005 2:18 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This Bagle variant has been mass spammed and arrives in a ZIP file. It is heuristically detected as 'Virus or variant New Poly Win32' by 4424 DATS and above.

This variant copies itself to the %WinDir% \system32 as WINSHOST.EXE and adds the following registry hooks:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
      DownloadManager
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe

It drops a file wiwshost.exe which is detected by 4424 DATs and above as W32/Bagle.gen@MM . This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites. (Refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.

Sets to "disable" the following services:

    * HKLM\System\CurrentControlSet\Services\wuauserv
    * HKLM\System\CurrentControlSet\Services\SharedAccess
    * HKLM\System\CurrentControlSet\Services\vsmon
    * HKLM\System\CurrentControlSet\Services\Alerter
    * HKLM\System\CurrentControlSet\Services\wuauserv
    * HKLM\System\CurrentControlSet\Services\McShield
    * HKLM\System\CurrentControlSet\Services\McAfeeFramework
    * HKLM\System\CurrentControlSet\Services\McTaskManager

Attempts to delete the following keys:

    * HKLM\SOFTWARE\Symantec
    * HKLM\SOFTWARE\McAfee
    * HKLM\SOFTWARE\KasperskyLab
    * HKLM\SOFTWARE\Agnitum
    * HKLM\SOFTWARE\Panda Software
    * HKLM\SOFTWARE\Zone Labs

    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Symantec NetDriver Monitor
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      ccApp
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      NAV CfgWiz
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      SSC_UserPrompt
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      McAfee Guardian
    * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      McAfee.InstantUpdate.Monitor
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      APVXDWIN
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      KAV50
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      avg7_cc
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      avg7_emc
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

It also modifies the file %WinDir% \system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security websites. The trojanized hosts file is detected as "trojan QHosts" since DAT version 4354.

Symptoms

Services with the following names are stopped:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
avProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD

This variant attempts to rename the following files:

mysuperprog.exe
CCSETMGR.EXE
CCEVTMGR.EXE
NAVAPSVC.EXE
NPFMNTOR.EXE
symlcsvc.exe
SPBBCSvc.exe
SNDSrvc.exe
ccApp.exe
ccl30.dll
ccvrtrst.dll
LUALL.EXE
AUPDATE.EXE
Luupdate.exe
LUINSDLL.DLL
RuLaunch.exe
CMGrdian.exe
Mcshield.exe
outpost.exe
Avconsol.exe
Vshwin32.exe
VsStat.exe
Avsynmgr.exe
kavmm.exe
Up2Date.exe
KAV.exe
avgcc.exe
avgemc.exe
zonealarm.exe
zatutor.exe
zlavscan.dll
zlclient.exe
isafe.exe
cafix.exe
vsvault.dll
av.dll
vetredir.dll
C1CSETMGR.EXE
CC1EVTMGR.EXE
NAV1APSVC.EXE
NPFM1NTOR.EXE
s1ymlcsvc.exe
SP1BBCSvc.exe
SND1Srvc.exe
ccA1pp.exe
cc1l30.dll
ccv1rtrst.dll
LUAL1L.EXE
AUPD1ATE.EXE
Luup1date.exe
LUI1NSDLL.DLL
RuLa1unch.exe
CM1Grdian.exe
Mcsh1ield.exe
outp1ost.exe
Avc1onsol.exe
Vshw1in32.exe
Vs1Stat.exe
Av1synmgr.exe
kav12mm.exe
Up222Date.exe
2A2V.exe
avgc3c.exe
avg23emc.exe
zonealarm.exe
zatutor.exe
zlavscan.dll
zo3nealarm.exe
zatu6tor.exe
zl5avscan.dll
zlcli6ent.exe
is5a6fe.exe
c6a5fix.exe
vs6va5ult.dll
a5v.dll
ve6tre5dir.dll

It also tries to kill the following processes:

NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE

Outgoing TCP connections to port 80 (HTTP) are established, and it tries to download a file from the following list (Note: Many Bagle variants attempt to download files from a very large list of sites; in fact most of the sites listed are actually believed to be decoys and were never found to be hosting anything malicious):

http://www.yannick-spruyt.be

http://www.yesterdays.co.za

http://www.yshkj.com

http://www.zakazcd.dp.ua

http://www.students.stir.ac.uk

http://www.zenesoftware.com

http://www.zentek.co.za

http://www.czzm.com

http://www.izoli.sk

http://www.zorbas.az

http://www.zsbersala.edu.sk

http://www.triapex.cz

http://www.triptonic.ch

http://www.tv-marina.com

http://www.trago.com.pt

http://www.travelourway.com

http://www.megaserve.net

http://www.trgd.dobrcz.pl

http://www.mild.at

http://www.kingsley.ch

http://www.mild.at

http://www.elvis-presley.ch

http://www.gomyhome.com.tw

http://www.ider.cl

http://www.ascolfibras.com

http://www.on24.ee

http://www.xojc.com

http://www.x-treme.cz

http://www.gymzn.cz

http://www.xiantong.net

http://www.xmpie.com

http://www.xmtd.com

http://www.onlink.net

http://www.discoteka-funfactory.com

http://www.toussain.be

http://www.idcs.be

http://www.gepeters.org

http://www.angham.de

http://www.idaf.de

http://www.bolz.at

http://www.societaet.de

http://www.ppm-alliance.de

http://www.udc-cassinadepecchi.it

http://www.universe.sk

http://www.jingjuok.com

http://www.gemtrox.com.tw

http://www.uspowerchair.com

http://www.steripharm.com

http://www.beall-cpa.com

http://www.jcm-american.com

http://www.vercruyssenelektro.be

http://www.centrovestecasa.it

http://www.vet24h.com

http://www.vinimeloni.com

http://www.vnrvjiet.ac.in

http://www.vote2fateh.com

http://www.marketvw.com

http://www.formholz.at

http://www.checkonemedia.nl

http://www.fotomax.fi

http://www.vw.press-bank.pl

http://www.wamba.asn.au

http://www.cz-wanjia.com

http://www.czwanqing.com

http://www.wdlp.co.za

http://www.automobilonline.de

http://www.bangyan.cn

http://www.21ebuild.com

http://www.eagle.com.cn

http://www.eagleclub.com.cn

http://www.sanjinyuan.com

http://www.designgong.org

http://www.fermegaroy.com

http://www.welchcorp.com

http://www.snsphoto.com

http://www.soeco.org

http://www.softmajor.ru

http://www.solt3.org

http://www.sqnsolutions.com

http://www.spacium.biz

http://www.speedcom.home.pl

http://www.spirit-in-steel.at

http://www.spy.az

http://www.st-paulus-bonn.dehtdocs

http://www.stbs.com.hk

http://www.acsohio.com

http://www.olva.com.pe

http://www.subsplanet.com

http://www.sungodbio.com

http://www.superbetcs.com

http://www.vnn.vn

http://www.sydolo.com

http://www.szdiheng.com

http://www.agria.hu

http://www.externet.hu

http://www.hondenservice.be

http://www.ehc.hu

http://www.tcicampus.net

http://www.contentproject.com

http://www.festivalteatrooccidente.com

http://www.techni.com.cn

http://www.festivalteatrooccidente.com

http://www.thaifast.com

http://www.thaiventure.com

http://www.andi.com.vn

http://www.replayu.com

http://www.th-mutan.com

http://www.thetexasoutfitter.com

http://www.tmhcsd1987.friko.pl

http://www.thenextstep.tv

http://www.wesartproductions.com

http://www.wilsonscountry.com

http://www.windstar.pl

http://www.wise-industries.com

http://www.witold.pl

http://www.51.net

http://www.slovanet.sk

http://www.wombband.com

http://www.datanet.huwww.datanet.hu

http://www.uw.hu

http://www.dgy.com.cn

http://www.bs-security.de

http://www.die-fliesen.de

http://www.dom-invest.com.pl

http://www.engelhardtgmbh.de

http://www.fahrschule-herb.de

http://www.fahrschule-lesser.de

http://www.gimex-messzeuge.de

http://www.inside-tgweb.de

http://www.jue-bo.com

http://www.niko.de

http://www.nikogmbh.com

http://www.renegaderc.com

http://www.sachsenbuecher.de

http://www.scvanravenswaaij.nl

http://www.spoden.de

http://www.sportnf.com

http://www.sweb.cz

http://www.tg-sandhausen-basketball.de

http://www.thefunkiest.com

http://www.jeoushinn.com

http://www.presley.ch

Method of Infection

This variant has been mass-spammed.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This Bagle variant has been mass spammed and arrives in a ZIP file. It is heuristically detected as 'Virus or variant New Poly Win32' by 4424 DATS and above.

This variant copies itself to the %WinDir% \system32 as WINSHOST.EXE and adds the following registry hooks:

Sets to "disable" the following services:

Attempts to delete the following keys:

    * HKLM\SOFTWARE\Symantec
    * HKLM\SOFTWARE\McAfee
    * HKLM\SOFTWARE\KasperskyLab
    * HKLM\SOFTWARE\Agnitum
    * HKLM\SOFTWARE\Panda Software
    * HKLM\SOFTWARE\Zone Labs

Symptoms

Symptoms -

Services with the following names are stopped:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
avProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD

This variant attempts to rename the following files:

mysuperprog.exe
CCSETMGR.EXE
CCEVTMGR.EXE
NAVAPSVC.EXE
NPFMNTOR.EXE
symlcsvc.exe
SPBBCSvc.exe
SNDSrvc.exe
ccApp.exe
ccl30.dll
ccvrtrst.dll
LUALL.EXE
AUPDATE.EXE
Luupdate.exe
LUINSDLL.DLL
RuLaunch.exe
CMGrdian.exe
Mcshield.exe
outpost.exe
Avconsol.exe
Vshwin32.exe
VsStat.exe
Avsynmgr.exe
kavmm.exe
Up2Date.exe
KAV.exe
avgcc.exe
avgemc.exe
zonealarm.exe
zatutor.exe
zlavscan.dll
zlclient.exe
isafe.exe
cafix.exe
vsvault.dll
av.dll
vetredir.dll
C1CSETMGR.EXE
CC1EVTMGR.EXE
NAV1APSVC.EXE
NPFM1NTOR.EXE
s1ymlcsvc.exe
SP1BBCSvc.exe
SND1Srvc.exe
ccA1pp.exe
cc1l30.dll
ccv1rtrst.dll
LUAL1L.EXE
AUPD1ATE.EXE
Luup1date.exe
LUI1NSDLL.DLL
RuLa1unch.exe
CM1Grdian.exe
Mcsh1ield.exe
outp1ost.exe
Avc1onsol.exe
Vshw1in32.exe
Vs1Stat.exe
Av1synmgr.exe
kav12mm.exe
Up222Date.exe
2A2V.exe
avgc3c.exe
avg23emc.exe
zonealarm.exe
zatutor.exe
zlavscan.dll
zo3nealarm.exe
zatu6tor.exe
zl5avscan.dll
zlcli6ent.exe
is5a6fe.exe
c6a5fix.exe
vs6va5ult.dll
a5v.dll
ve6tre5dir.dll

It also tries to kill the following processes:

NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE

http://www.yannick-spruyt.be

http://www.yesterdays.co.za

http://www.yshkj.com

http://www.zakazcd.dp.ua

http://www.students.stir.ac.uk

http://www.zenesoftware.com

http://www.zentek.co.za

http://www.czzm.com

http://www.izoli.sk

http://www.zorbas.az

http://www.zsbersala.edu.sk

http://www.triapex.cz

http://www.triptonic.ch

http://www.tv-marina.com

http://www.trago.com.pt

http://www.travelourway.com

http://www.megaserve.net

http://www.trgd.dobrcz.pl

http://www.mild.at

http://www.kingsley.ch

http://www.mild.at

http://www.elvis-presley.ch

http://www.gomyhome.com.tw

http://www.ider.cl

http://www.ascolfibras.com

http://www.on24.ee

http://www.xojc.com

http://www.x-treme.cz

http://www.gymzn.cz

http://www.xiantong.net

http://www.xmpie.com

http://www.xmtd.com

http://www.onlink.net

http://www.discoteka-funfactory.com

http://www.toussain.be

http://www.idcs.be

http://www.gepeters.org

http://www.angham.de

http://www.idaf.de

http://www.bolz.at

http://www.societaet.de

http://www.ppm-alliance.de

http://www.udc-cassinadepecchi.it

http://www.universe.sk

http://www.jingjuok.com

http://www.gemtrox.com.tw

http://www.uspowerchair.com

http://www.steripharm.com

http://www.beall-cpa.com

http://www.jcm-american.com

http://www.vercruyssenelektro.be

http://www.centrovestecasa.it

http://www.vet24h.com

http://www.vinimeloni.com

http://www.vnrvjiet.ac.in

http://www.vote2fateh.com

http://www.marketvw.com

http://www.formholz.at

http://www.checkonemedia.nl

http://www.fotomax.fi

http://www.vw.press-bank.pl

http://www.wamba.asn.au

http://www.cz-wanjia.com

http://www.czwanqing.com

http://www.wdlp.co.za

http://www.automobilonline.de

http://www.bangyan.cn

http://www.21ebuild.com

http://www.eagle.com.cn

http://www.eagleclub.com.cn

http://www.sanjinyuan.com

http://www.designgong.org

http://www.fermegaroy.com

http://www.welchcorp.com

http://www.snsphoto.com

http://www.soeco.org

http://www.softmajor.ru

http://www.solt3.org

http://www.sqnsolutions.com

http://www.spacium.biz

http://www.speedcom.home.pl

http://www.spirit-in-steel.at

http://www.spy.az

http://www.st-paulus-bonn.dehtdocs

http://www.stbs.com.hk

http://www.acsohio.com

http://www.olva.com.pe

http://www.subsplanet.com

http://www.sungodbio.com

http://www.superbetcs.com

http://www.vnn.vn

http://www.sydolo.com

http://www.szdiheng.com

http://www.agria.hu

http://www.externet.hu

http://www.hondenservice.be

http://www.ehc.hu

http://www.tcicampus.net

http://www.contentproject.com

http://www.festivalteatrooccidente.com

http://www.techni.com.cn

http://www.festivalteatrooccidente.com

http://www.thaifast.com

http://www.thaiventure.com

http://www.andi.com.vn

http://www.replayu.com

http://www.th-mutan.com

http://www.thetexasoutfitter.com

http://www.tmhcsd1987.friko.pl

http://www.thenextstep.tv

http://www.wesartproductions.com

http://www.wilsonscountry.com

http://www.windstar.pl

http://www.wise-industries.com

http://www.witold.pl

http://www.51.net

http://www.slovanet.sk

http://www.wombband.com

http://www.datanet.huwww.datanet.hu

http://www.uw.hu

http://www.dgy.com.cn

http://www.bs-security.de

http://www.die-fliesen.de

http://www.dom-invest.com.pl

http://www.engelhardtgmbh.de

http://www.fahrschule-herb.de

http://www.fahrschule-lesser.de

http://www.gimex-messzeuge.de

http://www.inside-tgweb.de

http://www.jue-bo.com

http://www.niko.de

http://www.nikogmbh.com

http://www.renegaderc.com

http://www.sachsenbuecher.de

http://www.scvanravenswaaij.nl

http://www.spoden.de

http://www.sportnf.com

http://www.sweb.cz

http://www.tg-sandhausen-basketball.de

http://www.thefunkiest.com

http://www.jeoushinn.com

http://www.presley.ch

Method of Infection

Method of Infection -

This variant has been mass-spammed.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

W32/Bagle.ci

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer