W32/Bagle.ck
- Type: Virus
- SubType: Downloader
- Discovery Date: 09/19/2005
- Length: 35,577 bytes; 8,043 bytes
- Minimum DAT: 4585 (09/19/2005)
- Updated DAT: 5301 (05/22/2008)
- Minimum Engine: 5.1.00
- Description Added: 09/19/2005
- Description Modified: 09/19/2005 2:23 PM (PT)
Characteristics
This Bagle variant has been mass spammed and arrives in a ZIP file, such as:
- price.zip (containing price_09.exe)
MD5: 61c65b52028ecb6e2d6a81fa69209e77 [exe]
This variant copies itself to %WinDir%\system32 as WINSHOST.EXE and adds the following registry hooks:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
- HKEY_CURRENT_USER\Software\FirstRun (infection marker)
It drops a file wiwshost.exe in the system directory. This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites. (Refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.
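As an added example, not part of the McAfee description, the following Python script checks collected host evidence for the persistence artifacts just listed: the winshost.exe Run entries under HKCU and HKLM, the HKCU\Software\FirstRun infection marker, and the winshost.exe / wiwshost.exe files dropped into the system directory. It assumes the registry was exported with `reg export` (text format) and that the system32 file names were gathered separately; the function names and the sample evidence are constructed for this example.

```python
"""Flag the W32/Bagle.ck host artifacts listed in the description: the
winshost.exe Run entries, the HKCU\\Software\\FirstRun infection marker and
the winshost.exe / wiwshost.exe files dropped into the system directory.

Input is a registry export in the text format written by `reg export` plus
a plain list of file names from %WinDir%\\system32, so the check runs
offline against evidence collected from a host.  Sample data is constructed."""
import re

# Indicators taken from the description above.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "winshost.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits for string
    values: [key] headers followed by "name"="data" lines.  Returns a dict
    mapping each key path to its {value name: value data} entries."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]*)"=(.*)$', line)
        if match and current is not None:
            name, data = match.group(1), match.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files double every backslash inside REG_SZ data.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_bagle_ck_indicators(reg_text, system32_listing):
    """Return a list of human-readable findings; an empty list means none of
    the indicators from the description was present.  Key paths and file
    names are compared case-insensitively, as Windows itself does."""
    findings = []
    registry = {key.lower(): values
                for key, values in parse_reg_export(reg_text).items()}
    for key in RUN_KEYS:
        for name, data in registry.get(key.lower(), {}).items():
            if (name.lower() == RUN_VALUE_NAME
                    or data.lower().endswith("\\" + RUN_VALUE_NAME)):
                findings.append(f'autorun hook: {key} "{name}" = {data}')
    if MARKER_KEY.lower() in registry:
        findings.append(f"infection marker present: {MARKER_KEY}")
    for file_name in system32_listing:
        if file_name.lower() in DROPPED_FILES:
            findings.append(f"dropped file in system directory: {file_name}")
    return findings


# Constructed sample evidence: one benign Run entry next to the Bagle.ck ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winshost.exe"="C:\\WINDOWS\\System32\\winshost.exe"

[HKEY_CURRENT_USER\Software\FirstRun]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\System32\\winshost.exe"
"""
SAMPLE_SYSTEM32 = ["ctfmon.exe", "kernel32.dll", "wiwshost.exe", "WINSHOST.EXE"]

if __name__ == "__main__":
    for finding in find_bagle_ck_indicators(SAMPLE_REG, SAMPLE_SYSTEM32):
        print(finding)
```

Run against the constructed sample it reports both Run hooks, the FirstRun marker and both dropped files; on a clean export and listing it returns an empty list. Because the Run entries are matched on the value name as well as on the data path, a copy registered under a different value name but still pointing at winshost.exe is still reported.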
Symptoms
This variant attempts to disable the following services:
- wuauserv
- PAVSRV
- PAVFNSVR
- PSIMSVC
- Pavkre
- PavProt
- PREVSRV
- PavPrSrv
- SharedAccess
- navapsvc
- NPFMntor
- Outpost Firewall
- SAVScan
- SBService
- Symantec Core LC
- ccEvtMgr
- SNDSrvc
- ccPwdSvc
- ccSetMgr.exe
- SPBBCSvc
- KLBLMain
- avg7alrt
- avg7updsvc
- vsmon
- CAISafe
- avpcc
- fsbwsys
- backweb client - 4476822
- backweb client-4476822
- fsdfwd
- F-Secure Gatekeeper Handler Starter
- FSMA
- KAVMonitorService
- navapsvc
- NProtectService
- Norton Antivirus Server
- VexiraAntivirus
- dvpinit
- dvpapi
- schscnt
- BackWeb Client - 7681197
- F-Secure Gatekeeper Handler Starter
- FSMA
- AVPCC
- KAVMonitorService
- Norman NJeeves
- NVCScheduler
- nvcoas
- Norman ZANDA
- PASSRV
- SweepNet
- SWEEPSRV.SYS
- NOD32ControlCenter
- NOD32Service
- PCCPFW
- Tmntsrv
- AvxIni
- XCOMM
- ravmon8
- SmcService
- BlackICE
- PersFW
- McAfee Firewall
- OutpostFirewall
- NWService
- alerter
- sharedaccess
- NISUM
- NISSERV
- vsmon
- nwclnth
- nwclntg
- nwclnte
- nwclntf
- nwclntd
- nwclntc
- wuauserv
- navapsvc
- Symantec Core LC
- SAVScan
- kavsvc
- DefWatch
- Symantec AntiVirus Client
- NSCTOP
- Symantec Core LC
- SAVScan
- SAVFMSE
- ccEvtMgr
- navapsvc
- ccSetMgr
- VisNetic AntiVirus Plug-in
- McShield
- AlertManger
- McAfeeFramework
- AVExch32Service
- AVUPDService
- McTaskManager
- Network Associates Log Service
- Outbreak Manager
- MCVSRte
- mcupdmgr.exe
- AvgServ
- AvgCore
- AvgFsh
- awhost32
- Ahnlab task Scheduler
- MonSvcNT
- V3MonNT
- V3MonSvc
- FSDFWD
It also attempts to delete the following registry values and keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Symantec NetDriver Monitor
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ccApp
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NAV CfgWiz
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SSC_UserPrompt
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee Guardian
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee.InstantUpdate.Monitor
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, APVXDWIN
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, KAV50
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_cc
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_emc
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Zone Labs Client
- HKLM\SOFTWARE\Symantec
- HKLM\SOFTWARE\McAfee
- HKLM\SOFTWARE\KasperskyLab
- HKLM\SOFTWARE\Agnitum
- HKLM\SOFTWARE\Panda Software
- HKLM\SOFTWARE\Zone Labs
It also attempts to rename the following files:
- mysuperprog.exe
- CCSETMGR.EXE
- CCEVTMGR.EXE
- NAVAPSVC.EXE
- NPFMNTOR.EXE
- symlcsvc.exe
- SPBBCSvc.exe
- SNDSrvc.exe
- ccApp.exe
- ccl30.dll
- ccvrtrst.dll
- LUALL.EXE
- AUPDATE.EXE
- Luupdate.exe
- LUINSDLL.DLL
- RuLaunch.exe
- CMGrdian.exe
- Mcshield.exe
- outpost.exe
- Avconsol.exe
- Vshwin32.exe
- VsStat.exe
- Avsynmgr.exe
- kavmm.exe
- Up2Date.exe
- KAV.exe
- avgcc.exe
- avgemc.exe
- zonealarm.exe
- zatutor.exe
- zlavscan.dll
- zlclient.exe
- isafe.exe
- cafix.exe
- vsvault.dll
- av.dll
- vetredir.dll
- C1CSETMGR.EXE
- CC1EVTMGR.EXE
- NAV1APSVC.EXE
- NPFM1NTOR.EXE
- s1ymlcsvc.exe
- SP1BBCSvc.exe
- SND1Srvc.exe
- ccA1pp.exe
- cc1l30.dll
- ccv1rtrst.dll
- LUAL1L.EXE
- AUPD1ATE.EXE
- Luup1date.exe
- LUI1NSDLL.DLL
- RuLa1unch.exe
- CM1Grdian.exe
- Mcsh1ield.exe
- outp1ost.exe
- Avc1onsol.exe
- Vshw1in32.exe
- Vs1Stat.exe
- Av1synmgr.exe
- kav12mm.exe
- Up222Date.exe
- 2A2V.exe
- avgc3c.exe
- avg23emc.exe
- zonealarm.exe
- zatutor.exe
- zlavscan.dll
- zo3nealarm.exe
- zatu6tor.exe
- zl5avscan.dll
- zlcli6ent.exe
- is5a6fe.exe
- c6a5fix.exe
- vs6va5ult.dll
- a5v.dll
- ve6tre5dir.dll
The trojan tries to kill the following processes:
- NUPGRADE.EXE
- MCUPDATE.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- FIREWALL.EXE
- ATUPDATER.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- UPGRADER.EXE
- AVXQUAR.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
Outgoing TCP connections to port 80 (HTTP) are established, and an attempt is made to download a file from the following list (Note: Many Bagle variants attempt to download files from a very large list of sites; in fact most of the sites listed are actually believed to be decoys and were never found to be hosting anything malicious):
Method of Infection
This variant has been mass-spammed.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.