W32/Bagle.dldr

Type
Trojan
SubType
Downloader Generic
Discovery Date
11/01/2004
Length
Varies (PeX packed)
Minimum DAT
4404 (11/03/2004)
Updated DAT
5301 (05/22/2008)
Minimum Engine
5.1.00
Description Added
11/02/2004
Description Modified
06/20/2006 1:05 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update 20 June, 2006 --
A new Bagle variant was discovered today, in both packed and unpacked form. The unpacked version is proactively detected as W32/Bagle.dldr. The packed variant is detected as W32/Bagle.fb@MM; its behavior is the same.

-- Update 11 August, 2005--
The Bagle spam runs continue. Over the past 48 hours several new variants have been mass-spammed. The author(s) are using Bagle-infected systems to send out the new variants. Recent attachment names include:

  • increase_in_the_tax.rar
  • increase_in_the_tax.zip
  • taxes.rar
  • the_reporting_of_taxes.rar
  • the_taxation.rar
  • the_taxation.zip
  • to_reduce_the_tax.rar
  • to_reduce_the_tax.zip
  • work and taxes.rar
  • work and taxes.zip

The archive may contain the file taxes.exe. These new variants are proactively detected with existing DAT files.

-- Update 8 August, 2005--
There was another round of mass-spamming of a new Bagle downloader. Messages may contain an attachment with one of the following names:

  • beach.zip
  • In_park.zip
  • kitten.zip
  • Legs.zip
  • new.zip
  • original.zip

The ZIP files contain a file named foto_bs363.exe (36,864 bytes)
MD5: 0xc488aa78d914c72efb9b0d4c6c97421f

This new variant is proactively detected since the 4527 DAT files.

-- Update 27 June, 2005--
The spamming from yesterday continued today, with filenames such as:

  • ds-rwe.exe
  • f5434.exe

The typical subject line of these messages is "The picture is sent on SMS". Detection requirements for these two files are the same as yesterday: DAT version 4522.

Note: Stinger has not been updated for either of these two spam runs, as neither update was classified as Medium or higher severity.

-- Update 26 June, 2005--
There was another round of mass-spamming of a new Bagle downloader. Messages may contain an attachment with one of the following names:

  • Legs.zip
  • original.zip
  • In_park.zip

The ZIP files contain a file named f22-013.exe (36,864 bytes)
MD5: 0x3f123980866092fedd6bc75e9b273087

This new variant is detected in the 4522 DAT files.

-- Update 31st May, 2005--
There was another round of mass-spamming of several new Bagle downloaders over the past few hours. Those messages contain a ZIP attachment. The ZIP file contains an executable (36,532 bytes) with a name such as:

  • 16_05_2005.exe
  • 19_04_2005.exe
  • 20_04_2005.exe
  • 01_05_2005.exe
  • 02_05_2005.exe
  • 03_05_2005.exe

-- Update 20th May, 2005--
This threat has been downgraded to Low-Profiled risk due to a decrease in prevalence.

-- Update 1st March, 2005 --

Due to increased prevalence, the risk assessment of this threat has been raised to MEDIUM. The specified DAT files will be released early to address this threat.

New variants of this Bagle downloader have been mass-spammed in the last 12 hours. These variants are not known at present to be dropped by any mass-mailing Bagle variants, and these variants do not mass-mail themselves.

This variant copies itself to %WinDir%\system32 as WINSHOST.EXE (34,304 bytes) and adds the following registry hooks:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe

It drops a file wiwshost.exe (18,944 bytes), detected by the 4333 DATs and above as W32/Bagle.dll.gen. This file is injected into the EXPLORER process and tries to download a file zo2.jpg from various sites (refer to Symptoms). Like its predecessors, it also terminates security services and in some cases renames the main security program executable.

Sets to "disable" the following services:

  • HKLM\System\CurrentControlSet\Services\wuauserv
  • HKLM\System\CurrentControlSet\Services\SharedAccess
  • HKLM\System\CurrentControlSet\Services\vsmon
  • HKLM\System\CurrentControlSet\Services\Alerter
  • HKLM\System\CurrentControlSet\Services\McShield
  • HKLM\System\CurrentControlSet\Services\McAfeeFramework
  • HKLM\System\CurrentControlSet\Services\McTaskManager

Attempts to delete the following keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

It also modifies the file %WinDir%\system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security websites. The trojanized hosts file is detected as "trojan QHosts" since DAT version 4354.

The trojan disables any configured HTTP proxy.

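The persistence entry, the disabled services and the hosts-file tampering described above can be checked offline from data exported off a suspect machine. The Python below is an added example and is not part of this description or of any McAfee tool. It assumes the Run-key values, the Start values of the services and the hosts file have already been exported (for instance with reg.exe and a plain file copy); the SAMPLE_* data embedded in it is constructed for the demonstration. The hosts-file check is a heuristic: it flags any name other than localhost that is sent to a loopback or 0.0.0.0 address, because this page does not name the security sites that are blocked.

```python
"""Offline triage for the W32/Bagle.dldr artifacts described above.

Added example, not part of the original description.  It runs on data
already exported from a suspect machine (Run-key values, service Start
values, the hosts file); the SAMPLE_* data below is constructed.
"""
import re

# Persistence value name / file the downloader writes under HKCU and HKLM ...\Run.
BAGLE_RUN_VALUE = "winshost.exe"

# Services the description says the downloader sets to "disabled".
BAGLE_DISABLED_SERVICES = {
    "wuauserv", "SharedAccess", "vsmon", "Alerter",
    "McShield", "McAfeeFramework", "McTaskManager",
}
SERVICE_DISABLED = 4  # Windows SERVICE_DISABLED: the Start REG_DWORD of a disabled service

_HOSTS_ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)")
_SINKHOLE_PREFIXES = ("127.", "0.0.0.0", "::1")


def check_run_keys(run_values):
    """run_values: {key_path: {value_name: data}} exported from the registry.
    Returns (key_path, value_name, data) for every entry whose value name or
    target file is winshost.exe, compared case-insensitively."""
    hits = []
    for key_path, values in run_values.items():
        for name, data in values.items():
            target = data.strip('"').lower().rsplit("\\", 1)[-1]
            if name.lower() == BAGLE_RUN_VALUE or target == BAGLE_RUN_VALUE:
                hits.append((key_path, name, data))
    return hits


def check_services(service_start):
    """service_start: {service_name: Start value}.  Returns, sorted, the services
    on the Bagle list whose Start value is SERVICE_DISABLED."""
    return sorted(
        name for name, start in service_start.items()
        if name in BAGLE_DISABLED_SERVICES and start == SERVICE_DISABLED
    )


def check_hosts(hosts_text):
    """Heuristic for a QHosts-style hosts file: returns (address, hostname) for
    every entry that sends a name other than localhost to loopback or 0.0.0.0.
    Comments and blank lines are skipped.  The description does not name the
    blocked security sites, so this flags the pattern, not specific names."""
    findings = []
    for line in hosts_text.splitlines():
        entry = _HOSTS_ENTRY.match(line.split("#", 1)[0])
        if not entry:
            continue
        addr, host = entry.groups()
        host = host.lower()
        if host in ("localhost", "localhost.localdomain"):
            continue
        if addr.startswith(_SINKHOLE_PREFIXES):
            findings.append((addr, host))
    return findings


def triage(run_values, service_start, hosts_text):
    """Bundle the three checks; an empty dict means no Bagle.dldr indicators."""
    report = {}
    if hits := check_run_keys(run_values):
        report["run_keys"] = hits
    if disabled := check_services(service_start):
        report["disabled_services"] = disabled
    if hosts := check_hosts(hosts_text):
        report["hosts_entries"] = hosts
    return report


# Constructed sample export standing in for an infected Windows XP host.
SAMPLE_RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign, must not be flagged
    },
}
SAMPLE_SERVICES = {"wuauserv": 4, "SharedAccess": 4, "McShield": 4, "Alerter": 3, "Spooler": 2}
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # sinkholed update site (constructed name)
0.0.0.0         download.example-av.test
192.168.1.10    intranet                 # ordinary local entry, not flagged
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_RUN_KEYS, SAMPLE_SERVICES, SAMPLE_HOSTS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run as a script it prints the findings for the constructed sample. The Start value 4 is the Windows SERVICE_DISABLED constant, which is what "sets to disable" means at the registry level; a service with Start 3 (manual) such as the sample's Alerter is reported only when it has actually been set to 4.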

The last three Bagle variants (.bb@MM, .bc@MM, .bd@MM) attempt to download a file named G.JPG from various sites and execute it. Some of those sites were, at the time, hosting an executable file.

When this file is executed, it copies itself to %WinDir%\system32 as WINSHOST.EXE (7,172 bytes) and drops another file named WIDSHOST.EXE (11,264 bytes), which is injected into the EXPLORER process and tries to download ZOO.JPG from various sites.

Proactive detection:
Detection and removal of the dropped file has been included since the 4335 DATs (03/08/04) as W32/Bagle.dll.gen.

Symptoms

The trojan tries to kill the following processes:

  • VPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • MCUPDATE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • FIREWALL.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE 

Outgoing TCP connections to port 80 (HTTP) are established, and the trojan tries to download a file from the following list. (Note: many Bagle variants carry a very large list of download sites; most of the sites listed are believed to be decoys and were never found to be hosting anything malicious.)

  • http://www.amanit.ru/[..]zoo.jpg
  • http://www.anthonyflanagan.com/[..]zoo.jpg
  • http://www.approved1stmortgage.com/[..]zoo.jpg
  • http://www.argument.h12.ru/[..]zoo.jpg
  • http://www.arkebek.de/[..]zoo.jpg
  • http://www.artek.org/[..]zoo.jpg
  • http://www.asianfestival.nl/[..]zoo.jpg
  • http://www.astergut.at/[..]zoo.jpg
  • http://www.aviation-center.de/[..]zoo.jpg
  • http://www.bbsh.org/[..]zoo.jpg
  • http://www.besino.com/[..]zoo.jpg
  • http://www.bestbuy.de/[..]zoo.jpg
  • http://www.beta.mtw.ru/[..]zoo.jpg
  • http://www.bga-gsm.ru/[..]zoo.jpg
  • http://www.blessino.com/[..]zoo.jpg
  • http://www.blueeyeinc.com/[..]zoo.jpg
  • http://www.breaklight.be/[..]zoo.jpg
  • http://www.brzesko.net.pl/[..]zoo.jpg
  • http://www.catsystem.com.kg/[..]zoo.jpg
  • http://www.cdnpartner.com.pl/[..]zoo.jpg
  • http://www.ceskyhosting.cz/[..]zoo.jpg
  • http://www.channeland.com/[..]zoo.jpg
  • http://www.compsolutionstore.com/[..]zoo.jpg
  • http://www.concept.kg/[..]zoo.jpg
  • http://www.corpsite.com/[..]zoo.jpg
  • http://www.couponcapital.net/[..]zoo.jpg
  • http://www.DarrkSydebaby.com/[..]zoo.jpg
  • http://www.dehut-westerhoven.nl/[..]zoo.jpg
  • http://www.dhl.kg/[..]zoo.jpg
  • http://www.dierollendedisco.de/[..]zoo.jpg
  • http://www.discobaradventure.be/[..]zoo.jpg
  • http://www.e-nfo.com/[..]zoo.jpg
  • http://www.e-power.com.cn/[..]zoo.jpg
  • http://www.ecobank.kg/[..]zoo.jpg
  • http://www.elenalazar.com/[..]zoo.jpg
  • http://www.epicbiz.com/[..]zoo.jpg
  • http://www.europa.kg/[..]zoo.jpg
  • http://www.everett.wednet.edu/[..]zoo.jpg
  • http://www.externet.hu/[..]zoo.jpg
  • http://www.forester.kg/[..]zoo.jpg
  • http://www.fotocliparts.de/[..]zoo.jpg
  • http://www.fotonw.org/[..]zoo.jpg
  • http://www.freesites.com.br/[..]zoo.jpg
  • http://www.funbunker.de/[..]zoo.jpg
  • http://www.funworld.tv/[..]zoo.jpg
  • http://www.gameser.com@share.gameser.com/[..]zoo.jpg
  • http://www.gci-bln.de/[..]zoo.jpg
  • http://www.gcnet.ru/[..]zoo.jpg
  • http://www.giantrevenue.com/[..]zoo.jpg
  • http://www.himpsi.org/[..]zoo.jpg
  • http://www.i3dvr.com/[..]zoo.jpg
  • http://www.ibigmart.net/[..]zoo.jpg
  • http://www.idb-group.net/[..]zoo.jpg
  • http://www.illusionoflife.net/[..]zoo.jpg
  • http://www.infocuspromo.com/[..]zoo.jpg
  • http://www.irinaswelt.de/[..]zoo.jpg
  • http://www.jansenboiler.com/[..]zoo.jpg
  • http://www.jasnet.pl/[..]zoo.jpg
  • http://www.jcribeiro.com/[..]zoo.jpg
  • http://www.jewelleryamberproducts.com/[..]zoo.jpg
  • http://www.jimvann.com/[..]zoo.jpg
  • http://www.jldr.ca/[..]zoo.jpg
  • http://www.jordanramey.net/[..]zoo.jpg
  • http://www.joy-musik-sound.de/[..]zoo.jpg
  • http://www.justrepublicans.com/[..]zoo.jpg
  • http://www.katel.kg/[..]zoo.jpg
  • http://www.knicks.nl/[..]zoo.jpg
  • http://www.koebers.pl/[..]zoo.jpg
  • http://www.kogaionon.com/[..]zoo.jpg
  • http://www.kplus.kg/[..]zoo.jpg
  • http://www.kradtraining.de/[..]zoo.jpg
  • http://www.kranenberg.de/[..]zoo.jpg
  • http://www.kranenberg.de:113547@/[..]zoo.jpg
  • http://www.kstrus.com.pl/[..]zoo.jpg
  • http://www.ktsonline.de/[..]zoo.jpg
  • http://www.lahelaino.com/[..]zoo.jpg
  • http://www.lawform.com.au/[..]zoo.jpg
  • http://www.leetexgroup.com/[..]zoo.jpg
  • http://www.leshrak.de/[..]zoo.jpg
  • http://www.leshrak.de:prophets@/[..]zoo.jpg
  • http://www.logoseiten.de/[..]zoo.jpg
  • http://www.magicbottle.com.tw/[..]zoo.jpg
  • http://www.mcuserver.cz/[..]zoo.jpg
  • http://www.mega-spass.com/[..]zoo.jpg
  • http://www.mega.kg/[..]zoo.jpg
  • http://www.mepbisu.de/[..]zoo.jpg
  • http://www.mepmh.de/[..]zoo.jpg
  • http://www.mtfdesign.com/[..]zoo.jpg
  • http://www.mtransit.kg/[..]zoo.jpg
  • http://www.neotech.kg/[..]zoo.jpg
  • http://www.nikonfotoshare.com/[..]zoo.jpg
  • http://www.novosti.kg/[..]zoo.jpg
  • http://www.ok.kg/[..]zoo.jpg
  • http://www.onepositiveplace.org/[..]zoo.jpg
  • http://www.online.kg/[..]zoo.jpg
  • http://www.orangesuburban.5u.com/[..]zoo.jpg
  • http://www.otv.ch/[..]zoo.jpg
  • http://www.pageantpage.com/[..]zoo.jpg
  • http://www.pankration.com/[..]zoo.jpg
  • http://www.para-agility.com/[..]zoo.jpg
  • http://www.pdxracing.net/[..]zoo.jpg
  • http://www.pfadfinder-leobersdorf.com/[..]zoo.jpg
  • http://www.pipni.cz/[..]zoo.jpg
  • http://www.pjwstk.edu.pl/[..]zoo.jpg
  • http://www.polizeimotorrad.de/[..]zoo.jpg
  • http://www.proway-consulting.com/[..]zoo.jpg
  • http://www.pugetsoundyc.org/[..]zoo.jpg
  • http://www.pyrlandia-boogie.pl/[..]zoo.jpg
  • http://www.qphoto.co.za/[..]zoo.jpg
  • http://www.raecoinc.com/[..]zoo.jpg
  • http://www.realgps.com/[..]zoo.jpg
  • http://www.realty.kg/[..]zoo.jpg
  • http://www.redlightpictures.com/[..]zoo.jpg
  • http://www.reliance-yachts.com/[..]zoo.jpg
  • http://www.relocationflorida.com/[..]zoo.jpg
  • http://www.rentalstation.com/[..]zoo.jpg
  • http://www.rieraquadros.com.br/[..]zoo.jpg
  • http://www.roaming.kg/[..]zoo.jpg
  • http://www.sacohalle.be/[..]zoo.jpg
  • http://www.scanex-medical.fi/[..]zoo.jpg
  • http://www.scoping4success.com/[..]zoo.jpg
  • http://www.sert.ru/[..]zoo.jpg
  • http://www.sigi.lu/[..]zoo.jpg
  • http://www.spadochron.pl/[..]zoo.jpg
  • http://www.ssc.kg/[..]zoo.jpg
  • http://www.ssmifc.ca/[..]zoo.jpg
  • http://www.stadtmeyers.de/[..]zoo.jpg
  • http://www.stadtmeyers.de:R2D2c3po@/[..]zoo.jpg
  • http://www.sterlingirb.com/[..]zoo.jpg
  • http://www.sunassetholdings.com/[..]zoo.jpg
  • http://www.szantomierz.art.pl/[..]zoo.jpg
  • http://www.szosa.pl/[..]zoo.jpg
  • http://www.tambourenvereine.ch/[..]zoo.jpg
  • http://www.tarnow.opoka.org.pl/[..]zoo.jpg
  • http://www.tc-muraene.com/[..]zoo.jpg
  • http://www.tc-muraene.com:hunter@/[..]zoo.jpg
  • http://www.theroyalregistry.com/[..]zoo.jpg
  • http://www.transportation.gov.bh/[..]zoo.jpg
  • http://www.tumar.kg/[..]zoo.jpg
  • http://www.tunguska.hu/[..]zoo.jpg
  • http://www.turkeyhomes.com/[..]zoo.jpg
  • http://www.turkeyhomes.com@/[..]zoo.jpg
  • http://www.ulpiano.org/[..]zoo.jpg
  • http://www.unicity.pl/[..]zoo.jpg
  • http://www.vbw.info/[..]zoo.jpg
  • http://www.velezcourtesymanagement.com/[..]zoo.jpg
  • http://www.vorrix.com/[..]zoo.jpg
  • http://www.webpark.pl/[..]zoo.jpg
  • http://www.wecompete.com/[..]zoo.jpg
  • http://www.wp.pl/[..]zoo.jpg
  • http://www.wwwebad.com/[..]zoo.jpg
  • http://www.xpager321.wz.cz/[..]zoo.jpg
  • http://www.yamdiamonds.com/[..]zoo.jpg
  • http://www.zander-yachting.com/[..]zoo.jpg
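
Several entries in the list above carry a user:password@ part before the host, for example www.gameser.com@share.gameser.com, www.kranenberg.de:113547@ and www.turkeyhomes.com@. Under standard URL rules (RFC 3986) everything before the "@" in the authority is userinfo, so a naive rule that takes the text after http:// as the host would block the wrong name: the gameser entry really points at share.gameser.com, and the entries with nothing after the "@" have no host at all and cannot be connected to by a standards-following client. The Python below is an added example, not code from this description or from the downloader. It derives the real hosts from a constructed subset of the list and matches them, together with the payload file names zoo.jpg, zo2.jpg and g.jpg named on this page, against constructed web-proxy log lines in an assumed "client method url status" format (not the format of any particular proxy).

```python
"""Real download hosts from a Bagle-style URL list, matched against proxy logs.

Added example, not part of the original description or of the downloader.
SAMPLE_URLS is a constructed subset of the list above (the "[..]" is kept as
the page prints it); SAMPLE_PROXY_LOG is constructed in an assumed format.
"""
from urllib.parse import urlsplit

SAMPLE_URLS = [
    "http://www.amanit.ru/[..]zoo.jpg",
    "http://www.gameser.com@share.gameser.com/[..]zoo.jpg",  # real host is after the '@'
    "http://www.kranenberg.de:113547@/[..]zoo.jpg",           # nothing after '@': no host
    "http://www.leshrak.de:prophets@/[..]zoo.jpg",
    "http://www.turkeyhomes.com@/[..]zoo.jpg",
]

# Payload file names the description says the downloader fetches.
BAGLE_PAYLOAD_NAMES = {"zoo.jpg", "zo2.jpg", "g.jpg"}


def effective_host(url):
    """Return (host, has_userinfo).  Per RFC 3986 everything before '@' in the
    authority is userinfo, so the connection goes to what follows it; if nothing
    follows, urlsplit().hostname is None and the URL cannot be connected to."""
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased by urllib, None when absent
    return (host, "@" in parts.netloc)


def host_blocklist(urls):
    """The hosts a proxy rule or DNS sinkhole would actually need to cover."""
    return {host for host, _ in map(effective_host, urls) if host}


def payload_name(url):
    """Last path component of the URL, lower-cased, e.g. 'zoo.jpg'."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def scan_proxy_log(log_text, hosts):
    """Flag lines whose URL hits a listed host or a Bagle payload file name.
    Assumed (constructed) line format: '<client_ip> <method> <url> <status>'.
    Returns (client_ip, url, reason) per flagged line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[2].startswith("http"):
            continue
        client, url = fields[0], fields[2]
        host, _ = effective_host(url)
        reasons = []
        if host in hosts:
            reasons.append("host on Bagle download list")
        if payload_name(url) in BAGLE_PAYLOAD_NAMES:
            reasons.append("Bagle payload name " + payload_name(url))
        if reasons:
            flagged.append((client, url, "; ".join(reasons)))
    return flagged


# Constructed proxy log: two hits on listed hosts, one on file name alone, one benign.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.amanit.ru/img/zoo.jpg 404
10.0.0.5 GET http://share.gameser.com/pics/zoo.jpg 200
10.0.0.7 GET http://www.example.com/photos/beach.jpg 200
10.0.0.9 GET http://cdn.example.net/files/g.jpg 200
"""

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:55} -> host={effective_host(url)[0]}")
    blocklist = host_blocklist(SAMPLE_URLS)
    print("blocklist:", sorted(blocklist))
    for client, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"{client} {url}: {reason}")
```

The file-name match is deliberately kept separate from the host match: with most of the listed sites believed to be decoys, a request for zoo.jpg or g.jpg from a host that is not on the list is still worth a look, while a request to a listed host for an unrelated page is the weaker signal of the two.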

Method of Infection

This malware is downloaded and executed by some Bagle variants. For further information, please see also:

Removal

All Users:
Use the latest engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger has been updated to detect and remove this threat.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Mitglieder.CN (F-Secure)
  • TROJ_BAGLE.BB (Trend)
  • Trojan.Tooso.J (Symantec)
