Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

Win32/Bagle.BA

The Bagle.BA trojan dropper is packed by FSG, the file header is patched.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Upon execution the dropper copies itself into the %system% folder with the fixed name WINSHOST.EXE. The filesize of this file is 34.304 Bytes.
It adds the following registry values to ensure automatic execution:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "winshost.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "winshost.exe"

Then it drops a file called WIWSHOST.EXE, which is a dynamic link library file (18.944 bytes), in the %system% folder.
This file is used for code injection via CreateRemoteThread into Explorer.exe.
After the code injection is running, WINSHOST.EXE exits.
The malicious process WIWSHOST is now running cloaked inside the explorer task.
To prevent antivirus software from updating, it overwrites the existing %system32%\Drivers\etc\hosts file with the following data:

127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 ftp://ftp.kasperskylab.ru/updates/
127.0.0.1 ftp://ftp.avp.ch/updates/
127.0.0.1 http://www.kaspersky.ru/updates/
127.0.0.1 http://updates1.kaspersky-labs.com/updates/
127.0.0.1 http://updates3.kaspersky-labs.com/updates/
127.0.0.1 http://updates4.kaspersky-labs.com/updates/
127.0.0.1 http://updates2.kaspersky-labs.com/updates/
127.0.0.1 http://updates5.kaspersky-labs.com/updates/
127.0.0.1 http://downloads1.kaspersky-labs.com/updates/
127.0.0.1 http://www.kaspersky-labs.com/updates/
127.0.0.1 ftp://updates3.kaspersky-labs.com/updates/
127.0.0.1 ftp://downloads1.kaspersky-labs.com/updates/
127.0.0.1 www3.ca.com
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com

The downloader process is able to terminate various security programs and tries to download files from several internet servers. After a file is successfully downloaded, it is executed.

NOD32 detected Win32/Bagle.BA using the Advanced Heuristics. Detection using a sample is added since version 1.1014.

©1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission