Threat Encyclopedia

Win32/Bagle.CI

Type: Trojan Dropper
Affects: 32-bit Windows

Introduction:

Win32/Bagle.CI is a typical Trojan dropper. The dropper is 95664 bytes in size and the DLL it drops is 71098 bytes.

The Trojan is designed to block access to security software update servers, such as those serving antivirus updates. The Trojan appears to originate from Ukraine, judging by Ukrainian text inside the binary. The word "Reliz", found in the Trojan, is very typical of Trojans of Russian, Ukrainian or Belarusian origin.

Installation and Autostart Techniques:

Upon execution the Trojan copies itself into the %Windows% folder as "firewall_anti.exe", 95664 bytes in size, and then drops the filter Dynamic Link Library "firewall_anti.dll", 71098 bytes in size, into the same directory. Both components are detected by NOD32 as "Win32/Bagle.CI".

Note: %Windows% denotes the Windows directory (e.g. C:\WINDOWS), which differs between versions of Microsoft Windows.

The Trojan dropper adds the following registry value to make sure that it runs every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"firewall_anti" = "%Windows%\firewall_anti.exe"

The dropped filter DLL is then injected into the running Explorer process via the CreateRemoteThread API. The following registry keys and values are then added to apply the filter:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
"NextInstance" = "00000001"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"Class" = "LegacyDriver"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"ClassGUID" = "{ClassID}"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"ConfigFlags" = "00000000"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"DeviceDesc" = "IP Traffic Filter Driver"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"Legacy" = "00000001"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
"Service" = "IpFilterDriver"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
"*NewlyCreated*" = "00000000"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
"ActiveService" = "IpFilterDriver"

The usual Counter and Instance Enum Registry keys are added as well.

Note: {ClassID} represents a random Class ID.
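
A triage check for the artifacts described in this section, added here as an example and not part of the original write-up: assess() evaluates Run-key values and file sizes passed in as plain dicts, and collect_windows() is an assumed helper that gathers those inputs with winreg on a live Windows host (it returns empty inputs elsewhere).

```python
# Added triage example; file names, sizes and registry paths come from the write-up.
# assess() is host-independent so it can be run on exported data; collect_windows()
# is an assumed helper that reads the same inputs from a live Windows host.
import ntpath, os, sys

EXE_NAME, EXE_SIZE = "firewall_anti.exe", 95664   # dropper name and size, per the write-up
DLL_NAME, DLL_SIZE = "firewall_anti.dll", 71098   # injected filter DLL, per the write-up
LEGACY_KEY = r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER"

def assess(run_values, file_sizes, legacy_ipfilter_present):
    """run_values: {name: data} from the HKLM Run key; file_sizes: {path: bytes} for
    candidate files in %Windows%. Returns a list of findings (empty = nothing matched)."""
    findings = []
    data = run_values.get("firewall_anti", "")
    if data.lower().endswith(EXE_NAME):
        findings.append(f"Run value 'firewall_anti' -> {data}")
    for path, size in file_sizes.items():
        expected = {EXE_NAME: EXE_SIZE, DLL_NAME: DLL_SIZE}.get(ntpath.basename(path).lower())
        if expected is not None:
            # A size mismatch still counts: a repacked variant would keep the file name.
            match = "size matches" if size == expected else f"size {size} != {expected}"
            findings.append(f"{path} ({match})")
    # IpFilterDriver is a legitimate Windows driver and its LEGACY_* Enum entry exists
    # whenever that driver has been loaded, so it only corroborates the other indicators.
    if findings and legacy_ipfilter_present:
        findings.append("LEGACY_IPFILTERDRIVER enum entry present (corroborating)")
    return findings

def collect_windows():
    """Read the same inputs from a live Windows host; returns empty inputs elsewhere."""
    if sys.platform != "win32":
        return {}, {}, False
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    run, i = {}, 0
    with winreg.OpenKey(hklm, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values under the key
                break
            run[name], i = str(value), i + 1
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    paths = [ntpath.join(windir, n) for n in (EXE_NAME, DLL_NAME)]
    sizes = {p: os.path.getsize(p) for p in paths if os.path.isfile(p)}
    try:
        legacy = bool(winreg.OpenKey(hklm, LEGACY_KEY))   # OSError if the key is absent
    except OSError:
        legacy = False
    return run, sizes, legacy
```

On a Windows host, `assess(*collect_windows())` returns the list of matched indicators; an empty list means none of the described artifacts were found.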

Filter Dynamic Link Library Component:

The dropped Dynamic Link Library blocks access to the following webservers via an incoming and outgoing filter:


Note: The Trojan enumerates these webservers, performs a DNS lookup for each entry to obtain its IP addresses, and applies the filter with a 255.255.255.0 netmask, with the result that these webservers can no longer be reached.
This enumeration and DNS lookup is also the reason the Trojan takes a long time before it starts blocking these servers.
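
The note above says the filter is applied with a 255.255.255.0 mask. The following added example (not from the original write-up) models what that covers: each resolved address takes its whole /24 with it, so unrelated hosts in the same network become unreachable from the infected machine as well. The hostnames and addresses are constructed sample values.

```python
# Added example, not from the original write-up. The Trojan resolves each listed hostname
# and filters the result with a 255.255.255.0 mask; this models which addresses that covers.
import ipaddress

FILTER_MASK = "255.255.255.0"   # mask the Trojan applies to every resolved address, per the write-up

def blocked_networks(resolved):
    """resolved: {hostname: [ip, ...]} as obtained from the Trojan's DNS lookups.
    Returns the set of /24 networks the filter ends up covering."""
    nets = set()
    for ips in resolved.values():
        for ip in ips:
            # strict=False accepts host bits and yields the enclosing /24
            nets.add(ipaddress.ip_network(f"{ip}/{FILTER_MASK}", strict=False))
    return nets

def is_blocked(nets, ip):
    """True if ip lies inside any filtered /24, i.e. it is unreachable from the infected host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def addresses_covered(nets):
    """Total number of addresses the filter cuts off (256 per distinct /24)."""
    return sum(net.num_addresses for net in nets)

# Constructed sample: two hypothetical vendor hostnames resolving to documentation-range addresses.
SAMPLE_RESOLVED = {
    "update.vendor.test": ["198.51.100.40"],
    "www.vendor.test": ["203.0.113.7", "198.51.100.41"],
}

if __name__ == "__main__":
    nets = blocked_networks(SAMPLE_RESOLVED)
    print(sorted(str(n) for n in nets))          # ['198.51.100.0/24', '203.0.113.0/24']
    print(is_blocked(nets, "198.51.100.200"))    # True: unrelated host in the same /24
    print(addresses_covered(nets))               # 512
```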

History: Analysis and write-up by Michael St. Neitzel