For Home

Virus Profile: W32/Bagle.bc@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/29/2004
Date Added: 10/29/2004
Origin: Unknown
Length: 17412 bytes
Type: Virus
Subtype: -
DAT Required: 4403
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existance to processes and registry keys as mentioned above
  • HTTP connections to several servers on the internet.

Methods of Infection

  • Execution of the infected file.

   

Virus Characteristics

This is a detection for a new Bagle variant.

In initial test shown, that this new varaint did not spread by mail.But it tries to connect to several webservers and tries to download and execute a file.

Installation

The virus copies itself into the Windows System directory as WinXP.exe. For example:

  • C:\WINNT\SYSTEM32\bawindo.exe

It also creates other files in this directory to perform its functions:

  • %SysDir% \bawindo.exeopen
  • %SysDir% \bawindo.exeopenopen

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "bawindo" = %SysDir% \bawindo.exe

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<---____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_ 

Process termination:

It tries to stop processes with the following filenames:

  • mcagent.exe
  • mcvsshld.exe
  • mcshield.exe
  • mcvsescn.exe
  • mcvsrte.exe
  • DefWatch.exe
  • Rtvscan.exe
  • ccEvtMgr.exe
  • NISUM.EXE
  • ccPxySvc.exe
  • navapsvc.exe
  • NPROTECT.EXE
  • nopdb.exe
  • ccApp.exe
  • Avsynmgr.exe
  • VsStat.exe
  • Vshwin32.exe
  • alogserv.exe
  • RuLaunch.exe
  • Avconsol.exe
  • PavFires.exe
  • FIREWALL.EXE
  • ATUPDATER.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • MCUPDATE.EXE
  • pavsrv50.exe
  • AVENGINE.EXE
  • APVXDWIN.EXE
  • pavProxy.exe
  • navapw32.exe
  • navapsvc.exe
  • ccProxy.exe
  • navapsvc.exe
  • NPROTECT.EXE
  • SAVScan.exe
  • SNDSrvc.exe
  • symlcsvc.exe
  • LUCOMS~1.EXE
  • blackd.exe
  • FrameworkService.exe
  • VsTskMgr.exe
  • SHSTAT.EXE
  • UpdaterUI.exe 

It attemps to download a file for the following URLs:

  • http://www.bottombouncer.com/[..].jpg
  • http://www.bottombouncer.com/[..].jpg
  • http://www.anthonyflanagan.com/[..].jpg
  • http://www.bradster.com/[..].jpg
  • http://www.traverse.com/[..].jpg
  • http://www.ims-i.com/[..].jpg
  • http://www.realgps.com/[..].jpg
  • http://www.aviation-center.de/[..].jpg
  • http://www.gci-bln.de/[..].jpg
  • http://www.pankration.com/[..].jpg
  • http://www.jansenboiler.com/[..].jpg
  • http://www.corpsite.com/[..].jpg
  • http://www.everett.wednet.edu/[..].jpg
  • http://www.onepositiveplace.org/[..].jpg
  • http://www.raecoinc.com/[..].jpg
  • http://www.wwwebad.com/[..].jpg
  • http://www.corpsite.com/[..].jpg
  • http://www.wwwebmaster.com/[..].jpg
  • http://www.wwwebad.com/[..].jpg
  • http://www.dragcar.com/[..].jpg
  • http://www.wwwebad.com/[..].jpg
  • http://www.oohlala-kirkland.com/[..].jpg
  • http://www.calderwoodinn.com/[..].jpg
  • http://www.buddyboymusic.com/[..].jpg
  • http://www.smacgreetings.com/[..].jpg
  • http://www.tkd2xcell.com/[..].jpg
  • http://www.curtmarsh.com/[..].jpg
  • http://www.dontbeaweekendparent.com/[..].jpg
  • http://www.soloconsulting.com/[..].jpg
  • http://www.lasermach.com/[..].jpg
  • http://www.generationnow.net/[..].jpg
  • http://www.flashcorp.com/[..].jpg
  • http://www.kencorbett.com/[..].jpg
  • http://www.FritoPie.NET/[..].jpg
  • http://www.leonhendrix.com/[..].jpg
  • http://www.transportation.gov.bh/[..].jpg
  • http://www.transportation.gov.bh/[..].jpg
  • http://www.jhaforpresident.7p.com/[..].jpg
  • http://www.DarrkSydebaby.com/[..].jpg
  • http://www.cntv.info/[..].jpg
  • http://www.sugardas.lt/[..].jpg
  • http://www.adhdtests.com/[..].jpg
  • http://www.argontech.net/[..].jpg
  • http://www.customloyal.com/[..].jpg
  • http://www.ohiolimo.com/[..].jpg
  • http://www.topko.sk/[..].jpg
  • http://www.alupass.lu/[..].jpg
  • http://www.sigi.lu/[..].jpg
  • http://www.redlightpictures.com/[..].jpg
  • http://www.irinaswelt.de/[..].jpg
  • http://www.bueroservice-it.de/[..].jpg
  • http://www.kranenberg.de/[..].jpg
  • http://www.kranenberg.de/[..].jpg
  • http://www.the-fabulous-lions.de/[..].jpg
  • http://www.the-fabulous-lions.de/[..].jpg
  • http://www.mongolische-renner.de/[..].jpg
  • http://www.mongolische-renner.de/[..].jpg
  • http://www.capri-frames.de/[..].jpg
  • http://www.capri-frames.de/[..].jpg
  • http://www.aimcenter.net/[..].jpg
  • http://www.boneheadmusic.com/[..].jpg
  • http://www.fludir.is/[..].jpg
  • http://www.sljinc.com/[..].jpg
  • http://www.tivogoddess.com/[..].jpg
  • http://www.fcpages.com/[..].jpg
  • http://www.andara.com/[..].jpg
  • http://www.freeservers.com/[..].jpg
  • http://www.programmierung2000.de/[..].jpg
  • http://www.asianfestival.nl/[..].jpg
  • http://www.aviation-center.de/[..].jpg
  • http://www.gci-bln.de/[..].jpg
  • http://www.mass-i.kiev.ua/[..].jpg
  • http://www.jasnet.pl/[..].jpg
  • http://www.atlantisteste.hpg.com.br/[..].jpg
  • http://www.fludir.is/[..].jpg
  • http://www.rieraquadros.com.br/[..].jpg
  • http://www.metal.pl/[..].jpg
  • http://www.handsforhealth.com/[..].jpg
  • http://www.angelartsanctuary.com/[..].jpg
  • http://www.firstnightoceancounty.org/[..].jpg
  • http://www.chinasenfa.com/[..].jpg
  • http://www.chinasenfa.com/[..].jpg
  • http://www.ulpiano.org/[..].jpg
  • http://www.gamp.pl/[..].jpg
  • http://www.vikingpc.pl/[..].jpg
  • http://www.woundedshepherds.com/[..].jpg
  • http://www.cpc.adv.br/[..].jpg
  • http://www.velocityprint.com/[..].jpg
  • http://www.esperanzaparalafamilia.com/[..].jpg
  • http://www.celula.com.mx/[..].jpg
  • http://www.mexis.com/[..].jpg
  • http://www.wecompete.com/[..].jpg
  • http://www.vbw.info/[..].jpg
  • http://www.gfn.org/[..].jpg
  • http://www.aegee.org/[..].jpg
  • http://www.deadrobot.com/[..].jpg
  • http://www.cscliberec.cz/[..].jpg
  • http://www.ecofotos.com.br/[..].jpg
  • http://www.amanit.ru/[..].jpg
  • http://www.bga-gsm.ru/[..].jpg
  • http://www.innnewport.com/[..].jpg
  • http://www.knicks.nl/[..].jpg
  • http://www.srg-neuburg.de/[..].jpg
  • http://www.mepmh.de/[..].jpg
  • http://www.mepbisu.de/[..].jpg
  • http://www.kradtraining.de/[..].jpg
  • http://www.polizeimotorrad.de/[..].jpg
  • http://www.sea.bz.it/[..].jpg
  • http://www.uslungiarue.it/[..].jpg
  • http://www.gcnet.ru/[..].jpg
  • http://www.aimcenter.net/[..].jpg
  • http://www.vandermost.de/[..].jpg
  • http://www.vandermost.de/[..].jpg
  • http://www.szantomierz.art.pl/[..].jpg
  • http://www.immonaut.sk/[..].jpg
  • http://www.eurostavba.sk/[..].jpg
  • http://www.spadochron.pl/[..].jpg
  • http://www.pyrlandia-boogie.pl/[..].jpg
  • http://www.kps4parents.com/[..].jpg
  • http://www.pipni.cz/[..].jpg
  • http://www.selu.edu/[..].jpg
  • http://www.travelchronic.de/[..].jpg
  • http://www.fleigutaetscher.ch/[..].jpg
  • http://www.irakli.org/[..].jpg
  • http://www.oboe-online.com/[..].jpg
  • http://www.oboe-online.com/[..].jpg
  • http://www.pe-sh.com/[..].jpg
  • http://www.idb-group.net/[..].jpg
  • http://www.ceskyhosting.cz/[..].jpg
  • http://www.ceskyhosting.cz/[..].jpg
  • http://www.hartacorporation.com/[..].jpg
  • http://www.glass.la/[..].jpg
  • http://www.glass.la/[..].jpg
  • http://www.24-7-transportation.com/[..].jpg
  • http://www.fepese.ufsc.br/[..].jpg
  • http://www.ellarouge.com.au/[..].jpg
  • http://www.bbsh.org/[..].jpg
  • http://www.boneheadmusic.com/[..].jpg
  • http://www.sljinc.com/[..].jpg
  • http://www.tivogoddess.com/[..].jpg
  • http://www.fcpages.com/[..].jpg
  • http://www.szantomierz.art.pl/[..].jpg
  • http://www.elenalazar.com/[..].jpg
  • http://www.ssmifc.ca/[..].jpg
  • http://www.reliance-yachts.com/[..].jpg
  • http://www.worest.com.ar/[..].jpg
  • http://www.kps4parents.com/[..].jpg
  • http://www.coolfreepages.com/[..].jpg
  • http://www.scanex-medical.fi/[..].jpg
  • http://www.jimvann.com/[..].jpg
  • http://www.orari.net/[..].jpg
  • http://www.himpsi.org/[..].jpg
  • http://www.mtfdesign.com/[..].jpg
  • http://www.jldr.ca/[..].jpg
  • http://www.relocationflorida.com/[..].jpg
  • http://www.rentalstation.com/[..].jpg
  • http://www.approved1stmortgage.com/[..].jpg
  • http://www.velezcourtesymanagement.com/[..].jpg
  • http://www.sunassetholdings.com/[..].jpg
  • http://www.compsolutionstore.com/[..].jpg
  • http://www.uhcc.com/[..].jpg
  • http://www.justrepublicans.com/[..].jpg
  • http://www.pfadfinder-leobersdorf.com/[..].jpg
  • http://www.featech.com/[..].jpg
  • http://www.vinirforge.com/[..].jpg
  • http://www.magicbottle.com.tw/[..].jpg
  • http://www.giantrevenue.com/[..].jpg
  • http://www.couponcapital.net/[..].jpg
  • http://www.crystalrose.ca/[..].jpg
   

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations