Trojan Summary
Trojan Name: W32/Bagle.ci

Risk Assessment
Corporate User: Low
Home User: Low

Trojan Information
Discovery Date: 09/19/2005
Origin: Unknown
Length: 17Kb
Type: Zip file
SubType: Trojan Downloader
Minimum DAT: 4584 (09/19/2005)
Updated DAT: 4584 (09/19/2005)
Minimum Engine: 4.4.00
Description Added: 09/19/2005
Description Updated: 09/19/2005 9:30 AM (PT)

Trojan Characteristics
This Bagle variant has been mass spammed and arrives in a ZIP file. It is heuristically detected as 'Virus or variant New Poly Win32' by 4424 DATs and above.

This variant copies itself to %WinDir%\system32 as WINSHOST.EXE and adds the following registry hooks:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe

It drops a file wiwshost.exe, which is detected by 4424 DATs and above as W32/Bagle.gen@MM. This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites (refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.

Sets the following services to "disabled":
* HKLM\System\CurrentControlSet\Services\wuauserv
* HKLM\System\CurrentControlSet\Services\SharedAccess
* HKLM\System\CurrentControlSet\Services\vsmon
* HKLM\System\CurrentControlSet\Services\Alerter
* HKLM\System\CurrentControlSet\Services\wuauserv
* HKLM\System\CurrentControlSet\Services\McShield
* HKLM\System\CurrentControlSet\Services\McAfeeFramework
* HKLM\System\CurrentControlSet\Services\McTaskManager
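The Run-key persistence and the service changes listed above can be confirmed offline from a `reg query` export of the suspect host. The script below is an added example written for this page, not McAfee's tooling and not part of the original summary: it parses constructed `reg query` output (the C:\WINDOWS paths in the sample are an assumption about the host) and reports a winshost.exe Run value plus any of the named services whose Start value has been set to 4, which is what "disabled" means in the service configuration (SERVICE_DISABLED).

```python
r"""Offline triage of the registry changes described for W32/Bagle.ci.

Added example, not McAfee's tooling.  Input is the text that `reg query`
prints, e.g. from
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
The sample below is constructed; the C:\WINDOWS path is an assumption.
"""
import re

RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
RUN_VALUE_NAME = "winshost.exe"
RUN_IMAGE_TAIL = r"\system32\winshost.exe"

# Services the description says are switched to "disabled".
TARGET_SERVICES = ("wuauserv", "SharedAccess", "vsmon", "Alerter",
                   "McShield", "McAfeeFramework", "McTaskManager")
SERVICES_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
SERVICE_DISABLED = 4  # Start value meaning SERVICE_DISABLED

# Constructed sample of `reg query` output for three keys (not captured
# from a real machine).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    winshost.exe    REG_SZ    C:\WINDOWS\system32\winshost.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start    REG_DWORD    0x4
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
    Start    REG_DWORD    0x3
"""


def parse_reg_query(text):
    """Return {key (lower-cased): {value_name: (type, data)}}.

    Key lines start in column 0; value lines are indented and carry three
    fields separated by runs of whitespace, as `reg query` prints them.
    REG_DWORD data is printed in hex (0x4) and is converted to an int.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = keys.setdefault(raw.strip().lower(), {})
            continue
        fields = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current is None or len(fields) < 2:
            continue  # not a "name  type  data" line
        name, rtype = fields[0], fields[1]
        data = fields[2] if len(fields) == 3 else ""
        if rtype == "REG_DWORD":
            data = int(data, 16)
        current[name] = (rtype, data)
    return keys


def find_run_persistence(keys):
    """Run values that launch winshost.exe from the system32 directory."""
    hits = []
    for key in RUN_KEYS:
        for name, (_rtype, data) in keys.get(key, {}).items():
            if name.lower() == RUN_VALUE_NAME or \
                    str(data).lower().endswith(RUN_IMAGE_TAIL):
                hits.append((key, name, data))
    return hits


def find_disabled_services(keys):
    """Names from TARGET_SERVICES whose Start value is SERVICE_DISABLED."""
    disabled = []
    for svc in TARGET_SERVICES:
        values = keys.get(SERVICES_ROOT + "\\" + svc.lower(), {})
        start = values.get("Start", (None, None))[1]
        if start == SERVICE_DISABLED:
            disabled.append(svc)
    return disabled


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    for key, name, data in find_run_persistence(parsed):
        print("persistence:", key, name, "=", data)
    for svc in find_disabled_services(parsed):
        print("service disabled:", svc)
```

The match on the image path tail as well as on the value name matters because a cleaner that only deletes the "winshost.exe" value would miss a copy registered under another name; the service check deliberately reads Start rather than the live service state, since the trojan also stops the services and a stopped-but-automatic service is a different finding.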

Attempts to delete the following keys and Run values:
* HKLM\SOFTWARE\Symantec
* HKLM\SOFTWARE\McAfee
* HKLM\SOFTWARE\KasperskyLab
* HKLM\SOFTWARE\Agnitum
* HKLM\SOFTWARE\Panda Software
* HKLM\SOFTWARE\Zone Labs
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

It also modifies the file %WinDir%\system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security websites. The trojanized hosts file is detected as "trojan QHosts" since DAT version 4354.

Symptoms
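A check for the hosts-file modification described above, as an added example (not McAfee's QHosts signature and not part of the original summary). The description says only that "certain security websites" are blocked, so the vendor markers below are an assumption drawn from the vendors whose registry keys the trojan deletes, and the hosts content is constructed rather than captured from a victim.

```python
r"""Spot security-vendor hostnames hijacked in a Windows hosts file.

Added example, not McAfee's QHosts signature.  The trojan rewrites
%WinDir%\system32\drivers\etc\hosts; the marker list and the sample file
below are assumptions, not taken from the description.
"""
import ipaddress

# Substrings identifying a vendor or update host.  Assumption: derived from
# the vendors named elsewhere in this description.
VENDOR_MARKERS = ("symantec", "norton", "liveupdate", "mcafee", "nai.com",
                  "kaspersky", "agnitum", "pandasoftware", "zonelabs",
                  "windowsupdate", "microsoft")

# Constructed sample hosts file (not from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.kaspersky.com
127.0.0.1 windowsupdate.microsoft.com
192.0.2.10 intranet.example  # local pin unrelated to security vendors
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid hosts line
        for host in fields[1:]:               # one line may list several names
            yield lineno, addr, host.lower()


def find_hijacks(text):
    """Return [(line_number, hostname, address, reason)] for vendor hosts.

    Any pin of a vendor name is reported, since these sites are never
    legitimately fixed in the hosts file; the loopback case is the one this
    trojan uses, a routable address would mean redirection instead.
    """
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if not any(marker in host for marker in VENDOR_MARKERS):
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to %s" % addr
        else:
            reason = "redirected to %s" % addr
        findings.append((lineno, host, str(addr), reason))
    return findings


if __name__ == "__main__":
    for lineno, host, addr, reason in find_hijacks(SAMPLE_HOSTS):
        print("hosts line %d: %s %s" % (lineno, host, reason))
```

On a live host, remember that the trojan also disables the services and kills the update processes listed under Symptoms, so a clean hosts file alone does not mean updates will succeed.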

Services with the following names are stopped:
* wuauserv
* PAVSRV
* PAVFNSVR
* PSIMSVC
* Pavkre
* avProt
* PREVSRV
* PavPrSrv
* SharedAccess
* navapsvc
* NPFMntor
* Outpost Firewall
* SAVScan
* SBService
* Symantec Core LC
* ccEvtMgr
* SNDSrvc
* ccPwdSvc
* ccSetMgr.exe
* SPBBCSvc
* KLBLMain
* avg7alrt
* avg7updsvc
* vsmon
* CAISafe
* avpcc
* fsbwsys
* backweb client - 4476822
* backweb client-4476822
* fsdfwd
* F-Secure Gatekeeper Handler Starter
* FSMA
* KAVMonitorService
* navapsvc
* NProtectService
* Norton Antivirus Server
* VexiraAntivirus
* dvpinit
* dvpapi
* schscnt
* BackWeb Client - 7681197
* F-Secure Gatekeeper Handler Starter
* FSMA
* AVPCC
* KAVMonitorService
* Norman NJeeves
* NVCScheduler
* nvcoas
* Norman ZANDA
* PASSRV
* SweepNet
* SWEEPSRV.SYS
* NOD32ControlCenter
* NOD32Service
* PCCPFW
* Tmntsrv
* AvxIni
* XCOMM
* ravmon8
* SmcService
* BlackICE
* PersFW
* McAfee Firewall
* OutpostFirewall
* NWService
* alerter
* sharedaccess
* NISUM
* NISSERV
* vsmon
* nwclnth
* nwclntg
* nwclnte
* nwclntf
* nwclntd
* nwclntc
* wuauserv
* navapsvc
* Symantec Core LC
* SAVScan
* kavsvc
* DefWatch
* Symantec AntiVirus Client
* NSCTOP
* Symantec Core LC
* SAVScan
* SAVFMSE
* ccEvtMgr
* navapsvc
* ccSetMgr
* VisNetic AntiVirus Plug-in
* McShield
* AlertManger
* McAfeeFramework
* AVExch32Service
* AVUPDService
* McTaskManager
* Network Associates Log Service
* Outbreak Manager
* MCVSRte
* mcupdmgr.exe
* AvgServ
* AvgCore
* AvgFsh
* awhost32
* Ahnlab task Scheduler
* MonSvcNT
* V3MonNT
* V3MonSvc
* FSDFWD

The trojan attempts to delete the following files (the entries with digits inserted into the name are the renamed forms of the security executables referred to above):
* mysuperprog.exe
* CCSETMGR.EXE
* CCEVTMGR.EXE
* NAVAPSVC.EXE
* NPFMNTOR.EXE
* symlcsvc.exe
* SPBBCSvc.exe
* SNDSrvc.exe
* ccApp.exe
* ccl30.dll
* ccvrtrst.dll
* LUALL.EXE
* AUPDATE.EXE
* Luupdate.exe
* LUINSDLL.DLL
* RuLaunch.exe
* CMGrdian.exe
* Mcshield.exe
* outpost.exe
* Avconsol.exe
* Vshwin32.exe
* VsStat.exe
* Avsynmgr.exe
* kavmm.exe
* Up2Date.exe
* KAV.exe
* avgcc.exe
* avgemc.exe
* zonealarm.exe
* zatutor.exe
* zlavscan.dll
* zlclient.exe
* isafe.exe
* cafix.exe
* vsvault.dll
* av.dll
* vetredir.dll
* C1CSETMGR.EXE
* CC1EVTMGR.EXE
* NAV1APSVC.EXE
* NPFM1NTOR.EXE
* s1ymlcsvc.exe
* SP1BBCSvc.exe
* SND1Srvc.exe
* ccA1pp.exe
* cc1l30.dll
* ccv1rtrst.dll
* LUAL1L.EXE
* AUPD1ATE.EXE
* Luup1date.exe
* LUI1NSDLL.DLL
* RuLa1unch.exe
* CM1Grdian.exe
* Mcsh1ield.exe
* outp1ost.exe
* Avc1onsol.exe
* Vshw1in32.exe
* Vs1Stat.exe
* Av1synmgr.exe
* kav12mm.exe
* Up222Date.exe
* 2A2V.exe
* avgc3c.exe
* avg23emc.exe
* zonealarm.exe
* zatutor.exe
* zlavscan.dll
* zo3nealarm.exe
* zatu6tor.exe
* zl5avscan.dll
* zlcli6ent.exe
* is5a6fe.exe
* c6a5fix.exe
* vs6va5ult.dll
* a5v.dll
* ve6tre5dir.dll

The trojan tries to kill the following processes:
* NUPGRADE.EXE
* MCUPDATE.EXE
* ATUPDATER.EXE
* AUPDATE.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* FIREWALL.EXE
* ATUPDATER.EXE
* LUALL.EXE
* DRWEBUPW.EXE
* AUTODOWN.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* ESCANH95.EXE
* AVXQUAR.EXE
* ESCANHNT.EXE
* UPGRADER.EXE
* AVXQUAR.EXE
* AVWUPD32.EXE
* AVPUPD.EXE
* CFIAUDIT.EXE
* UPDATE.EXE

Outgoing TCP connections to port 80 (HTTP) are established, and it tries to download a file from the following list. (Note: many Bagle variants attempt to download files from a very large list of sites; in fact most of the sites listed are believed to be decoys and were never found to be hosting anything malicious.)
* http://www.yannick-spruyt.be
* http://www.yesterdays.co.za
* http://www.yshkj.com
* http://www.zakazcd.dp.ua
* http://www.students.stir.ac.uk
* http://www.zenesoftware.com
* http://www.zentek.co.za
* http://www.czzm.com
* http://www.izoli.sk
* http://www.zorbas.az
* http://www.zsbersala.edu.sk
* http://www.triapex.cz
* http://www.triptonic.ch
* http://www.tv-marina.com
* http://www.trago.com.pt
* http://www.travelourway.com
* http://www.megaserve.net
* http://www.trgd.dobrcz.pl
* http://www.mild.at
* http://www.kingsley.ch
* http://www.mild.at
* http://www.elvis-presley.ch
* http://www.gomyhome.com.tw
* http://www.ider.cl
* http://www.ascolfibras.com
* http://www.on24.ee
* http://www.xojc.com
* http://www.x-treme.cz
* http://www.gymzn.cz
* http://www.xiantong.net
* http://www.xmpie.com
* http://www.xmtd.com
* http://www.onlink.net
* http://www.discoteka-funfactory.com
* http://www.toussain.be
* http://www.idcs.be
* http://www.gepeters.org
* http://www.angham.de
* http://www.idaf.de
* http://www.bolz.at
* http://www.societaet.de
* http://www.ppm-alliance.de
* http://www.udc-cassinadepecchi.it
* http://www.universe.sk
* http://www.jingjuok.com
* http://www.gemtrox.com.tw
* http://www.uspowerchair.com
* http://www.steripharm.com
* http://www.beall-cpa.com
* http://www.jcm-american.com
* http://www.vercruyssenelektro.be
* http://www.centrovestecasa.it
* http://www.vet24h.com
* http://www.vinimeloni.com
* http://www.vnrvjiet.ac.in
* http://www.vote2fateh.com
* http://www.marketvw.com
* http://www.formholz.at
* http://www.checkonemedia.nl
* http://www.fotomax.fi
* http://www.vw.press-bank.pl
* http://www.wamba.asn.au
* http://www.cz-wanjia.com
* http://www.czwanqing.com
* http://www.wdlp.co.za
* http://www.automobilonline.de
* http://www.bangyan.cn
* http://www.21ebuild.com
* http://www.eagle.com.cn
* http://www.eagleclub.com.cn
* http://www.sanjinyuan.com
* http://www.designgong.org
* http://www.fermegaroy.com
* http://www.welchcorp.com
* http://www.snsphoto.com
* http://www.soeco.org
* http://www.softmajor.ru
* http://www.solt3.org
* http://www.sqnsolutions.com
* http://www.spacium.biz
* http://www.speedcom.home.pl
* http://www.spirit-in-steel.at
* http://www.spy.az
* http://www.st-paulus-bonn.dehtdocs
* http://www.stbs.com.hk
* http://www.acsohio.com
* http://www.olva.com.pe
* http://www.subsplanet.com
* http://www.sungodbio.com
* http://www.superbetcs.com
* http://www.vnn.vn
* http://www.sydolo.com
* http://www.szdiheng.com
* http://www.agria.hu
* http://www.externet.hu
* http://www.hondenservice.be
* http://www.ehc.hu
* http://www.tcicampus.net
* http://www.contentproject.com
* http://www.festivalteatrooccidente.com
* http://www.techni.com.cn
* http://www.festivalteatrooccidente.com
* http://www.thaifast.com
* http://www.thaiventure.com
* http://www.andi.com.vn
* http://www.replayu.com
* http://www.th-mutan.com
* http://www.thetexasoutfitter.com
* http://www.tmhcsd1987.friko.pl
* http://www.thenextstep.tv
* http://www.wesartproductions.com
* http://www.wilsonscountry.com
* http://www.windstar.pl
* http://www.wise-industries.com
* http://www.witold.pl
* http://www.51.net
* http://www.slovanet.sk
* http://www.wombband.com
* http://www.datanet.hu
* http://www.uw.hu
* http://www.dgy.com.cn
* http://www.bs-security.de
* http://www.die-fliesen.de
* http://www.dom-invest.com.pl
* http://www.engelhardtgmbh.de
* http://www.fahrschule-herb.de
* http://www.fahrschule-lesser.de
* http://www.gimex-messzeuge.de
* http://www.inside-tgweb.de
* http://www.jue-bo.com
* http://www.niko.de
* http://www.nikogmbh.com
* http://www.renegaderc.com
* http://www.sachsenbuecher.de
* http://www.scvanravenswaaij.nl
* http://www.spoden.de
* http://www.sportnf.com
* http://www.sweb.cz
* http://www.tg-sandhausen-basketball.de
* http://www.thefunkiest.com
* http://www.jeoushinn.com
* http://www.presley.ch
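One way to find affected clients from the proxy side, as an added example that is not part of the original summary: because most of the sites above are decoys, the script keys on the request for osa6.gif itself and on the pattern of one client asking several hosts for it, rather than on the site list alone. The Squid native-format log lines are constructed; `payload.example` is a made-up host included only to show a request that was actually answered (nothing here implies any listed site served the file), and KNOWN_SITES is a subset of the list above.

```python
"""Find clients fetching osa6.gif from a Squid-style proxy access log.

Added example, not McAfee's.  The injected code makes outbound HTTP (TCP/80)
requests for a file named osa6.gif to a long list of sites, most of them
decoys, so the behaviour (one client, many hosts, same file name) is a
better signal than any single hostname.  The log lines, client addresses
and timestamps below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

PAYLOAD_NAME = "osa6.gif"

# Subset of the download sites quoted in this description (Symptoms).
KNOWN_SITES = {
    "www.mild.at", "www.kingsley.ch", "www.zentek.co.za",
    "www.yannick-spruyt.be", "www.triapex.cz", "www.presley.ch",
}

# Constructed sample in Squid native format:
# "time elapsed client code/status bytes method URL ident hierarchy/peer type"
SAMPLE_LOG = """\
1127145600.101    120 10.0.0.7 TCP_MISS/404 421 GET http://www.mild.at/osa6.gif - DIRECT/203.0.113.5 text/html
1127145600.354     98 10.0.0.7 TCP_MISS/404 421 GET http://www.kingsley.ch/osa6.gif - DIRECT/203.0.113.6 text/html
1127145601.020     77 10.0.0.7 TCP_MISS/200 17408 GET http://payload.example/osa6.gif - DIRECT/203.0.113.7 image/gif
1127145602.500    210 10.0.0.9 TCP_HIT/200 5120 GET http://www.example.com/logo.gif - NONE/- image/gif
1127145603.111     64 10.0.0.9 TCP_MISS/200 8834 GET http://www.mild.at/index.html - DIRECT/203.0.113.5 text/html
1127145604.000     40 10.0.0.9 TCP_DENIED/403 1200 CONNECT www.example.com:443 - NONE/- -
"""


def parse_squid_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _code, _, status = fields[3].partition("/")
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "status": int(status) if status.isdigit() else None,
        "method": fields[5],
        "url": fields[6],
    }


def find_payload_requests(log_text):
    """Every GET whose last path component is osa6.gif, with host and status."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["url"])
        if parts.path.rsplit("/", 1)[-1].lower() != PAYLOAD_NAME:
            continue
        hits.append({
            "client": rec["client"],
            "host": parts.hostname,
            "status": rec["status"],
            "known_site": parts.hostname in KNOWN_SITES,
        })
    return hits


def suspect_clients(log_text, min_hosts=2):
    """Clients that asked at least `min_hosts` distinct hosts for osa6.gif.

    Returns {client: {"hosts": sorted hosts, "served": hosts that answered
    200}} so the responder sees both the beaconing and any real download.
    """
    by_client = defaultdict(lambda: {"hosts": set(), "served": set()})
    for hit in find_payload_requests(log_text):
        by_client[hit["client"]]["hosts"].add(hit["host"])
        if hit["status"] == 200:
            by_client[hit["client"]]["served"].add(hit["host"])
    return {
        client: {"hosts": sorted(v["hosts"]), "served": sorted(v["served"])}
        for client, v in by_client.items() if len(v["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    for client, info in suspect_clients(SAMPLE_LOG).items():
        print(client, "requested osa6.gif from", info["hosts"],
              "served by", info["served"] or "none")
```

A 404 from a decoy is still evidence: the request itself is the infection marker, and a client with only 404s is as infected as one that got a 200. The `served` set tells you which download actually succeeded and therefore which sample to pull from the proxy cache or the host.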

Method Of Infection
This variant has been mass-spammed.

Removal Instructions
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Variants
Name / Type / Sub Type / Differences
No known variants

Aliases
No known aliases

Posted to Docstoc: 11/9/2009