F-Secure Virus Descriptions : Bagle.BY




NAME: Bagle.BY
ALIAS: Email-Worm.Win32.Bagle.by, W32/Mitglieder.CO

Summary

This trojan dropper appeared on August 9th, 2005. It is sent by the Bagle worm as an attachment to its infected e-mails, inside a ZIP archive. The filename inside the ZIP archive is always 'foto_bs363.exe'; the name of the ZIP archive itself varies.

At the time of this writing, we do not have a sample of the actual Bagle worm that sends out these droppers.

Detailed Description

The dropper is a packed PE executable 36352 bytes long. It uses an image icon to disguise the real contents of the file, so on disk it looks like a picture rather than a program.

Installation to system

When the dropper is run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL named WIWSHOST.EXE (a DLL despite its .EXE extension) in the same directory. This DLL is then injected into the Explorer.exe process.

The dropper creates two startup entries:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "winshost.exe" = "%winsysdir%\winshost.exe"

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "winshost.exe" = "%winsysdir%\winshost.exe"

where '%winsysdir%' is the Windows System folder. Run keys are processed at logon, so these entries ensure the trojan is started each time a user logs on to Windows (the HKCU entry for the current user, the HKLM entry for every user of the machine).

When the dropped DLL is activated, it checks for the following registry value:

 [HKCU\Software\FirstRun]
 "FirstRunRR" = dword:value

If the value does not exist, the trojan creates it and sets it to 1 (a marker that the dropper has already run on this machine).

The DLL also opens Microsoft Paint (mspaint.exe) as a decoy, so that the user sees a picture program start after opening the 'photo', and then executes the actual payload.
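The installation steps above leave two kinds of registry evidence: the 'winshost.exe' Run entries and the 'FirstRunRR' marker under HKCU\Software\FirstRun. The following is an added example (not code from the original F-Secure description) that parses a regedit .reg export offline and reports those indicators. The .reg text is constructed for the example, and the concrete path C:\WINDOWS\system32 is an assumption standing in for %winsysdir%.

```python
# Added example, not part of the F-Secure description: check a regedit .reg
# export for the Bagle.BY persistence entries and the FirstRunRR marker.
import re

# Indicators from the description (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAME = "winshost.exe"
MARKER_KEY = r"hkey_current_user\software\firstrun"
MARKER_VALUE = "firstrunrr"

# "name"=data  (the name may contain escaped quotes)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg string escaping (a doubled backslash and an escaped quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_data(data):
    """Turn the textual data part of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:, expand strings etc. are left as raw text


def parse_reg(text):
    """Parse the [key] / "name"=data subset of .reg syntax that regedit writes.
    Returns {key: {value_name: raw_data}} keeping the original capitalisation."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = m.group(2)
    return keys


def find_bagle_by(text):
    """Return human-readable findings for the Bagle.BY indicators; [] means none."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if k in RUN_KEYS and n == RUN_VALUE_NAME:
                findings.append(f"Run entry {key}\\{name} = {decode_data(data)}")
            elif k == MARKER_KEY and n == MARKER_VALUE:
                findings.append(f"Marker {key}\\{name} = {decode_data(data)}")
    return findings


# Constructed export of an infected machine (not a real capture); the
# system path is assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=dword:00000001
'''

if __name__ == "__main__":
    for finding in find_bagle_by(SAMPLE_REG):
        print(finding)
```

On a live machine the same three checks can be made directly with regedit or reg.exe; the offline parser is useful when all you have is a registry export collected from the host.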

Payload

The trojan stops services with the following names (anti-virus and personal firewall products, plus Windows services such as Automatic Updates (wuauserv), Windows Firewall/Internet Connection Sharing (SharedAccess) and Alerter):

 Ahnlab task Scheduler
 alerter
 AlertManger
 AVExch32Service
 avg7alrt
 avg7updsvc
 AvgCore
 AvgFsh
 AvgServ
 avpcc
 AVPCC
 AVUPDService
 AvxIni
 awhost32
 backweb client - 4476822
 backweb client-4476822
 BackWeb Client - 7681197
 BlackICE
 CAISafe
 ccEvtMgr
 ccPwdSvc
 ccSetMgr
 ccSetMgr.exe
 DefWatch
 dvpapi
 dvpinit
 fsbwsys
 fsdfwd
 FSDFWD
 F-Secure Gatekeeper Handler Starter
 FSMA
 KAVMonitorService
 kavsvc
 KLBLMain
 McAfee Firewall
 McAfeeFramework
 McShield
 McTaskManager
 mcupdmgr.exe
 MCVSRte
 MonSvcNT
 navapsvc
 Network Associates Log Service
 NISSERV
 NISUM
 NOD32ControlCenter
 NOD32Service
 Norman NJeeves
 Norman ZANDA
 Norton Antivirus Server
 NPFMntor
 NProtectService
 NSCTOP
 nvcoas
 NVCScheduler
 nwclntc
 nwclntd
 nwclnte
 nwclntf
 nwclntg
 nwclnth
 NWService
 Outbreak Manager
 Outpost Firewall
 OutpostFirewall
 PASSRV
 PAVFNSVR
 Pavkre
 PavProt
 PavPrSrv
 PAVSRV
 PCCPFW
 PersFW
 PREVSRV
 PSIMSVC
 ravmon8
 SAVFMSE
 SAVScan
 SBService
 sharedaccess
 SharedAccess
 SmcService
 SNDSrvc
 SPBBCSvc
 SweepNet
 SWEEPSRV.SYS
 Symantec AntiVirus Client
 Symantec Core LC
 Tmntsrv
 V3MonNT
 V3MonSvc
 VexiraAntivirus
 VisNetic AntiVirus Plug-in
 vsmon
 wuauserv
 XCOMM

Then it tries to remove the following registry values:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Symantec NetDriver Monitor"
 "ccApp"
 "NAV CfgWiz"
 "SSC_UserPrompt"
 "McAfee Guardian"
 "McAfee.InstantUpdate.Monitor"
 "APVXDWIN"
 "KAV50"
 "avg7_cc"
 "avg7_emc"
 "Zone Labs Client"

It also tries to remove the following registry keys (the configuration trees of Symantec, McAfee, Kaspersky, Agnitum Outpost, Panda and Zone Labs products):

 [HKLM\SOFTWARE\Symantec]
 [HKLM\SOFTWARE\McAfee]
 [HKLM\SOFTWARE\KasperskyLab]
 [HKLM\SOFTWARE\Agnitum]
 [HKLM\SOFTWARE\Panda Software]
 [HKLM\SOFTWARE\Zone Labs]

After that the trojan starts a thread that scans all hard drives and deletes any file with the following name:

 mysuperprog.exe

This thread also renames files belonging to security and anti-virus software. The following files are renamed:

 CCSETMGR.EXE
 CCEVTMGR.EXE
 NAVAPSVC.EXE
 NPFMNTOR.EXE
 symlcsvc.exe
 SPBBCSvc.exe
 SNDSrvc.exe
 ccApp.exe
 ccl30.dll
 ccvrtrst.dll
 LUALL.EXE
 AUPDATE.EXE
 Luupdate.exe
 LUINSDLL.DLL
 RuLaunch.exe
 CMGrdian.exe
 Mcshield.exe
 outpost.exe
 Avconsol.exe
 Vshwin32.exe
 VsStat.exe
 Avsynmgr.exe
 kavmm.exe
 Up2Date.exe
 KAV.exe
 avgcc.exe
 avgemc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zlclient.exe
 isafe.exe
 cafix.exe
 vsvault.dll
 av.dll
 vetredir.dll

The files above are renamed by inserting digits into the original names, as follows:

 C1CSETMGR.EXE
 CC1EVTMGR.EXE
 NAV1APSVC.EXE
 NPFM1NTOR.EXE
 s1ymlcsvc.exe
 SP1BBCSvc.exe
 SND1Srvc.exe
 ccA1pp.exe
 cc1l30.dll
 ccv1rtrst.dll
 LUAL1L.EXE
 AUPD1ATE.EXE
 Luup1date.exe
 LUI1NSDLL.DLL
 RuLa1unch.exe
 CM1Grdian.exe
 Mcsh1ield.exe
 outp1ost.exe
 Avc1onsol.exe
 Vshw1in32.exe
 Vs1Stat.exe
 Av1synmgr.exe
 kav12mm.exe
 Up222Date.exe
 K2A2V.exe
 avgc3c.exe
 avg23emc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zo3nealarm.exe
 zatu6tor.exe
 zl5avscan.dll
 zlcli6ent.exe
 is5a6fe.exe
 c6a5fix.exe
 vs6va5ult.dll
 a5v.dll
 ve6tre5dir.dll

Windows allows the image file of a running process to be renamed, so all the affected software keeps working until the next system restart. After the restart the affected software will fail to start because its files no longer exist under their original names.
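Because the renamed binaries keep running until the next reboot, a disk scan is the reliable way to find this damage before it takes effect. The following added example (not code from the original description) implements the check: a filename is flagged when it equals one of the known security-product filenames with one or more digits inserted, which is exactly the pattern in the two lists above. The directory listing is constructed; the KNOWN_FILES list is the page's own list of renamed files.

```python
# Added example, not part of the F-Secure description: detect security
# software binaries that Bagle.BY has renamed by inserting digits.

# Original filenames from the description.
KNOWN_FILES = [
    "CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "NPFMNTOR.EXE",
    "symlcsvc.exe", "SPBBCSvc.exe", "SNDSrvc.exe", "ccApp.exe", "ccl30.dll",
    "ccvrtrst.dll", "LUALL.EXE", "AUPDATE.EXE", "Luupdate.exe", "LUINSDLL.DLL",
    "RuLaunch.exe", "CMGrdian.exe", "Mcshield.exe", "outpost.exe",
    "Avconsol.exe", "Vshwin32.exe", "VsStat.exe", "Avsynmgr.exe", "kavmm.exe",
    "Up2Date.exe", "KAV.exe", "avgcc.exe", "avgemc.exe", "zonealarm.exe",
    "zatutor.exe", "zlavscan.dll", "zlclient.exe", "isafe.exe", "cafix.exe",
    "vsvault.dll", "av.dll", "vetredir.dll",
]


def is_digit_insertion(original, candidate):
    """True if `candidate` is `original` with one or more digits inserted
    (case-insensitive). Walk the candidate: every character must either match
    the next unmatched character of the original or be an inserted digit.
    Greedy matching is safe here because a skipped character must be a digit,
    so deferring a match never helps."""
    o, c = original.lower(), candidate.lower()
    if o == c:
        return False  # untouched original, not a rename
    i, extra = 0, 0
    for ch in c:
        if i < len(o) and ch == o[i]:
            i += 1
        elif ch.isdigit():
            extra += 1
        else:
            return False
    return i == len(o) and extra > 0


def find_renamed(listing, known=KNOWN_FILES):
    """Return (renamed_name, original_name) pairs found in a directory listing."""
    hits = []
    for name in listing:
        for orig in known:
            if is_digit_insertion(orig, name):
                hits.append((name, orig))
                break
    return hits


# Constructed listing of an anti-virus program directory after infection.
SAMPLE_LISTING = [
    "LUAL1L.EXE", "ccA1pp.exe", "cc1l30.dll", "K2A2V.exe", "Up222Date.exe",
    "ccvrtrst.dll",  # untouched original
    "kavmm.exe",     # untouched original that is a superstring of KAV.exe
    "notepad.exe",   # unrelated file
]

if __name__ == "__main__":
    for renamed, original in find_renamed(SAMPLE_LISTING):
        print(f"{renamed} -> was {original}")
```

The same pairs tell you how to repair the installation: rename each flagged file back to its original name before rebooting, or reinstall the product if in doubt, since the trojan also deletes the product's registry configuration.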

After this the trojan stops the following services (Windows Firewall/Internet Connection Sharing and Windows Security Center):

 SharedAccess
 wscsvc

Next, the trojan creates a thread that kills processes with the following names (mostly anti-virus updaters and firewalls):

 NUPGRADE.EXE
 MCUPDATE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 FIREWALL.EXE
 ATUPDATER.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 AUTODOWN.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 UPGRADER.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 CFIAUDIT.EXE
 UPDATE.EXE

Finally the trojan tries to download a file named 'osa4.gif' from a number of web servers. Despite the .gif name the download is treated as a program: it is saved to the Windows directory as 're_file.exe' and executed. The trojan tries to download the file from the following sites:

 www.yannick-spruyt.be
 www.yayadownload.com
 www.yesterdays.co.za
 www.yesterdays.co.za
 www.yshkj.com
 www.yshkj.com
 www.zakazcd.dp.ua
 www.students.stir.ac.uk
 www.zenesoftware.com
 www.zentek.co.za
 www.czzm.com
 www.izoli.sk
 www.zorbas.az
 www.zsbersala.edu.sk
 www.triptonic.ch
 www.tv-marina.com
 www.travelourway.com
 www.megaserve.net
 www.trgd.dobrcz.pl
 www.mild.at
 www.mild.at
 www.kingsley.ch
 www.mild.at
 www.elvis-presley.ch
 www.gomyhome.com.tw
 www.ider.cl
 www.ascolfibras.com
 www.on24.ee
 www.xojc.com
 www.x-treme.cz
 www.gymzn.cz
 www.gymzn.cz
 www.gymzn.cz
 www.xiantong.net
 www.xmpie.com
 www.xmpie.com
 www.xmtd.com
 www.onlink.net
 www.discoteka-funfactory.com
 www.toussain.be
 www.idcs.be
 www.gepeters.org
 www.angham.de
 www.idaf.de
 www.bolz.at
 www.societaet.de
 www.ppm-alliance.de
 www.udc-cassinadepecchi.it
 www.universe.sk
 www.jingjuok.com
 www.gemtrox.com.tw
 www.uspowerchair.com
 www.steripharm.com
 www.beall-cpa.com
 www.jcm-american.com
 www.vercruyssenelektro.be
 www.centrovestecasa.it
 www.vet24h.com
 www.vinimeloni.com
 www.vnrvjiet.ac.in
 www.vote2fateh.com
 www.marketvw.com
 www.formholz.at
 www.checkonemedia.nl
 www.fotomax.fi
 www.vw.press-bank.pl
 www.wamba.asn.au
 www.cz-wanjia.com
 www.czwanqing.com
 www.wdlp.co.za
 www.automobilonline.de
 www.bangyan.cn
 www.21ebuild.com
 www.eagle.com.cn
 www.eagleclub.com.cn
 www.eagleclub.com.cn
 www.sanjinyuan.com
 www.designgong.org
 www.fermegaroy.com
 www.welchcorp.com
 www.snsphoto.com
 www.soeco.org
 www.softmajor.ru
 www.solt3.org
 www.sqnsolutions.com
 www.spacium.biz
 www.speedcom.home.pl
 www.trago.com.pt
 www.spirit-in-steel.at
 www.spy.az
 www.st-paulus-bonn.dehtdocs
 www.stbs.com.hk
 www.acsohio.com
 www.olva.com.pe
 www.subsplanet.com
 www.sungodbio.com
 www.superbetcs.com
 www.vnn.vn
 www.sydolo.com
 www.szdiheng.com
 www.agria.hu
 www.externet.hu
 www.hondenservice.be
 www.ehc.hu
 www.tcicampus.net
 www.contentproject.com
 www.festivalteatrooccidente.com
 www.techni.com.cn
 www.festivalteatrooccidente.com
 www.thaifast.com
 www.thaiventure.com
 www.andi.com.vn
 www.replayu.com
 www.th-mutan.com
 www.thetexasoutfitter.com
 www.tmhcsd1987.friko.pl
 www.thenextstep.tv
 www.thenextstep.tv
 www.wesartproductions.com
 www.wilsonscountry.com
 www.windstar.pl
 www.wise-industries.com
 www.witold.pl
 www.witold.pl
 www.51.net
 www.slovanet.sk
 www.wombband.com
 www.datanet.hu
 www.uw.hu
 www.dgy.com.cn
 www.bs-security.de
 www.die-fliesen.de
 www.dom-invest.com.pl
 www.engelhardtgmbh.de
 www.triapex.cz
 www.fahrschule-herb.de
 www.fahrschule-lesser.de
 www.gimex-messzeuge.de
 www.inside-tgweb.de
 www.jue-bo.com
 www.niko.de
 www.nikogmbh.com
 www.renegaderc.com
 www.sachsenbuecher.de
 www.scvanravenswaaij.nl
 www.spoden.de
 www.sportnf.com
 www.sweb.cz
 www.tg-sandhausen-basketball.de
 www.thefunkiest.com
 www.thefunkiest.com
 www.jeoushinn.com
 www.presley.ch

We are monitoring these locations in order to catch any malware that the trojan's author places there.
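The download stage is the part of this trojan that is visible on the network: a request for 'osa4.gif' to one of the hosts listed above. The following added example (not code from the original description) scans web-proxy log lines for that request and lists the client addresses that fetched the payload. The log lines are constructed, the log format (time, client IP, method, URL, status) is assumed, only a subset of the hosts is included, and HTTP is assumed for the download; adapt the parser to your proxy's format and extend DOWNLOAD_HOSTS with the full list.

```python
# Added example, not part of the F-Secure description: find Bagle.BY
# download attempts in proxy logs.
from urllib.parse import urlsplit

PAYLOAD_NAME = "osa4.gif"

# Subset of the download hosts from the description (assumed sufficient for
# the example; extend with the full list from the page).
DOWNLOAD_HOSTS = {
    "www.yannick-spruyt.be", "www.yayadownload.com", "www.zakazcd.dp.ua",
    "www.students.stir.ac.uk", "www.mild.at", "www.xmpie.com",
    "www.datanet.hu",
}


def split_url(url):
    """Return (hostname, last path component), both lower-cased."""
    if "://" not in url:
        url = "http://" + url  # e.g. a bare host:port from a CONNECT line
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.path.rsplit("/", 1)[-1].lower()


def classify(line):
    """'payload' for a request that fetches osa4.gif from any host, 'host' for
    any other request to a known download host (weaker: these are ordinary
    compromised web sites), None otherwise. Assumed format:
    <time> <client IP> <method> <URL> <status>."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host, basename = split_url(parts[3])
    if basename == PAYLOAD_NAME:
        return "payload"
    if host in DOWNLOAD_HOSTS:
        return "host"
    return None


def scan(lines):
    """Return (kind, line) pairs for every suspicious line."""
    hits = []
    for line in lines:
        kind = classify(line)
        if kind:
            hits.append((kind, line))
    return hits


def infected_clients(lines):
    """Client addresses that actually requested the payload file."""
    return {line.split()[1] for kind, line in scan(lines) if kind == "payload"}


# Constructed log lines (not real traffic).
SAMPLE_LOG = """\
2005-08-09T10:14:02 10.0.0.17 GET http://www.mild.at/images/osa4.gif 200
2005-08-09T10:14:03 10.0.0.17 GET http://www.example.org/index.html 200
2005-08-09T10:14:05 10.0.0.17 GET http://www.xmpie.com/ 404
2005-08-09T10:14:09 10.0.0.42 GET http://cdn.example.net/cache/osa4.gif 200
2005-08-09T10:14:11 10.0.0.42 GET http://www.example.org/pics/osa4.gif?x=1 200
"""

if __name__ == "__main__":
    for kind, line in scan(SAMPLE_LOG.splitlines()):
        print(kind, line)
    print("clients to check:", sorted(infected_clients(SAMPLE_LOG.splitlines())))
```

Matching on the filename regardless of host is deliberate: the host list is only as complete as the sample analysed, and a new copy of the payload on an unlisted server would otherwise be missed.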




Detection

F-Secure Anti-Virus detects this malware starting from the following update:

[FSAV_Database_Version]

2005-08-09_01




Technical Details: Jarkko Turkulainen, August 9th, 2005;

Updated: Jarkko Turkulainen, August 12th, 2005;

F-Secure Corporation