F-Secure Trojan Information Pages : Bagle.GE [ Summary ] | [ Disinfection ] | [ Detailed Description ] | [ Detection ] Name: Bagle.GE Type: Trojan, Rootkit Category: Trojan Summary This Bagle related malware tries to disable security related software and hides itself and other Bagle components using rootkit techniques. Disinfection Detection and Disinfection of Rootkits If the rootkit is not detected or it is hidden so that FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here: http://www.f-secure.com/blacklight/ The BlackLight utility is also able to disinfect computers that are infected by rootkits. Back to the Top Detailed Description Installation to the System When Bagle.GE is run, it creates a directory named 'hidires' in the user's 'Application Data' folder. It copies itself as: %User%\Application Data\hidires\hidr.exe The trojan also drops the following driver file to the same folder: %User%\Application Data\hidires\m_hook.sys The trojan installs the following registry launchpoint as a string value: [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "drvsyskit" = "%System%\hidr.exe" Payload Bagle.GE tries to disable several AV and other security related software. Rootkit Details Bagle.GE loads a kernel-mode driver (m_hook.sys) that it uses to hide itself and another Bagle related malware: http://www.f-secure.com/v-descs/bagle_gf.shtml The driver is able to hide the following items: Processes Files and directories Registry keys and values When it loads it replaces the following function pointers from the system service table: NtCreateFile NtEnumerateKey NtEnumerateValueKey NtQueryDirectoryFile NtQueryKey NtQuerySystemInformation The driver is configured by the user-mode component (hidr.exe). The following data is sent to define items that will be hidden: List of hidden processes: hidr.exe wintems.exe filesnamec001.exe filesnamec002.exe filesnamec003.exe filesnamec004.exe filesnamec005.exe filesnamec006.exe List of hidden files or directories: m_hook.sys ldr64.dll wintems.exe hidr.exe hidires filesnames001.exe filesnames002.exe filesnames003.exe filesnames004.exe filesnames005.exe filesnames006.exe List of hidden registry keys: nkeyjej1 nkeyjej2 List of hidden registry values: drvsyskit german.exe key000s01 key000s02 key000s03 key000s04 key000s05 The user-mode component will also send information about image names that will be considered as trusted and will not be affected by any of the hooks: m_hook.sys hidr.exe wintems.exe filesnamec001.exe filesnamec002.exe filesnamec003.exe filesnamec004.exe filesnamec005.exe filesnamec006.exe The file hiding code is somewhat limited. It is only able to hide a single file from each directory. The NtCreateFile hook is special. Its sole purpose is to delete any security related files when they are opened. This list is also sent by the user-mode component and consists of the following items: KWatch.EXE livesrv.exe LOCKDOWN2000.EXE LogWatNT.exe lpfw.exe LUALL.EXE LUCOMSERVER.EXE Luupdate.exe MCAGENT.EXE mcmnhdlr.exe mcregwiz.exe Mcshield.exe MCUPDATE.EXE mcvsshld.exe MINILOG.EXE MONITOR.EXE MonSysNT.exe MOOLIVE.EXE MpEng.exe mpssvc.exe MSMPSVC.exe myAgtSvc.exe myagttry.exe navapsvc.exe NAVAPW32.EXE NavLu32.exe NAVW32.EXE NDD32.EXE NeoWatchLog.exe NeoWatchTray.exe NISSERV NISUM.EXE NMAIN.EXE nod32.exe nod32krn.exe nod32kui.exe NORMIST.EXE notstart.exe npavtray.exe NPFMNTOR.EXE npfmsg.exe NPROTECT.EXE NSCHED32.EXE NSMdtr.exe NssServ.exe NssTray.exe ntrtscan.exe NTXconfig.exe NUPGRADE.EXE NVC95.EXE Nvcod.exe Nvcte.exe Nvcut.exe NWService.exe OfcPfwSvc.exe OUTPOST.EXE PAV.EXE PavFires.exe PavFnSvr.exe Pavkre.exe PavProt.exe pavProxy.exe pavprsrv.exe pavsrv51.exe PAVSS.EXE pccguide.exe PCCIOMON.EXE pccntmon.exe PCCPFW.exe PcCtlCom.exe PCTAV.exe PERSFW.EXE pertsk.exe PERVAC.EXE PNMSRV.EXE POP3TRAP.EXE POPROXY.EXE prevsrv.exe PsImSvc.exe QHM32.EXE QHONLINE.EXE QHONSVC.EXE QHPF.EXE qhwscsvc.exe RavMon.exe RavTimer.exe Realmon.exe REALMON95.EXE Rescue.exe rfwmain.exe Rtvscan.exe RTVSCN95.EXE RuLaunch.exe SAVAdminService.exe SAVMain.exe savprogress.exe SAVScan.exe SCAN32.EXE ScanningProcess.exe sched.exe sdhelp.exe SERVIC~1.EXE SHSTAT.EXE SiteCli.exe smc.exe SNDSrvc.exe SPBBCSvc.exe SPHINX.EXE spiderml.exe spidernt.exe Spiderui.exe SpybotSD.exe SPYXX.EXE SS3EDIT.EXE stopsignav.exe swAgent.exe swdoctor.exe SWNETSUP.EXE symlcsvc.exe SymProxySvc.exe SymSPort.exe SymWSC.exe SYNMGR.EXE TAUMON.EXE TBMon.exe TC.EXE tca.exe TCM.EXE TDS-3.EXE TeaTimer.exe TFAK.EXE THAV.EXE THSM.EXE Tmas.exe tmlisten.exe Tmntsrv.exe TmPfw.exe tmproxy.exe TNBUtil.exe TRJSCAN.EXE Up2Date.exe UPDATE.EXE UpdaterUI.exe upgrepl.exe Vba32ECM.exe Vba32ifs.exe vba32ldr.exe Vba32PP3.exe VBSNTW.exe vchk.exe vcrmon.exe VetTray.exe VirusKeeper.exe VPTRAY.EXE vrfwsvc.exe VRMONNT.EXE vrmonsvc.exe vrrw32.exe VSECOMR.EXE Vshwin32.exe vsmon.exe vsserv.exe VsStat.exe WATCHDOG.EXE WebProxy.exe Webscanx.exe WEBTRAP.EXE WGFE95.EXE Winaw32.exe winroute.exe winss.exe winssnotify.exe WRADMIN.EXE WRCTRL.EXE xcommsvr.exe zatutor.exe ZAUINST.EXE zlclient.exe zonealarm.exe _AVP32.EXE _AVPCC.EXE _AVPM.EXE In addition, the driver contains code that will prevent certain security related processes and kernel-mode modules from running. However, this code is not yet in use. Back to the Top Detection F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2006-03-23_04. Back to the Top Write-up: Jarkko Turkulainen, March 24, 2006 Technical Details: Jarkko Turkulainen and Kimmo Kasslin, March 24, 2006 Description Updated: Kimmo Kasslin, March 24, 2006 F-Secure Corporation