F-Secure
Tools
Email-Worm:W32/Bagle.HR
| Name : | Email-Worm:W32/Bagle.HR |
| Category: | Malware |
| Type: | Trojan-Downloader |
| Platform: | W32 |
| Date of Discovery: | April 08, 2007 |
Summary
Email-Worm:W32/Bagle.HR is a trojan-downloader with rootkit technology.
Disinfection
Detection and Disinfection of Rootkits
If the rootkit is not detected or it is hidden so that FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
If the rootkit is not detected or it is hidden so that FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
Additional Details
Upon executing Email-Worm:W32/Bagle.HR for the first time it shows the following dialog box as a decoy:
It will display the same message regardless of the file chosen.
In order to check itself for first execution, Email-Worm:W32/Bagle.HR checks the following registry entry:
If the said registry entry is available it will no longer show the dialog box.
Email-Worm:W32/Bagle.HR drops copies of itself in the following path and filename:
It also drops the following rootkit driver to hide its malicious activities:
To enable automatic execution upon boot, it adds the following auto start entry but waits for 300000 ms before adding it:
It also adds its rootkit driver component as a service by adding the following changes to the registry:
Email-Worm:W32/Bagle.HR deletes the following key in order to prevent the user from booting into safemode:
Email-Worm:W32/Bagle.HR downloads other malware from the following links:
The rootkit driver terminates and deletes the following files that are related to antivirus software:
It will display the same message regardless of the file chosen.
In order to check itself for first execution, Email-Worm:W32/Bagle.HR checks the following registry entry:
• HKEY_CURRENT_USER\Software\FirstRRRun
FirstRR23232Run = dword:00000001
FirstRR23232Run = dword:00000001
If the said registry entry is available it will no longer show the dialog box.
Email-Worm:W32/Bagle.HR drops copies of itself in the following path and filename:
• %Local AppData folder%\hidires\flec003.exe
• %Local AppData folder%\hidires\hidr.exe
It also drops the following rootkit driver to hide its malicious activities:
• %Local AppData folder%\hidires\m_hook.sys
To enable automatic execution upon boot, it adds the following auto start entry but waits for 300000 ms before adding it:
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drvsyskit = %Local AppData folder%\hidires\hidr.exe
drvsyskit = %Local AppData folder%\hidires\hidr.exe
It also adds its rootkit driver component as a service by adding the following changes to the registry:
• HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Type = dword:00000001
Start = dword:00000004
DisplayName = "Empty"
ImagePath = %Local Application Data Folder%\hidires\m_hook.sys
Type = dword:00000001
Start = dword:00000004
DisplayName = "Empty"
ImagePath = %Local Application Data Folder%\hidires\m_hook.sys
Email-Worm:W32/Bagle.HR deletes the following key in order to prevent the user from booting into safemode:
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Email-Worm:W32/Bagle.HR downloads other malware from the following links:
• http://5050clothing.com/mu[REMOVED].php
• http://axelero.hu/mu[REMOVED].php
• http://calamarco.com/mu[REMOVED].php
• http://charlesspaans.com/mu[REMOVED].php
• http://chatsk.wz.cz/mu[REMOVED].php
• http://checkalertusa.com/mu[REMOVED].php
• http://cibernegocios.com.ar/mu[REMOVED].php
• http://cof666.shockonline.net/mu[REMOVED].php
• http://comaxtechnologies.net/mu[REMOVED].php
• http://concellodesandias.com/mu[REMOVED].php
• http://dev.jintek.com/mu[REMOVED].php
• http://dogoodesign.ch/mu[REMOVED].php
• http://donchef.com/mu[REMOVED].php
• http://erich-kaestner-schule-donaueschingen.de/mu[REMOVED].php
• http://foxvcoin.com/mu[REMOVED].php
• http://grupdogus.de/mu[REMOVED].php
• http://hotchillishop.de/mu[REMOVED].php
• http://ilikesimple.com/mu[REMOVED].php
• http://innovation.ojom.net/mu[REMOVED].php
• http://kisalfold.com/mu[REMOVED].php
• http://knickimbit.de/mu[REMOVED].php
• http://kremz.ru/mu[REMOVED].php
• http://massgroup.de/mu[REMOVED].php
• http://poliklinika-vajnorska.sk/mu[REMOVED].php
• http://svatba.viskot.cz/mu[REMOVED].php
• http://systemforex.de/mu[REMOVED].php
• http://uwua132.org/mu[REMOVED].php
• http://v-v-kopretiny.ic.cz/mu[REMOVED].php
• http://vanvakfi.com/mu[REMOVED].php
• http://vega-sps.com/mu[REMOVED].php
• http://vidus.ru/mu[REMOVED].php
• http://viralstrategies.com/mu[REMOVED].php
• http://Vivamodelhobby.com/mu[REMOVED].php
• http://vkinfotech.com/mu[REMOVED].php
• http://vproinc.com/mu[REMOVED].php
• http://vytukas.com/mu[REMOVED].php
• http://waisenhaus-kenya.ch/mu[REMOVED].php
• http://watsrisuphan.org/mu[REMOVED].php
• http://wbecanada.com/mu[REMOVED].php
• http://web-comp.hu/mu[REMOVED].php
• http://webfull.com/mu[REMOVED].php
• http://welvo.com/mu[REMOVED].php
• http://wvpilots.org/mu[REMOVED].php
• http://www.ag.ohio-state.edu/mu[REMOVED].php
• http://www.ag.ohio-state.edu/mu[REMOVED].php
• http://www.chapisteriadaniel.com/mu[REMOVED].php
• http://www.chittychat.com/mu[REMOVED].php
• http://www.cort.ru/mu[REMOVED].php
• http://www.crfj.com/mu[REMOVED].php
• http://www.kersten.de/mu[REMOVED].php
• http://www.kljbwadersloh.de/mu[REMOVED].php
• http://www.voov.de/mu[REMOVED].php
• http://www.walsch.de/mu[REMOVED].php
• http://www.wchat.cz/mu[REMOVED].php
• http://www.wg-aufbau-bautzen.de/mu[REMOVED].php
• http://www.wzhuate.com/mu[REMOVED].php
• http://xotravel.ru/mu[REMOVED].php
• http://yeniguntugla.com/mu[REMOVED].php
• http://zebrachina.net/mu[REMOVED].php
• http://zsnabreznaknm.sk/mu[REMOVED].php
The rootkit driver terminates and deletes the following files that are related to antivirus software:
• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• a2guard.exe
• aavshield.exe
• AckWin32.exe
• ADVCHK.EXE
• AhnSD.exe
• airdefense.exe
• ALERTSVC.EXE
• ALMon.exe
• ALOGSERV.EXE
• ALsvc.exe
• amon.exe
• Anti-Trojan.exe
• AntiVirScheduler
• AntiVirService
• ANTS.EXE
• APVXDWIN.EXE
• Armor2net.exe
• ashAvast.exe
• ashDisp.exe
• ashEnhcd.exe
• ashMaiSv.exe
• ashPopWz.exe
• ashServ.exe
• ashSimpl.exe
• ashSkPck.exe
• ashWebSv.exe
• aswUpdSv.exe
• ATCON.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• avciman.exe
• Avconsol.exe
• AVENGINE.EXE
• avgamsvr.exe
• avgcc.exe
• AVGCC32.EXE
• AVGCTRL.EXE
• avgemc.exe
• avgfwsrv.exe
• AVGNT.EXE
• avgntdd
• avgntmgr
• AVGSERV.EXE
• AVGUARD.EXE
• avgupsvc.exe
• avinitnt.exe
• AvkServ.exe
• AVKService.exe
• AVKWCtl.exe
• AVP.EXE
• AVP32.EXE
• avpcc.exe
• avpm.exe
• AVPUPD.EXE
• AVSCHED32.EXE
• avsynmgr.exe
• AVWUPD32.EXE
• AVWUPSRV.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT.EXE
• AVXQUAR.EXE
• BackWeb-4476822.exe
• bdmcon.exe
• bdnews.exe
• bdoesrv.exe
• bdss.exe
• bdsubmit.exe
• bdswitch.exe
• blackd.exe
• blackice.exe
• cafix.exe
• ccApp.exe
• ccEvtMgr.exe
• ccProxy.exe
• ccSetMgr.exe
• CFIAUDIT.EXE
• ClamTray.exe
• ClamWin.exe
• Claw95.exe
• Claw95cf.exe
• cleaner.exe
• cleaner3.exe
• CliSvc.exe
• CMGrdian.exe
• cpd.exe
• DefWatch.exe
• DOORS.EXE
• DrVirus.exe
• drwadins.exe
• drweb32w.exe
• drwebscd.exe
• DRWEBUPW.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ewidoctrl.exe
• EzAntivirusRegistrationCheck.exe
• F-AGNT95.EXE
• F-PROT95.EXE
• F-Sched.exe
• F-StopW.EXE
• FAMEH32.EXE
• FAST.EXE
• FCH32.EXE
• FireSvc.exe
• FireTray.exe
• FIREWALL.EXE
• fpavupdm.exe
• freshclam.exe
• FRW.EXE
• fsav32.exe
• fsavgui.exe
• fsbwsys.exe
• fsdfwd.exe
• FSGK32.EXE
• fsgk32st.exe
• fsguiexe.exe
• FSM32.EXE
• FSMA32.EXE
• FSMB32.EXE
• fspex.exe
• fssm32.exe
• gcasDtServ.exe
• gcasServ.exe
• GIANTAntiSpywareMain.exe
• GIANTAntiSpywareUpdater.exe
• GUARD.EXE
• GUARDGUI.EXE
• GuardNT.exe
• HRegMon.exe
• Hrres.exe
• HSockPE.exe
• HUpdate.EXE
• iamapp.exe
• iamserv.exe
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFACE.EXE
• INETUPD.EXE
• InocIT.exe
• InoRpc.exe
• InoRT.exe
• InoTask.exe
• InoUpTNG.exe
• IOMON98.EXE
• isafe.exe
• ISATRAY.EXE
• ISRV95.EXE
• ISSVC.exe
• JEDI.EXE
• KAV.exe
• kavmm.exe
• KAVPF.exe
• KavPFW.exe
• KAVStart.exe
• KAVSvc.exe
• KAVSvcUI.EXE
• KMailMon.EXE
• KPfwSvc.EXE
• KWatch.EXE
• livesrv.exe
• LOCKDOWN2000.EXE
• LogWatNT.exe
• lpfw.exe
• LUALL.EXE
• LUCOMSERVER.EXE
• Luupdate.exe
• MCAGENT.EXE
• mcmnhdlr.exe
• mcregwiz.exe
• Mcshield.exe
• MCUPDATE.EXE
• mcvsshld.exe
• MINILOG.EXE
• MONITOR.EXE
• MonSysNT.exe
• MOOLIVE.EXE
• MpEng.exe
• mpssvc.exe
• MSMPSVC.exe
• myAgtSvc.exe
• myagttry.exe
• navapsvc.exe
• NAVAPW32.EXE
• NavLu32.exe
• NAVW32.EXE
• NDD32.EXE
• NeoWatchLog.exe
• NeoWatchTray.exe
• NISSERV
• NISUM.EXE
• NMAIN.EXE
• nod32.exe
• nod32krn.exe
• nod32kui.exe
• NORMIST.EXE
• notstart.exe
• npavtray.exe
• NPFMNTOR.EXE
• npfmsg.exe
• NPROTECT.EXE
• NSCHED32.EXE
• NSMdtr.exe
• NssServ.exe
• NssTray.exe
• ntrtscan.exe
• NTXconfig.exe
• NUPGRADE.EXE
• NVC95.EXE
• Nvcod.exe
• Nvcte.exe
• Nvcut.exe
• NWService.exe
• OfcPfwSvc.exe
• OUTPOST.EXE
• PAV.EXE
• PavFires.exe
• PavFnSvr.exe
• Pavkre.exe
• PavProt.exe
• pavProxy.exe
• pavprsrv.exe
• pavsrv51.exe
• PAVSS.EXE
• pccguide.exe
• PCCIOMON.EXE
• pccntmon.exe
• PCCPFW.exe
• PcCtlCom.exe
• PCTAV.exe
• PERSFW.EXE
• pertsk.exe
• PERVAC.EXE
• PNMSRV.EXE
• POP3TRAP.EXE
• POPROXY.EXE
• prevsrv.exe
• PsImSvc.exe
• QHM32.EXE
• QHONLINE.EXE
• QHONSVC.EXE
• QHPF.EXE
• qhwscsvc.exe
• RavMon.exe
• RavTimer.exe
• Realmon.exe
• REALMON95.EXE
• Rescue.exe
• rfwmain.exe
• Rtvscan.exe
• RTVSCN95.EXE
• RuLaunch.exe
• SAVAdminService.exe
• SAVMain.exe
• savprogress.exe
• SAVScan.exe
• SCAN32.EXE
• ScanningProcess.exe
• sched.exe
• sdhelp.exe
• SERVIC~1.EXE
• SHSTAT.EXE
• SiteCli.exe
• smc.exe
• SNDSrvc.exe
• SPBBCSvc.exe
• SPHINX.EXE
• spiderml.exe
• spidernt.exe
• Spiderui.exe
• SpybotSD.exe
• SPYXX.EXE
• SS3EDIT.EXE
• stopsignav.exe
• swAgent.exe
• swdoctor.exe
• SWNETSUP.EXE
• symlcsvc.exe
• SymProxySvc.exe
• SymSPort.exe
• SymWSC.exe
• SYNMGR.EXE
• TAUMON.EXE
• TBMon.exe
• TC.EXE
• tca.exe
• TCM.EXE
• TDS-3.EXE
• TeaTimer.exe
• TFAK.EXE
• THAV.EXE
• THSM.EXE
• Tmas.exe
• tmlisten.exe
• Tmntsrv.exe
• TmPfw.exe
• tmproxy.exe
• TNBUtil.exe
• TRJSCAN.EXE
• Up2Date.exe
• UPDATE.EXE
• UpdaterUI.exe
• upgrepl.exe
• Vba32ECM.exe
• Vba32ifs.exe
• vba32ldr.exe
• Vba32PP3.exe
• VBSNTW.exe
• vchk.exe
• vcrmon.exe
• VetTray.exe
• VirusKeeper.exe
• VPTRAY.EXE
• vrfwsvc.exe
• VRMONNT.EXE
• vrmonsvc.exe
• vrrw32.exe
• VSECOMR.EXE
• Vshwin32.exe
• vsmon.exe
• vsserv.exe
• VsStat.exe
• WATCHDOG.EXE
• WebProxy.exe
• Webscanx.exe
• WEBTRAP.EXE
• WGFE95.EXE
• Winaw32.exe
• winroute.exe
• winss.exe
• winssnotify.exe
• WRADMIN.EXE
• WRCTRL.EXE
• xcommsvr.exe
• zatutor.exe
• ZAUINST.EXE
• zlclient.exe
• zonealarm.exe