Other versions: .aj, .f, .g, .h, .p, .r
| Detection added | Aug 20 2007 |
| Update released | Aug 24 2007 19:21 GMT |
| Description added | Sep 05 2007 |
| Behavior | TrojanDownloader |
This malicious program is the Trojan component of worms from the Email-Worm.Win32.Bagle
family. It downloads files via the Internet and launches them for execution
on the victim machine without the user’s knowledge or consent.
It is a Windows PE EXE file. Modifications of this program may vary in size
from 200KB to 320KB.
Installation
When launched, the Trojan copies its executable file to the following directory:
%System%\drivers\hidr.exe
In order to ensure that the Trojan is launched automatically each time the
system is booted, the Trojan adds a link to its executable file in the system
registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit" = "%System%\drivers\hidr.exe"
The Trojan also creates the following registry key and saves its configuration
to this key:
[HKCU\Software\FirstRRRun]
The Trojan then extracts a rootkit driver file from its executable file.
%System%\drivers\srosa.sys
The Trojan creates a service called "Megadrv3", which automatically
launches the driver file each time Windows is booted.
Once installed, the rootkit driver enables the Trojan to hide its files on
the hard disk, its entries in the system registry, and its process from the
system's list of running processes.
The Trojan terminates the processes of a large number of security products, including antivirus, firewall and anti-spyware applications.
The Trojan also stops and deletes a large number of services, including Windows Automatic Updates (wuauserv), Security Center (wscsvc), Windows Firewall/Internet Connection Sharing (SharedAccess) and the services of antivirus and firewall products.
It downloads a file from one of a long list of URLs carried by the Trojan.
The downloaded files are saved in the following folder:
%WinDir%\exefqd
under a random name composed of digits with an .exe extension. The downloaded
files are then launched for execution.
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Reboot the computer in Safe Mode (at the start of the boot sequence,
press and hold F8, then choose Safe Mode from the Windows boot menu).
- Use Task Manager to terminate the Trojan process (it may be called "hidr.exe").
- Delete the following files:
%System%\drivers\srosa.sys
%System%\drivers\hidr.exe
- Delete the original Trojan file (the location will depend on
how the program originally penetrated the victim machine).
- Delete the following parameter from the system registry (see "What is a
system registry and how do I use it" for details on how to edit the registry).
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit" = "%System%\drivers\hidr.exe"
- Delete the following registry key:
[HKCU\Software\FirstRRRun]
- Delete the following folder and its contents:
%WinDir%\exefqd
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).
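As an added example that is not part of the original description, the following PowerShell script checks a host for the artifacts named in the Installation section and in the removal steps above: the two dropped files, the drvsyskit Run value, the FirstRRRun key, the Megadrv3 service, the hidr.exe process and the %WinDir%\exefqd download folder. It assumes %System% is %SystemRoot%\System32 and that the account that ran the Trojan is the one currently logged on (the Run value and configuration key live in HKCU); because the srosa.sys rootkit hides these artifacts from a live system, run it from Safe Mode as the removal steps advise, or against an offline image.

```powershell
# Added example, not from the original description: looks for the persistence
# artifacts described on this page. Assumes %System% = %SystemRoot%\System32 and
# that the infected account is the one logged on. With the srosa.sys rootkit
# loaded, the files, registry entries and process below may be hidden.
$findings = @()

# Dropped files: the Trojan copy and the rootkit driver
$drivers = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($name in 'hidr.exe', 'srosa.sys') {
    $path = Join-Path $drivers $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# Download folder %WinDir%\exefqd, holding payloads named with digits plus .exe
$dropDir = Join-Path $env:SystemRoot 'exefqd'
if (Test-Path -LiteralPath $dropDir) {
    $payloads = @(Get-ChildItem -LiteralPath $dropDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+\.exe$' })
    $findings += "Download folder present: $dropDir ($($payloads.Count) numeric .exe files)"
}

# Autostart value "drvsyskit" and the configuration key, both under HKCU
# (if the Trojan ran under another account, check that hive under HKEY_USERS)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'drvsyskit' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value drvsyskit = $($run.drvsyskit)" }
if (Test-Path -LiteralPath 'HKCU:\Software\FirstRRRun') {
    $findings += 'Registry key HKCU\Software\FirstRRRun present'
}

# Service "Megadrv3" that loads the driver: read its Services key directly;
# if the rootkit hides the entry, it only becomes visible once the driver is not loaded
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Megadrv3'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service Megadrv3 registered, ImagePath = $img"
}

# Running Trojan process (process name without the .exe extension)
if (Get-Process -Name 'hidr' -ErrorAction SilentlyContinue) {
    $findings += 'Process hidr.exe is running'
}

if ($findings.Count -eq 0) {
    'No Bagle downloader artifacts from this description were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A clean result from a live system is not conclusive while the rootkit driver is loaded; repeat the check from Safe Mode before deciding the host is clean.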