Wilders Security Forums  

  #1  
Old March 3rd, 2005, 07:28 PM
Randy_Bell
Updates Team
 
Join Date: May 2002
Location: Santa Clara, CA
Posts: 3,053
VSAntivirus: W32/Bagle.BA,BB - injected into Explorer

W32/Bagle.BA,BB. It is injected into the Explorer process

Spanish Links:
http://www.vsantivirus.com/bagle-ba.htm
http://www.vsantivirus.com/bagle-bb.htm

English Transl:
http://babelfish.altavista.com/babel...2fbagle-ba.htm
http://babelfish.altavista.com/babel...2fbagle-bb.htm

Quote:
W32/Bagle.BB. It is injected into the Explorer process
http://www.vsantivirus.com/bagle-bb.htm

Name: W32/Bagle.BB
Name NOD32: Win32/Bagle.BB
Type: Trojan horse and Internet worm
Alias: Bagle.BB, Win32/Bagle.BB, Trojan.Tooso.D, Email-Worm.Win32.Bagle.bb, Win32.Bagle.BB, Win32/Bagle.BB!Worm, Email-Worm.Win32.Bagle.pac
Date: 1/mar/05
Platform: Windows NT, 2000, XP
Size: 34,304 bytes (modified FSG)
Cleaning tool

This variant of Bagle was detected on March 1, 2005, and was sent massively as spam.

It is a Trojan that releases the worm on infected machines, acting as a dropper. A "dropper" file has the capacity to create a virus and infect the user's system when executed.

The Trojan is sent as an attachment with one of these names:

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zp
new__price.zip

The ZIP file always contains the following file:

doc_43.exe

DOC_43.EXE is a copy of the Trojan. When executed, it copies itself to the following location:

c:\windows\system32\WINSHOST.EXE

It creates the following registry entries to run itself automatically on each Windows restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe = "winshost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe = "winshost.exe"

Then the Trojan releases the following file:

c:\windows\system32\WIWSHOST.EXE

WIWSHOST.EXE is in fact a DLL (Dynamic Link Library) of 18,944 bytes, which it tries to inject into the Explorer.exe process using the function "CreateRemoteThread". This function exists only in Windows with NT technology (NT, 2000, XP). It creates a new thread in any process and executes its code.

After the code injection, WINSHOST.EXE ends its execution, and the malicious process called WIWSHOST keeps running, concealed within Explorer's own task.
  #2  
Old March 3rd, 2005, 08:18 PM
Randy_Bell
Updates Team
 
Join Date: May 2002
Location: Santa Clara, CA
Posts: 3,053
Re: VSAntivirus: W32/Bagle.BA,BB - injected into Explorer

McAfee: W32/Bagle.dldr

Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 11/1/2004
Date Added: 11/2/2004
Origin: Unknown
Length: Varies (PeX packed)
Type: Trojan
SubType: Downloader Generic
DAT Required: 4404

Quote:
Virus Characteristics

-- Update 1st March, 2005 --

Due to increased prevalence, the risk assessment of this threat has been raised to MEDIUM. The specified DAT files will be released early to address this threat.

New variants of this Bagle downloader have been mass-spammed in the last 12 hours. These variants are not known at present to be dropped by any mass-mailing Bagle variants, and these variants do not mass-mail themselves.

This variant copies itself to %WinDir%\system32 as WINSHOST.EXE (34,304 bytes) and adds the following registry hooks:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe

It drops a file wiwshost.exe (18,944 bytes), which is detected by 4333 DATs and above as W32/Bagle.dll.gen. This file gets injected into the EXPLORER process and tries to download a file zo2.jpg from various sites. (Refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.

See above link for further technical details.
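Both advisories in this thread describe the same two host indicators: the Run-key entries under HKCU and HKLM pointing at winshost.exe, and the two dropped files with their sizes (winshost.exe at 34,304 bytes, wiwshost.exe at 18,944 bytes). The script below is an added example written for this thread, not code from VSAntivirus, McAfee or Wilders: it parses a .reg export of the two Run keys, flags entries matching those names, and checks a directory inventory against the stated sizes. The .reg text and the directory listing are constructed sample input; the extra rule that flags a Run value given as a bare file name with no path (the form VSAntivirus shows for winshost.exe) is a hunting heuristic of my own, not something the advisories state.

```python
# Added example (not from the VSAntivirus or McAfee advisories): check Run-key
# persistence entries and dropped-file indicators described in the thread.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# File names and sizes stated in the two advisories above.
BAGLE_FILES: Dict[str, int] = {"winshost.exe": 34304, "wiwshost.exe": 18944}

# Autorun keys named in both advisories (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

REASON_IOC = "Bagle.BB persistence file name"
REASON_BARE = "bare file name resolved via search path (heuristic, not from the advisories)"


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="data" string values. Returns (key, name, data) triples with the
    .reg backslash escaping undone."""
    entries: List[Tuple[str, str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()


def scan_run_keys(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag Run-key values whose target (or value name) is a Bagle.BB file name.
    As a heuristic beyond the advisories, also flag values that are a bare
    file name with no path, the form VSAntivirus lists for winshost.exe."""
    findings: List[Finding] = []
    for key, name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        if basename(data) in BAGLE_FILES or name.lower() in BAGLE_FILES:
            findings.append(Finding(key, name, data, REASON_IOC))
        elif "\\" not in data.strip('"'):
            findings.append(Finding(key, name, data, REASON_BARE))
    return findings


def check_files(listing: Dict[str, int]) -> List[str]:
    """listing maps a full path to its size in bytes (e.g. from a directory
    inventory). An advisory file name whose size also matches is reported as
    a strong match; a name match alone as weaker."""
    out: List[str] = []
    for path, size in listing.items():
        exe = basename(path)
        if exe in BAGLE_FILES:
            strength = "size matches advisory" if size == BAGLE_FILES[exe] else "name only, size differs"
            out.append(f"{path}: {strength}")
    return out


# Constructed sample input: a .reg export of both Run keys on a host carrying
# the two entries from the advisories next to two benign ones.
REG_SAMPLE = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winshost.exe"="winshost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"winshost.exe"="%WinDir%\\system32\\winshost.exe"
'''

# Constructed sample directory inventory (path -> size in bytes).
DIR_SAMPLE = {
    r"C:\WINDOWS\system32\winshost.exe": 34304,
    r"C:\WINDOWS\system32\wiwshost.exe": 18944,
    r"C:\WINDOWS\system32\svchost.exe": 14336,
}

if __name__ == "__main__":
    for f in scan_run_keys(parse_reg_export(REG_SAMPLE)):
        print(f"{f.key}\\{f.name} = {f.data!r}: {f.reason}")
    for line in check_files(DIR_SAMPLE):
        print(line)
```

On a real host the input would come from `reg export` of each Run key and from a file inventory of %WinDir%\system32; a name match with a differing size is still worth a look, since both advisories note the files are packed and McAfee lists the length as varying.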
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums