Troj/BagleDl-M

Category: Viruses and Spyware
Type: Trojan
Prevalence: Several Reports


Troj/BagleDl-M is a Trojan for the Windows platform.

The Trojan copies itself to the Windows system folder as winshost.exe and creates the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe

The Trojan also drops a second file, wiwshost.exe, into the Windows system folder.

Troj/BagleDl-M may alter registry values under the following:

HKLM\Software\Microsoft\DownloadManager
<various entries>

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
dword:00000004 (disabled)

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000004 (disabled)

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
dword:00000004 (disabled)
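The persistence entries and service changes above are easy to check against a registry export collected during triage. The following is an added example (not Sophos code) that parses a constructed `.reg` fragment and reports winshost.exe Run values and any of the three named services with a Start type of 4; the path C:\WINDOWS\system32 is an assumed value for the Windows system folder.

```python
import re
# Constructed .reg export reproducing the entries described in this write-up;
# C:\WINDOWS\system32 is an assumed value for <Windows system folder>.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
WATCHED_SERVICES = {"alerter", "sharedaccess", "wuauserv"}

def parse_reg(text):
    """Minimal .reg parser: {key (lower-cased): {value name (lower-cased): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys

def find_bagledl_m_traces(text):
    """Report Run values that launch winshost.exe and watched services set to disabled."""
    findings = []
    for key, values in parse_reg(text).items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if "winshost.exe" in data.lower():
                    findings.append(f"run value {name} launches {data}")
        elif key.startswith(SERVICES_PREFIX):
            svc = key[len(SERVICES_PREFIX):]
            # Start type 4 = SERVICE_DISABLED; anything else is left alone
            if svc in WATCHED_SERVICES and values.get("start") == "dword:00000004":
                findings.append(f"service {svc} set to disabled (Start=4)")
    return findings
```

The legitimate ccApp entry and the wuauserv key with Start=2 in the sample are not reported, so the function only fires on the changes this write-up describes.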

Troj/BagleDl-M attempts to disable other applications by removing the following registry values and keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
APVXDWIN

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KAV50

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_cc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avg7_emc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client

HKLM\Software\Symantec

HKLM\Software\McAfee

HKLM\Software\KasperskyLab

HKLM\Software\Agnitum

HKLM\Software\Panda Software

HKLM\Software\Zone Labs

Troj/BagleDl-M searches for the following files and renames them to similar-looking names in an attempt to prevent other processes from running them:

AUPDATE.EXE
av.dll
Avconsol.exe
avgcc.exe
avgemc.exe
Avsynmgr.exe
cafix.exe
ccApp.exe
CCEVTMGR.EXE
ccl30.dll
CCSETMGR.EXE
ccvrtrst.dll
CMGrdian.exe
isafe.exe
KAV.exe
kavmm.exe
LUALL.EXE
LUINSDLL.DLL
Luupdate.exe
Mcshield.exe
NAVAPSVC.EXE
NPFMNTOR.EXE
outpost.exe
RuLaunch.exe
SNDSrvc.exe
SPBBCSvc.exe
symlcsvc.exe
Up2Date.exe
vetredir.dll
Vshwin32.exe
VsStat.exe
vsvault.dll
zatutor.exe
zlavscan.dll
zlclient.exe
zonealarm.exe

For example, if the Trojan finds a file named zonealarm.exe it renames the file to zo3nealarm.exe.
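Because the renamed file differs from the original by a single inserted character, a directory listing can be screened for such copies by checking whether deleting any one character of a file name yields a name on the list above. The example below is added here (not Sophos code) and generalizes the zonealarm.exe case to one inserted character at any position; the watch-list is a constructed subset of the names listed above.

```python
# Constructed watch-list: a subset of the file names listed above, lower-cased.
KNOWN_AV_FILES = {"zonealarm.exe", "ccapp.exe", "mcshield.exe", "kav.exe",
                  "avgcc.exe", "outpost.exe", "navapsvc.exe"}

def original_of(name, known=KNOWN_AV_FILES):
    """Return the watch-list name that `name` was derived from by inserting exactly
    one character anywhere (zonealarm.exe -> zo3nealarm.exe), or None if `name` is
    intact or unrelated. Comparison is case-insensitive, as Windows file names are."""
    lowered = name.lower()
    if lowered in known:
        return None  # intact, not a renamed copy
    for i in range(len(lowered)):
        candidate = lowered[:i] + lowered[i + 1:]  # drop character i
        if candidate in known:
            return candidate
    return None

def find_renamed(listing, known=KNOWN_AV_FILES):
    """Map each renamed security-product file in a directory listing to its original name."""
    renamed = {}
    for name in listing:
        orig = original_of(name, known)
        if orig is not None:
            renamed[name] = orig
    return renamed

# Constructed directory listing: two renamed files, two intact ones, one unrelated.
SAMPLE_LISTING = ["zo3nealarm.exe", "ccApp.exe", "Mc7shield.exe", "kav.exe", "notepad.exe"]
```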

Troj/BagleDl-M writes a series of entries to the HOSTS file (typically located in <Windows system folder>\drivers\etc\) that map the hostnames of a number of security vendor, software update and advertising sites to 127.0.0.1, in an attempt to block access to them.

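A HOSTS file recovered from a suspect machine can be audited for this kind of tampering offline. The example below is added here (not Sophos code): it flags watch-listed hostnames mapped to a loopback or blackhole address and separately reports lines that carry a URL rather than a hostname, which the resolver never matches to a lookup but which no legitimate HOSTS file contains. The HOSTS content and the vendor watch-list are constructed for the example.

```python
# Constructed HOSTS file: the comment and localhost lines are what a clean file
# holds; the remaining entries are of the kind this Trojan writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.sophos.com
127.0.0.1 http://updates1.kaspersky-labs.com/updates/
127.0.0.1 ad.doubleclick.net
192.168.1.10 intranet.example.test
"""

# Assumed watch-list of security-vendor and update domains (not exhaustive).
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "sophos.com", "kaspersky-labs.com",
                   "kaspersky.com", "f-secure.com", "trendmicro.com", "microsoft.com")
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def on_watch_list(host, watched=WATCHED_DOMAINS):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (hijacked, malformed).
    hijacked:  watch-listed hostnames mapped to a loopback/blackhole address.
    malformed: lines whose name field is a URL; the resolver never matches such
               a token to a query, so they block nothing, but they are a tamper sign."""
    hijacked, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if "://" in name or "/" in name:
                malformed.append(raw.strip())
                continue
            host = name.lower()
            if host == "localhost":
                continue  # the one loopback mapping a clean file should have
            if addr in BLACKHOLE_ADDRS and on_watch_list(host, watched):
                hijacked.append(host)
    return hijacked, malformed
```

Advertising hosts such as ad.doubleclick.net are not on the watch-list and so are not reported; extend WATCHED_DOMAINS if those mappings matter in your environment.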

The Trojan may arrive via email as either dddd.exe or <several random digits>.rar.

Troj/BagleDl-M attempts to download files from several remote sites and then run them.
