Troj/BagleDl-Q is a downloading Trojan for the Windows platform.
Troj/BagleDl-Q attempts to download a file from one of several preconfigured URLs and execute it.
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/BagleDl-Q (detected as Troj/BagDl-Gen) since version 3.93.
Troj/BagleDl-Q is a downloading Trojan for the Windows platform. The Trojan attempts to download a file named osa.gif from 153 separate websites.
When first run, the Trojan copies itself to the Windows system folder as winshost.exe and drops a component, wiwshost.exe, into the same folder. The dropped component is injected into the explorer.exe process so that it cannot easily be terminated. The Trojan also creates the following registry entries so that it is started automatically at logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<Windows system folder>\winshost.exe
The downloaded file is saved as ile.exe in the Windows folder. If the download was successful, this file is then executed.
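The installation artifacts above (the winshost.exe Run values under HKLM and HKCU, the two executables in the system folder and the ile.exe payload in the Windows folder) can be checked offline from a registry export and two directory listings. The script below is an added example for triage and is not Sophos code; the `.reg` export subset it parses and the constructed sample inputs (including the benign `SecurityHealth` value, which is only there to show a non-hit) are assumptions made for the example.

```python
"""Offline triage for the Troj/BagleDl-Q installation artifacts.

Added example, not Sophos code. Input is text that can be captured from a
host with `reg export` and `dir` so the check runs anywhere; the samples at
the bottom are constructed to show what a positive result looks like.
"""
import re
from typing import Dict, List

# Artifacts named in the write-up.
RUN_VALUE_NAME = "winshost.exe"
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}   # Windows system folder
PAYLOAD_FILE = "ile.exe"                            # Windows folder
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and "name"="data" lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value and current is not None:
            # .reg files escape backslashes in string data; undo that.
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys


def find_run_entries(reg_text: str) -> List[str]:
    """Return Run-key values that autostart winshost.exe (by value name or target path)."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + RUN_VALUE_NAME):
                hits.append(f"{key}\\{name} = {data}")
    return hits


def find_dropped_files(system_listing: List[str], windows_listing: List[str]) -> List[str]:
    """Return the dropped components / downloaded payload present in the two folders."""
    hits = [f"system folder: {n}" for n in system_listing if n.lower() in DROPPED_FILES]
    hits += [f"windows folder: {n}" for n in windows_listing if n.lower() == PAYLOAD_FILE]
    return hits


# --- constructed sample inputs (not taken from a real host) -----------------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "winshost.exe", "wiwshost.exe"]
SAMPLE_WINDOWS_DIR = ["explorer.exe", "ile.exe"]


def triage(reg_text: str = SAMPLE_REG,
           system_listing: List[str] = SAMPLE_SYSTEM_DIR,
           windows_listing: List[str] = SAMPLE_WINDOWS_DIR) -> List[str]:
    """Combine both checks; an empty list means none of the artifacts were found."""
    return find_run_entries(reg_text) + find_dropped_files(system_listing, windows_listing)


if __name__ == "__main__":
    for hit in triage():
        print("HIT:", hit)
```

Because the dropped component runs inside explorer.exe, a hit on the Run value or the files is the reliable signal; a process listing will not show a separate wiwshost.exe process.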
The Trojan terminates the following processes:
AVExch32Service
AVPCC
AVUPDService
Ahnlab task Scheduler
AlertManger
AvgCore
AvgFsh
AvgServ
AvxIni
BackWeb Client - 7681197
BlackICE
CAISafe
DefWatch
F-Secure Gatekeeper Handler Starter
F-Secure Gatekeeper Handler Starter
FSDFWD
FSMA
FSMA
KAVMonitorService
KAVMonitorService
KLBLMain
MCVSRte
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
MonSvcNT
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
NPFMntor
NProtectService
NSCTOP
NVCScheduler
NWService
Network Associates Log Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
PAVSRV
PCCPFW
PREVSRV
PSIMSVC
PavPrSrv
PavProt
Pavkre
PersFW
SAVFMSE
SAVScan
SAVScan
SAVScan
SBService
SNDSrvc
SPBBCSvc
SWEEPSRV.SYS
SharedAccess
SmcService
SweepNet
Symantec AntiVirus Client
Symantec Core LC
Symantec Core LC
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
XCOMM
alerter
avg7alrt
avg7updsvc
avpcc
awhost32
backweb client - 4476822
backweb client-4476822
ccEvtMgr
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
dvpapi
dvpinit
fsbwsys
fsdfwd
kavsvc
mcupdmgr.exe
navapsvc
navapsvc
navapsvc
navapsvc
nvcoas
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
ravmon8
schscnt
sharedaccess
vsmon
vsmon
wuauserv
wuauserv
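A burst of security services entering the stopped state on one host is the observable side of the kill list above, and the Service Control Manager records each stop as System log event 7036. The script below is an added example, not Sophos code: it reads a few constructed log records (the comma-separated `timestamp,host,event_id,message` layout is an assumption; a real deployment would export from the event log or a SIEM), keeps 7036 stops of names drawn from the list above, and alerts when several land inside a short window. The page's list mixes short service names and display names, while 7036 messages carry the display name, so a production rule should map both forms.

```python
"""Detect the kill-list pattern in Windows System log records (event 7036).

Added example, not Sophos code. KILL_LIST is a slice of the names given on
the page; SAMPLE_LOG is constructed. Record format is assumed to be
'ISO8601,host,event_id,message'.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

KILL_LIST = {n.lower() for n in [
    "AVExch32Service", "McShield", "navapsvc", "ccEvtMgr", "ccSetMgr",
    "SAVScan", "SharedAccess", "vsmon", "wuauserv", "kavsvc", "NOD32Service",
    "Symantec AntiVirus Client", "Outpost Firewall", "BlackICE",
]}

STOP_RE = re.compile(r"^The (.+?) service entered the stopped state\.$")


def parse_record(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not fit the layout."""
    parts = line.split(",", 3)
    if len(parts) != 4:
        return None
    ts, host, event_id, msg = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "host": host,
                "id": int(event_id), "msg": msg}
    except ValueError:
        return None


def killed_service(rec: dict) -> Optional[str]:
    """Return the service name if the record is a 7036 stop of a kill-list service."""
    if rec["id"] != 7036:
        return None
    m = STOP_RE.match(rec["msg"])
    if m and m.group(1).lower() in KILL_LIST:
        return m.group(1)
    return None


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           threshold: int = 3) -> Dict[str, List[str]]:
    """Per host, report kill-list services stopped within `window` when at least `threshold` stop."""
    stops: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        svc = killed_service(rec)
        if svc:
            stops.setdefault(rec["host"], []).append((rec["ts"], svc))

    alerts: Dict[str, List[str]] = {}
    for host, events in stops.items():
        events.sort(key=lambda e: e[0])
        # Sliding window over the time-ordered stop events.
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[host] = [svc for _, svc in events[i:j]]
                break
    return alerts


# --- constructed sample records (not from a real host) ----------------------
SAMPLE_LOG = [
    "2005-03-01T10:00:01,WS01,7036,The Print Spooler service entered the running state.",
    "2005-03-01T10:00:02,WS01,7036,The McShield service entered the stopped state.",
    "2005-03-01T10:00:03,WS01,7036,The ccEvtMgr service entered the stopped state.",
    "2005-03-01T10:00:04,WS01,7036,The SharedAccess service entered the stopped state.",
    "2005-03-01T10:00:05,WS01,7036,The wuauserv service entered the stopped state.",
    "2005-03-01T09:00:00,WS02,7036,The McShield service entered the stopped state.",
    "2005-03-01T14:30:00,WS02,7036,The wuauserv service entered the stopped state.",
    "not,a,valid",
]

if __name__ == "__main__":
    for host, services in detect(SAMPLE_LOG).items():
        print(f"{host}: {len(services)} security services stopped in quick succession: {services}")
```

WS02 stops the same two services hours apart (routine restarts) and is not reported; WS01 loses four of them within seconds and is. Note that SharedAccess and wuauserv are Windows' own Internet Connection Sharing/Firewall and Automatic Updates services, so their appearance in the list also means the host stops receiving updates once the Trojan has run.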
Troj/BagleDl-Q deletes registry entries from the following locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
Troj/BagleDl-Q attempts to delete or rename files with any of the following names from all fixed drives:
AUPDATE.EXE
av.dll
Avconsol.exe
avgcc.exe
avgemc.exe
Avsynmgr.exe
cafix.exe
ccApp.exe
CCEVTMGR.EXE
ccl30.dll
CCSETMGR.EXE
ccvrtrst.dll
CMGrdian.exe
isafe.exe
KAV.exe
kavmm.exe
LUALL.EXE
LUINSDLL.DLL
Luupdate.exe
Mcshield.exe
NAVAPSVC.EXE
NPFMNTOR.EXE
outpost.exe
RuLaunch.exe
SNDSrvc.exe
SPBBCSvc.exe
symlcsvc.exe
Up2Date.exe
vetredir.dll
Vshwin32.exe
VsStat.exe
vsvault.dll
zatutor.exe
zlavscan.dll
zlclient.exe
zonealarm.exe