Troj/BagleDl-R is a downloader Trojan which will download, install and run new software without notification that it is doing so.
Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related applications
Troj/BagleDl-R then attempts to download files from remote websites and run them.
Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate itself.
When first run, Troj/BagleDl-R copies itself to <System>\winshost.exe and creates the file <System>\wiwshost.exe. The file <System>\wiwshost.exe is also detected by Sophos as Troj/BagleDl-R.
The following registry entries are created to run winshost.exe on startup (key\value = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winshost.exe = <System>\winshost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winshost.exe = <System>\winshost.exe
The Start value of the following services is set to 4 (SERVICE_DISABLED), so the Alerter, SharedAccess (Windows Firewall/Internet Connection Sharing) and wuauserv (Automatic Updates) services no longer start:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter\Start = 00000004
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 00000004
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 00000004
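As an added example (not part of the Sophos analysis), the following Python script parses a `reg export` style dump and flags the two registry indicators described above: the winshost.exe Run entries and the services whose Start value has been set to 4. The .reg text is constructed for illustration and is not taken from an infected host.

```python
"""Triage an exported Windows registry (.reg) text for the Troj/BagleDl-R
persistence entries and the disabled-service settings described above."""
import re

# Constructed sample of `reg export` output (not from a real infected host):
# one Run-key persistence entry, one disabled service, one untouched service.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"avg7_cc"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
SERVICES = ("ALERTER", "SHAREDACCESS", "WUAUSERV")   # services the Trojan disables
SERVICE_DISABLED = 4                                  # Start value meaning "disabled"


def parse_reg(text):
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers,
    "name"="string" and "name"=dword:xxxxxxxx values. Keys are upper-cased so
    lookups are case-insensitive, as the registry itself is."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).upper()
            keys[current] = {}
            continue
        m = re.fullmatch(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))', line)
        if m and current is not None:
            name, string, dword = m.groups()
            # .reg doubles backslashes inside string data; undo that escaping.
            keys[current][name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys


def find_indicators(reg):
    """Return human-readable findings for the indicators listed on this page."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if "winshost.exe" in (name + str(data)).lower():
                findings.append(f"persistence: {key}\\{name} -> {data}")
    for svc in SERVICES:
        key = rf"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\{svc}"
        if reg.get(key, {}).get("Start") == SERVICE_DISABLED:
            findings.append(f"service disabled: {svc}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the Services key) from a suspect host; the Run-key match is a strong indicator, while a disabled service alone only warrants a closer look.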
Troj/BagleDl-R creates a new version of the HOSTS file. The new HOSTS file will typically contain the following:
127.0.0.1 localhost
Troj/BagleDl-R also attempts to modify or delete the following registry entries (key\value) belonging to security products:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
and the following keys:
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs