Saturday, 25 February 2012

TrojanDownloader:Win32/Bagle.ACB


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 04, 2010

Aliases
  • W32/Bagle.dldr (McAfee)
  • WORM_BAGLE.DGM (Trend Micro)
  • Trojan-Downloader.Win32.Bagle.bdt (Kaspersky)
  • Trojan Horse (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.93.2009.0
Released: Nov 16, 2010
Detection initially created:
Definition: 1.79.42.0
Released: Mar 16, 2010



Summary

TrojanDownloader:Win32/Bagle.ACB is a member of Win32/Bagle - a multicomponent family of worms that may spread via email and peer to peer file sharing networks. Win32/Bagle may also contain backdoor functionality that allows unauthorized access to an affected machine, and may download and execute arbitrary files.



Symptoms

System changes
The following system changes may indicate the presence of this malware:
Presence of the following files:
c:\documents and settings\administrator\application data\drivers\111wfs1intwq.sys
c:\documents and settings\administrator\application data\drivers\11s11ro1s1a2.sys
c:\documents and settings\administrator\application data\drivers\winupgro.exe
c:\documents and settings\administrator\application data\drivers\downld\234656.exe
c:\documents and settings\administrator\application data\drivers\downld\254453.exe
c:\documents and settings\administrator\application data\drivers\downld\254953.exe
c:\documents and settings\administrator\application data\drivers\downld\262828.exe
c:\documents and settings\administrator\application data\drivers\downld\269171.exe
c:\documents and settings\administrator\application data\drivers\downld\269203.exe
c:\documents and settings\administrator\application data\drivers\downld\276296.exe
c:\documents and settings\administrator\application data\drivers\downld\284765.exe
c:\documents and settings\administrator\application data\drivers\downld\284781.exe
c:\documents and settings\administrator\application data\drivers\downld\290296.exe
c:\documents and settings\administrator\application data\drivers\downld\296390.exe
c:\documents and settings\administrator\application data\drivers\downld\296562.exe 

The presence of the following registry modifications:
Adds value: "drvsyskit"
With data: "c:\documents and settings\administrator\application data\drivers\winupgro.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "EnableLUA"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System



Technical Information (Analysis)

Installation
When executed, TrojanDownloader:Win32/Bagle.ACB copies itself to c:\documents and settings\administrator\application data\drivers\winupgro.exe.

The malware adds the following registry entry to ensure that its copy executes at each Windows start:
Adds value: "drvsyskit"
With data: "c:\documents and settings\administrator\application data\drivers\winupgro.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The malware creates the following file(s) on an affected machine:
  • c:\documents and settings\administrator\application data\drivers\111wfs1intwq.sys - detected as Trojan:WinNT/Bagle.gen
  • c:\documents and settings\administrator\application data\drivers\11s11ro1s1a2.sys
  • c:\documents and settings\administrator\application data\drivers\downld\234656.exe
  • c:\documents and settings\administrator\application data\drivers\downld\254453.exe
  • c:\documents and settings\administrator\application data\drivers\downld\254953.exe
  • c:\documents and settings\administrator\application data\drivers\downld\262828.exe
  • c:\documents and settings\administrator\application data\drivers\downld\269171.exe
  • c:\documents and settings\administrator\application data\drivers\downld\269203.exe
  • c:\documents and settings\administrator\application data\drivers\downld\276296.exe
  • c:\documents and settings\administrator\application data\drivers\downld\284765.exe
  • c:\documents and settings\administrator\application data\drivers\downld\284781.exe
  • c:\documents and settings\administrator\application data\drivers\downld\290296.exe
  • c:\documents and settings\administrator\application data\drivers\downld\296390.exe
  • c:\documents and settings\administrator\application data\drivers\downld\296562.exe
Payload
Terminates processes
TrojanDownloader:Win32/Bagle.ACB terminates a list of specified processes, including those related to particular security applications, should they be running on an affected machine. TrojanDownloader:Win32/Bagle.ACB attempts to terminate the following processes (for example):
_avpm.exe
antivirus.exe
AUPDATE.EXE
AVGW.EXE
avp.exe
avp32.exe
avpcc.exe
blackice.exe
egui.exe
ekrn.exe
fsav.exe
InoRT.exe
kav.exe
Kavstart.exe
msmpeng.exe
msmpsvc.exe
NAVW32.exe
NOD32.EXE
PandaAVEngine.exe
PERSFW.EXE
Note: This list of processes was compiled after observing this behavior in our analysis systems. This list should serve as an example of this behavior only as it may not prove exhaustive on every affected system.

Modifies system security settings
Adds value: "EnableLUA"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
This modification disables LUA (Least-privileged User Account), also known as the "administrator in Admin Approval Mode" user type. In this mode, which is on by default for all members of the local Administrators group, a user with administrator privileges normally runs as a standard user; when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly. With LUA disabled, all applications run by default with full administrative privileges and the user is never prompted for consent.
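A host triage check for the indicators this entry lists (the "drvsyskit" Run value, the EnableLUA change and the dropped files under Application Data\drivers), added here as an example and not Microsoft's own tooling. It assumes that "administrator" in the listed paths is only the sandbox account, so the real drop location is the profile's Application Data directory of whichever user ran the sample, and the function name Find-BagleACBIndicators is chosen here.

```powershell
function Find-BagleACBIndicators {
    # Collects the host indicators this entry lists: the Run value, the
    # EnableLUA change and the dropped files under Application Data\drivers.
    $findings = @()

    # Autostart persistence. HKCU is the hive of the user running this check;
    # the sample writes the value for whichever account executed it.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['drvsyskit']) {
        $findings += "Run value 'drvsyskit' = $($run.drvsyskit)"
    }

    # UAC tampering: EnableLUA forced to 0 under the System policies key.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polKey -Name EnableLUA -ErrorAction SilentlyContinue
    if ($pol -and [int]$pol.EnableLUA -eq 0) {
        $findings += "EnableLUA is 0 under $polKey"
    }
    # Dropped files. Assumption: 'administrator' in the listed paths is only the
    # sandbox account, so the real location is <profile>\Application Data\drivers
    # (XP) or <profile>\AppData\Roaming\drivers (Vista and later).
    $appDataDirs = @()
    foreach ($p in @(Get-ChildItem 'C:\Documents and Settings' -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })) {
        $appDataDirs += Join-Path $p.FullName 'Application Data'
    }
    foreach ($p in @(Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })) {
        $appDataDirs += Join-Path $p.FullName 'AppData\Roaming'
    }
    foreach ($appData in $appDataDirs) {
        $drivers = Join-Path $appData 'drivers'
        if (-not (Test-Path $drivers)) { continue }
        $dropped = @(Get-ChildItem $drivers -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Name -eq 'winupgro.exe' -or $_.Extension -eq '.sys') })
        $downld = Join-Path $drivers 'downld'
        if (Test-Path $downld) {
            $dropped += @(Get-ChildItem $downld -Filter '*.exe' -ErrorAction SilentlyContinue)
        }
        foreach ($f in $dropped) {
            $findings += "File $($f.FullName) ($($f.Length) bytes)"
        }
    }
    return $findings
}

# Run from an elevated prompt; an empty result means none of the indicators were found.
Find-BagleACBIndicators
```

Restoring EnableLUA to 1 only takes effect after a reboot, so a host that still reports 0 immediately after cleanup is not necessarily reinfected.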

Contacts remote hosts
The malware may contact the following remote hosts using port 80:
abtherm.sk
adtp.net
ahmetyenicekesan.com
altopalanciarural.es
anamoraeventos.com.ar
google.com 

Commonly, malware may contact a remote host for the following purposes:
  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 B93E9405363001E50D2F8A091F4CC1AEC0CFE09E. If you would like to comment on this analysis, please send your feedback to mmpc-amd@microsoft.com.
