J-Security Center

Email-Worm.Win32.Bagle.bz, .ca, .cb, .cc


11 Aug 2005 16:16:00 +0300

Kaspersky Lab has detected four new Bagle variants today: Bagle.bz, Bagle.ca, Bagle.cb, and Bagle.cc.

They are all similar, but packed using different packers. They all include a list of URLs which will be checked periodically. Files placed on these sites may be new versions of Bagle, or other malicious programs, which can then be downloaded and installed on victim machines.

Preliminary analysis shows that Bagle.cc is functionally similar to Email-Worm.Win32.Bagle.bj. It is incapable of replicating independently, and was widely spammed as an attachment to infected messages. Infected messages either have an empty message subject and body, or one which contains random text. The attachment name is "to_reduce_the_tax.zip" and it is a ZIP file approximately 18KB in size.

When launched, the worm will cause the default text editor (usually Notepad) to open and display a blank window.

It creates files named "winshost.exe" and "wiwshost.exe" in the Windows system directory:

%System%\winshost.exe
%System%\wiwshost.exe

It also creates the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%System%\winshost.exe"

The worm deletes the following registry keys to prevent antivirus solutions and firewalls from being launched:

[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\Zone Labs]

It also terminates a range of processes connected with antivirus programs and firewalls.

Bagle.cc modifies %System%\drivers\etc\hosts. After modification, only the following record is left in the file:

127.0.0.1 localhost
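The file, registry and hosts-file indicators listed above can be turned into a host triage check. The following Python script is an added example written for this page; it is not Kaspersky's or Juniper's tooling. It assumes the evidence has already been collected into plain Python data (a registry snapshot as a dict of key path to value name/data, the %System% directory listing, the hosts file text, a known-good baseline of autostart value names, and the set of security vendors the inventory says are installed), so it runs offline. The sample host at the bottom is constructed to resemble an infected machine.

```python
"""Host triage against the Bagle.cc indicators listed in this advisory.

Example code added to this page, not Kaspersky's or Juniper's tooling.
Inputs are plain Python data (registry snapshot, %System% listing, hosts file
text, autostart baseline, installed vendors), so the checks run offline; on a
live host you would collect them with your own inventory or forensics tooling.
"""
from __future__ import annotations

import ntpath

# --- Indicators, copied from the advisory ---------------------------------
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
PERSISTENCE_VALUE = "winshost.exe"          # Run value name and file basename
DELETED_RUN_VALUES = {                      # security-product autostarts it deletes
    "APVXDWIN", "avg7_cc", "avg7_emc", "ccApp", "KAV50", "McAfee Guardian",
    "McAfee.InstantUpdate.Monitor", "NAV CfgWiz", "SSC_UserPrompt",
    "Symantec NetDriver Monitor", "Zone Labs Client",
}
DELETED_VENDOR_KEYS = {                     # HKLM\SOFTWARE\<vendor> keys it deletes
    "Agnitum", "KasperskyLab", "McAfee", "Panda Software", "Symantec", "Zone Labs",
}


def _normalise(registry: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Registry paths and value names are case-insensitive; fold them to lower case."""
    return {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in registry.items()}


def hosts_file_wiped(hosts_text: str) -> bool:
    """True when the hosts file holds nothing but the single '127.0.0.1 localhost' record.

    Bagle.cc rewrites the file so only that record survives; the stock Microsoft
    comment header is gone too. A default hosts file still carries that header,
    so this is corroborating evidence rather than proof on its own.
    """
    lines = [ln.strip() for ln in hosts_text.splitlines() if ln.strip()]
    return len(lines) == 1 and lines[0].split() == ["127.0.0.1", "localhost"]


def triage(registry: dict[str, dict[str, str]],
           system_dir_files: set[str],
           hosts_text: str,
           baseline_autostarts: set[str],
           installed_vendors: set[str]) -> list[str]:
    """Return the indicators that matched; an empty list means none did."""
    reg = _normalise(registry)
    findings: list[str] = []

    # 1. Dropped executables in %System% (file names compared case-insensitively).
    present = {f.lower() for f in system_dir_files}
    for name in sorted(DROPPED_FILES & present):
        findings.append(f"dropped file: %System%\\{name}")

    # 2. Autostart entry pointing at the dropped file, in either hive.
    for key in RUN_KEYS:
        data = reg.get(key.lower(), {}).get(PERSISTENCE_VALUE)
        if data is not None and ntpath.basename(data).lower() == PERSISTENCE_VALUE:
            findings.append(f"autostart: {key}\\{PERSISTENCE_VALUE} = {data}")

    # 3. Security-product autostarts that were in the known-good baseline but are
    #    gone now. Diffing against a baseline avoids flagging products that were
    #    never installed on this host.
    hklm_run = reg.get(RUN_KEYS[1].lower(), {})
    for name in sorted(DELETED_RUN_VALUES & baseline_autostarts, key=str.lower):
        if name.lower() not in hklm_run:
            findings.append(f"missing autostart: HKLM\\...\\Run\\{name}")

    # 4. Vendor keys missing for products the inventory says are installed.
    for vendor in sorted(DELETED_VENDOR_KEYS & installed_vendors):
        if ("hklm\\software\\" + vendor).lower() not in reg:
            findings.append(f"missing vendor key: HKLM\\SOFTWARE\\{vendor}")

    # 5. hosts file reduced to the single localhost record.
    if hosts_file_wiped(hosts_text):
        findings.append("hosts file reduced to '127.0.0.1 localhost'")

    return findings


# --- Constructed sample resembling an infected host -------------------------
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
        # "KAV50" and "ccApp" were in the baseline and are now gone.
    },
    r"HKLM\SOFTWARE\Microsoft": {},
    # HKLM\SOFTWARE\KasperskyLab is absent although the product is installed.
}
SAMPLE_SYSTEM_DIR = {"kernel32.dll", "WINSHOST.EXE", "wiwshost.exe"}
SAMPLE_HOSTS = "127.0.0.1       localhost\n"
SAMPLE_BASELINE = {"KAV50", "ccApp", "SomeOtherAutostart"}
SAMPLE_VENDORS = {"KasperskyLab"}

if __name__ == "__main__":
    for line in triage(SAMPLE_REGISTRY, SAMPLE_SYSTEM_DIR, SAMPLE_HOSTS,
                       SAMPLE_BASELINE, SAMPLE_VENDORS):
        print(line)
```

The dropped files and the winshost.exe Run value are the strong signals; the missing vendor keys and autostart values only mean something relative to what the host had before, which is why the script takes a baseline and an installed-vendor list rather than treating every absent key as suspicious.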

Urgent updates have been released to provide protection against all the new Bagle versions. Users are strongly recommended to download the latest updates.