W32/Mitglieder.FE

Aliases: Email-Worm.Win32.Bagle.cy [KAV], Troj/Bagle.CU [Antivir], Troj/BagleDL-U [Sophos], TROJ_BAGLE.DA [Trend], Trojan.Tooso.O [NAV], W32/Bagle.CJ-mm, W32/Bagle.CJ@mm [BitDefender], W32/Mitglieder.FE [F-Prot], Worm.Bagle.BS [ClamAV]
Release Date: Sep 19, 2005

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • Firewall, antivirus or other security-related applications unexpectedly terminate after an email attachment is opened

Detailed Analysis

This variant of Bagle was spammed to numerous email recipients on September 19, 2005. It may have arrived as an attachment to an email message, either as an .EXE file or a .ZIP file. The Trojan, if run, writes a copy of itself to the system and also extracts a .DLL component. The .DLL component's code is injected into the Windows shell (EXPLORER.EXE) to conceal its presence.

This threat is coded to attempt to retrieve a binary file from one of a number of hard-coded web sites. At the time of this writing, the file retrieval failed because the file was not present on the servers, or the servers were unreachable.

Load at Windows Startup
If this Trojan is run, it will copy itself to the System32 folder, along with a .DLL component (wiwshost.exe) -

c:\WINNT\system32\winshost.exe [35,841 bytes]
c:\WINNT\system32\wiwshost.exe [7,794 bytes]

This Trojan modifies the registry to auto load the Trojan at each Windows logon or startup -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"winshost.exe" = C:\WINNT\System32\winshost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winshost.exe" = C:\WINNT\System32\winshost.exe

This Trojan creates an additional registry key data entry -

HKEY_CURRENT_USER\Software\FirstRun
"FirstRunRR" = 01

This could be an internal counter for use by the Trojan to know if it has run once only or has executed more than once.

Security application termination
In addition to terminating antivirus, firewall and debugging applications, the Trojan may delete the registry values responsible for loading those programs. For example, the value listed below belongs to Zone Alarm [a firewall application] and was deleted by the Trojan in testing -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Zone Labs Client" = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

File modifications
This Trojan modifies the "hosts" DNS name-resolution configuration file, reducing its entire content to a single line -

127.0.0.1 localhost
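The dropped files, Run-key values, FirstRunRR marker and truncated hosts file listed in the sections above are the host-based indicators a responder can check for. The following triage script is an added example, not part of the original advisory or any Fortinet tool; it assumes the registry Run keys have been exported to a dictionary (for instance from `reg export` output) and the System32 listing and hosts file copied off the suspect machine, and the sample data at the bottom is constructed, not captured from a real infection.

```python
import re
# Indicators taken from the analysis above (file sizes in bytes).
DROPPED_FILES = {"winshost.exe": 35841, "wiwshost.exe": 7794}
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FIRSTRUN_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"
LOCALHOST_LINE = re.compile(r"^127\.0\.0\.1\s+localhost$", re.IGNORECASE)

def check_dropped_files(system32_listing):
    """system32_listing: {lower-case file name: size in bytes}; a size match raises confidence."""
    hits = []
    for name, size in DROPPED_FILES.items():
        if name in system32_listing:
            note = "size matches" if system32_listing[name] == size else "size differs"
            hits.append(f"system32\\{name} present ({note})")
    return hits

def check_run_entries(run_entries):
    """run_entries: {registry key path: {value name: data}}, as exported with reg.exe.
    Flags Run values whose name or data refers to winshost.exe."""
    return [f"{key}\\{name} = {data}"
            for key in RUN_KEYS
            for name, data in run_entries.get(key, {}).items()
            if "winshost.exe" in f"{name} {data}".lower()]

def hosts_file_reduced(hosts_text):
    """True when the hosts file is exactly one line, '127.0.0.1 localhost'. A stock
    Windows hosts file keeps its comment header, so the header's absence is part of
    the indicator; on its own this is a weak signal, since admins sometimes strip it."""
    lines = [ln.strip() for ln in hosts_text.splitlines() if ln.strip()]
    return len(lines) == 1 and LOCALHOST_LINE.match(lines[0]) is not None

def triage(system32_listing, run_entries, hosts_text):
    """Every indicator that fired; an empty list means nothing matched."""
    findings = check_dropped_files(system32_listing) + check_run_entries(run_entries)
    # FirstRunRR under HKCU\Software\FirstRun is the Trojan's run-count marker.
    if "FirstRunRR" in run_entries.get(FIRSTRUN_KEY, {}):
        findings.append(FIRSTRUN_KEY + r"\FirstRunRR present")
    if hosts_file_reduced(hosts_text):
        findings.append("hosts file reduced to '127.0.0.1 localhost'")
    return findings

# Constructed sample resembling an infected host (not captured from a real system).
SAMPLE_SYSTEM32 = {"winshost.exe": 35841, "wiwshost.exe": 7794, "kernel32.dll": 983040}
SAMPLE_RUN = {RUN_KEYS[0]: {"winshost.exe": r"C:\WINNT\System32\winshost.exe"},
              FIRSTRUN_KEY: {"FirstRunRR": "01"}}
SAMPLE_HOSTS = "127.0.0.1 localhost\n"
```

A clean host produces an empty list; because the Trojan also deletes Run values belonging to security products, an absent "Zone Labs Client" entry on a machine that should have one is worth noting alongside these findings.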

File download routine
This Trojan attempts to retrieve a file named OSA6.GIF from hard-coded web sites stored in the Trojan body. At the time of this writing, the file retrieval failed because the file was not present on the servers, or the servers were unreachable.

Process injection
When this Trojan is executed, it injects its code into the Windows shell EXPLORER.EXE to conceal its presence. Because it runs in the same process space as Explorer, it is also much more difficult to isolate and terminate using conventional process utilities.

Reference: ID - 323285