This trojan dropper appeared on February 28th, 2005. It was spread in email messages, but it is not clear whether those emails were seeded directly by the author or sent by a Bagle variant. At the time of writing we have not seen any Bagle variant that sends this dropper in email; however, we are seeing two new Bagle variants that send similar droppers.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The dropper is a PE executable file 18432 bytes long. The dropped file is a DLL 15360 bytes long. Neither the dropper nor the DLL is packed.
When the dropper is run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL named WIWSHOST.EXE there (the dropped file is a DLL despite its .EXE extension). The DLL is then injected into the Explorer.exe process.
The dropper/injector creates two startup entries for its file in the Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%winsysdir%\winshost.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%winsysdir%\winshost.exe"

where '%winsysdir%' represents the Windows System folder. These entries make Windows run the dropper every time it starts.
The WIWSHOST.EXE file is mainly a downloader, but it also attacks anti-virus and security software. When it runs, it first stops services with the following names:
wuauserv PAVSRV PAVFNSVR PSIMSVC Pavkre PavProt PREVSRV PavPrSrv SharedAccess navapsvc NPFMntor Outpost Firewall SAVScan SBService Symantec Core LC ccEvtMgr SNDSrvc ccPwdSvc ccSetMgr.exe SPBBCSvc KLBLMain avg7alrt avg7updsvc vsmon CAISafe avpcc fsbwsys backweb client - 4476822 backweb client-4476822 fsdfwd F-Secure Gatekeeper Handler Starter FSMA KAVMonitorService navapsvc NProtectService Norton Antivirus Server VexiraAntivirus dvpinit dvpapi schscnt BackWeb Client - 7681197 F-Secure Gatekeeper Handler Starter FSMA AVPCC KAVMonitorService Norman NJeeves NVCScheduler nvcoas Norman ZANDA PASSRV SweepNet SWEEPSRV.SYS NOD32ControlCenter NOD32Service PCCPFW Tmntsrv AvxIni XCOMM ravmon8 SmcService BlackICE PersFW McAfee Firewall OutpostFirewall NWService alerter sharedaccess NISUM NISSERV vsmon nwclnth nwclntg nwclnte nwclntf nwclntd nwclntc wuauserv navapsvc Symantec Core LC SAVScan kavsvc DefWatch Symantec AntiVirus Client NSCTOP Symantec Core LC SAVScan SAVFMSE ccEvtMgr navapsvc ccSetMgr VisNetic AntiVirus Plug-in McShield AlertManger McAfeeFramework AVExch32Service AVUPDService McTaskManager Network Associates Log Service Outbreak Manager MCVSRte mcupdmgr.exe AvgServ AvgCore AvgFsh awhost32 Ahnlab task Scheduler MonSvcNT V3MonNT V3MonSvc FSDFWD
Then the trojan starts a thread that deletes the following Registry keys and values. Entries are given as key,value name; entries without a value name are deleted as whole keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
After that the trojan starts a thread that scans all hard drives and deletes any file with the following name:
mysuperprog.exe
The same thread also renames files belonging to security and anti-virus software. The following files are renamed:
CCSETMGR.EXE CCEVTMGR.EXE NAVAPSVC.EXE NPFMNTOR.EXE symlcsvc.exe SPBBCSvc.exe SNDSrvc.exe ccApp.exe ccl30.dll ccvrtrst.dll LUALL.EXE AUPDATE.EXE Luupdate.exe LUINSDLL.DLL RuLaunch.exe CMGrdian.exe Mcshield.exe outpost.exe Avconsol.exe Vshwin32.exe VsStat.exe Avsynmgr.exe kavmm.exe Up2Date.exe KAV.exe avgcc.exe avgemc.exe zonealarm.exe zatutor.exe zlavscan.dll zlclient.exe isafe.exe cafix.exe vsvault.dll av.dll vetredir.dll
The files listed above are renamed to the following names. In each case the trojan inserts one or more digits into the original file name, so the file is no longer found under the name the security product expects:
C1CSETMGR.EXE CC1EVTMGR.EXE NAV1APSVC.EXE NPFM1NTOR.EXE s1ymlcsvc.exe SP1BBCSvc.exe SND1Srvc.exe ccA1pp.exe cc1l30.dll ccv1rtrst.dll LUAL1L.EXE AUPD1ATE.EXE Luup1date.exe LUI1NSDLL.DLL RuLa1unch.exe CM1Grdian.exe Mcsh1ield.exe outp1ost.exe Avc1onsol.exe Vshw1in32.exe Vs1Stat.exe Av1synmgr.exe kav12mm.exe Up222Date.exe K2A2V.exe avgc3c.exe avg23emc.exe zonealarm.exe zatutor.exe zlavscan.dll zo3nealarm.exe zatu6tor.exe zl5avscan.dll zlcli6ent.exe is5a6fe.exe c6a5fix.exe vs6va5ult.dll a5v.dll ve6tre5dir.dll
Renaming a file does not affect a process that is already running from it, so all the affected software keeps working until the next system restart. After the restart the affected software no longer starts, because its files have been renamed by the trojan.
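The persistence entries, dropped files and rename pattern described above can be checked offline from data collected on a suspect host. The following script is an added example (it is not F-Secure's own tooling); the indicator names are taken from this description, while the directory listings and Run-key export at the bottom are constructed sample data. The rename check does not just strip digits (that would break names such as Vshwin32.exe or ccl30.dll); it tests whether a name on disk equals a known original with digits inserted, which is exactly the transformation the two lists above show.

```python
"""Offline triage for the WINSHOST.EXE / WIWSHOST.EXE dropper.

Added example, not F-Secure tooling. Indicator names come from the
description; the listings and Run-key export below are constructed sample
data, so the script runs without touching a live system.
"""

# Files the dropper writes: two in %windir%\system32, the payload in %windir%.
DROPPER_FILES = {"winshost.exe", "wiwshost.exe"}
PAYLOAD_FILE = "_re_file.exe"
RUN_VALUE_NAME = "winshost.exe"
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}

# Security-product files the injected DLL renames (list from the description).
RENAME_TARGETS = [
    "CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "NPFMNTOR.EXE", "symlcsvc.exe",
    "SPBBCSvc.exe", "SNDSrvc.exe", "ccApp.exe", "ccl30.dll", "ccvrtrst.dll",
    "LUALL.EXE", "AUPDATE.EXE", "Luupdate.exe", "LUINSDLL.DLL", "RuLaunch.exe",
    "CMGrdian.exe", "Mcshield.exe", "outpost.exe", "Avconsol.exe", "Vshwin32.exe",
    "VsStat.exe", "Avsynmgr.exe", "kavmm.exe", "Up2Date.exe", "KAV.exe", "avgcc.exe",
    "avgemc.exe", "zonealarm.exe", "zatutor.exe", "zlavscan.dll", "zlclient.exe",
    "isafe.exe", "cafix.exe", "vsvault.dll", "av.dll", "vetredir.dll",
]


def is_digit_insertion(original, candidate):
    """True if `candidate` is `original` with one or more digits inserted.

    Digits that belong to the original (Vshwin32.exe, Up2Date.exe) must still
    appear in place: walk the candidate, consume a matching original character
    when possible, otherwise the character must be an inserted digit.
    Case-insensitive, like NTFS name lookups.
    """
    o, c = original.lower(), candidate.lower()
    if len(c) <= len(o):      # same name is the untouched file, not a rename
        return False
    i = 0
    for ch in c:
        if i < len(o) and ch == o[i]:
            i += 1
        elif not ch.isdigit():
            return False
    return i == len(o)


def find_renamed_security_files(listing):
    """Map mangled names in a directory listing back to the original name."""
    found = {}
    for name in listing:
        for original in RENAME_TARGETS:
            if is_digit_insertion(original, name):
                found[name] = original     # restore = rename back to original
                break
    return found


def find_dropped_files(system32_listing, windir_listing):
    """Return the dropper's own files present in the two directories."""
    hits = [n for n in system32_listing if n.lower() in DROPPER_FILES]
    hits += [n for n in windir_listing if n.lower() == PAYLOAD_FILE]
    return sorted(hits, key=str.lower)


def find_persistence(run_export):
    """run_export: {key_path: {value_name: data}}. A hit is a value named
    winshost.exe, or any value whose data points at a dropper file."""
    hits = []
    for key, values in run_export.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name.lower() == RUN_VALUE_NAME or target in DROPPER_FILES:
                hits.append((key, name, data))
    return hits


def triage(system32_listing, windir_listing, run_export):
    """Combine the three checks into one report."""
    return {
        "dropped_files": find_dropped_files(system32_listing, windir_listing),
        "renamed_security_files": find_renamed_security_files(system32_listing),
        "persistence": find_persistence(run_export),
    }


# Constructed sample data (not from the description).
SAMPLE_SYSTEM32 = ["kernel32.dll", "winshost.exe", "WIWSHOST.EXE",
                   "Vshw1in32.exe", "K2A2V.exe", "zonealarm.exe", "ntdll.dll"]
SAMPLE_WINDIR = ["explorer.exe", "_re_file.exe", "notepad.exe"]
SAMPLE_RUN_EXPORT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
    },
}

if __name__ == "__main__":
    for section, result in triage(SAMPLE_SYSTEM32, SAMPLE_WINDIR, SAMPLE_RUN_EXPORT).items():
        print(section, result)
```

On a real host, feed it the listings of %windir%\system32 and %windir% and an export of the two Run keys; a mangled name such as K2A2V.exe maps back to KAV.exe, while a name that is merely similar (KAVX.exe) is not reported, because the extra character is not a digit.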
After this the trojan stops services with the following names:
SharedAccess wscsvc
Next, the trojan creates a thread that kills processes with the following names:
AVXQUAR.EXE ESCANHNT.EXE UPGRADER.EXE AVXQUAR.EXE AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE NUPGRADE.EXE MCUPDATE.EXE ATUPDATER.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE FIREWALL.EXE ATUPDATER.EXE LUALL.EXE DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE ESCANH95.EXE
Finally the trojan tries to download a file from several web servers. The file is saved to the Windows directory as '_re_file.exe' and run. The trojan tries the following hardcoded locations:
https://www.amanit.ru/zo2.jpg http://www.anthonyflanagan.com/zo2.jpg http://www.approved1stmortgage.com/zo2.jpg http://www.argument.h12.ru/zo2.jpg http://www.arkebek.de/zo2.jpg http://www.artek.org/zo2.jpg http://www.asianfestival.nl/zo2.jpg http://www.astergut.at/zo2.jpg http://www.aviation-center.de/zo2.jpg http://www.bbsh.org/zo2.jpg http://www.besino.com/zo2.jpg http://www.bestbuy.de/zo2.jpg http://www.beta.mtw.ru/zo2.jpg http://www.bga-gsm.ru/zo2.jpg http://www.blessino.com/zo2.jpg http://www.blueeyeinc.com/zo2.jpg http://www.breaklight.be/zo2.jpg http://www.brzesko.net.pl/zo2.jpg http://www.catsystem.com.kg/zo2.jpg http://www.cdnpartner.com.pl/zo2.jpg http://www.ceskyhosting.cz/zo2.jpg http://www.channeland.com/zo2.jpg http://www.compsolutionstore.com/zo2.jpg http://www.concept.kg/zo2.jpg http://www.corpsite.com/zo2.jpg http://www.couponcapital.net/zo2.jpg http://www.DarrkSydebaby.com/zo2.jpg http://www.dehut-westerhoven.nl/zo2.jpg http://www.dhl.kg/zo2.jpg http://www.dierollendedisco.de/zo2.jpg http://www.discobaradventure.be/zo2.jpg http://www.e-nfo.com/zo2.jpg http://www.e-power.com.cn/zo2.jpg http://www.ecobank.kg/zo2.jpg http://www.elenalazar.com/zo2.jpg http://www.epicbiz.com/zo2.jpg http://www.europa.kg/zo2.jpg http://www.everett.wednet.edu/zo2.jpg http://www.externet.hu/zo2.jpg http://www.forester.kg/zo2.jpg http://www.fotocliparts.de/zo2.jpg http://www.fotonw.org/zo2.jpg http://www.freesites.com.br/zo2.jpg http://www.funbunker.de/zo2.jpg http://www.funworld.tv/zo2.jpg http://www.gameser.com@share.gameser.com/zo2.jpg http://www.gci-bln.de/zo2.jpg http://www.gcnet.ru/zo2.jpg http://www.giantrevenue.com/zo2.jpg http://www.himpsi.org/zo2.jpg http://www.i3dvr.com/zo2.jpg http://www.ibigmart.net/zo2.jpg http://www.idb-group.net/zo2.jpg http://www.illusionoflife.net/zo2.jpg http://www.infocuspromo.com/zo2.jpg http://www.irinaswelt.de/zo2.jpg http://www.jansenboiler.com/zo2.jpg http://www.jasnet.pl/zo2.jpg http://www.jcribeiro.com/zo2.jpg 
http://www.jewelleryamberproducts.com/zo2.jpg http://www.jimvann.com/zo2.jpg http://www.jldr.ca/zo2.jpg http://www.jordanramey.net/zo2.jpg http://www.joy-musik-sound.de/zo2.jpg http://www.justrepublicans.com/zo2.jpg http://www.katel.kg/zo2.jpg http://www.knicks.nl/zo2.jpg http://www.koebers.pl/zo2.jpg http://www.kogaionon.com/zo2.jpg http://www.kplus.kg/zo2.jpg http://www.kradtraining.de/zo2.jpg http://www.kranenberg.de/zo2.jpg http://www.kranenberg.de:113547@/zo2.jpg http://www.kstrus.com.pl/zo2.jpg http://www.ktsonline.de/zo2.jpg http://www.lahelaino.com/zo2.jpg http://www.lawform.com.au/zo2.jpg http://www.leetexgroup.com/zo2.jpg http://www.leshrak.de/zo2.jpg http://www.leshrak.de:prophets@/zo2.jpg http://www.logoseiten.de/zo2.jpg http://www.magicbottle.com.tw/zo2.jpg http://www.mcuserver.cz/zo2.jpg http://www.mega-spass.com/zo2.jpg http://www.mega.kg/zo2.jpg http://www.mepbisu.de/zo2.jpg http://www.mepmh.de/zo2.jpg http://www.mtfdesign.com/zo2.jpg http://www.mtransit.kg/zo2.jpg http://www.neotech.kg/zo2.jpg http://www.nikonfotoshare.com/zo2.jpg http://www.novosti.kg/zo2.jpg http://www.ok.kg/zo2.jpg http://www.onepositiveplace.org/zo2.jpg http://www.online.kg/zo2.jpg http://www.orangesuburban.5u.com/zo2.jpg http://www.otv.ch/zo2.jpg http://www.pageantpage.com/zo2.jpg http://www.pankration.com/zo2.jpg http://www.para-agility.com/zo2.jpg http://www.pdxracing.net/zo2.jpg http://www.pfadfinder-leobersdorf.com/zo2.jpg http://www.pipni.cz/zo2.jpg http://www.pjwstk.edu.pl/zo2.jpg http://www.polizeimotorrad.de/zo2.jpg http://www.proway-consulting.com/zo2.jpg http://www.pugetsoundyc.org/zo2.jpg http://www.pyrlandia-boogie.pl/zo2.jpg http://www.qphoto.co.za/zo2.jpg http://www.raecoinc.com/zo2.jpg http://www.realgps.com/zo2.jpg http://www.realty.kg/zo2.jpg http://www.redlightpictures.com/zo2.jpg http://www.reliance-yachts.com/zo2.jpg http://www.relocationflorida.com/zo2.jpg http://www.rentalstation.com/zo2.jpg http://www.rieraquadros.com.br/zo2.jpg 
http://www.roaming.kg/zo2.jpg http://www.sacohalle.be/zo2.jpg http://www.scanex-medical.fi/zo2.jpg http://www.scoping4success.com/zo2.jpg http://www.sert.ru/zo2.jpg http://www.sigi.lu/zo2.jpg http://www.spadochron.pl/zo2.jpg http://www.ssc.kg/zo2.jpg http://www.ssmifc.ca/zo2.jpg http://www.stadtmeyers.de/zo2.jpg http://www.stadtmeyers.de:R2D2c3po@/zo2.jpg http://www.sterlingirb.com/zo2.jpg http://www.sunassetholdings.com/zo2.jpg http://www.szantomierz.art.pl/zo2.jpg http://www.szosa.pl/zo2.jpg http://www.tambourenvereine.ch/zo2.jpg http://www.tarnow.opoka.org.pl/zo2.jpg http://www.tc-muraene.com/zo2.jpg http://www.tc-muraene.com:hunter@/zo2.jpg http://www.theroyalregistry.com/zo2.jpg http://www.transportation.gov.bh/zo2.jpg http://www.tumar.kg/zo2.jpg http://www.tunguska.hu/zo2.jpg http://www.turkeyhomes.com/zo2.jpg http://www.turkeyhomes.com@/zo2.jpg http://www.ulpiano.org/zo2.jpg http://www.unicity.pl/zo2.jpg http://www.vbw.info/zo2.jpg http://www.velezcourtesymanagement.com/zo2.jpg http://www.vorrix.com/zo2.jpg http://www.webpark.pl/zo2.jpg http://www.wecompete.com/zo2.jpg http://www.wp.pl/zo2.jpg http://www.wwwebad.com/zo2.jpg http://www.xpager321.wz.cz/zo2.jpg http://www.yamdiamonds.com/zo2.jpg http://www.zander-yachting.com/zo2.jpg
We are monitoring these locations in order to catch any malware the trojan's author places there.
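To block or monitor the download locations, a practitioner needs a clean hostname list, and the list above is not uniform: some entries use user@host notation (http://www.gameser.com@share.gameser.com/…) and several have nothing after the '@' (http://www.kranenberg.de:113547@/…, http://www.turkeyhomes.com@/…), so the host part is empty. The following script is an added example, not F-Secure tooling; it uses urllib.parse to separate those cases rather than splitting on '/'. The sample input is a subset of the URLs above, chosen to include the odd entries; treating the userinfo of a malformed entry as the intended host is a heuristic of this example.

```python
"""Build a hostname blocklist from the trojan's hardcoded download locations.

Added example, not F-Secure tooling. urlsplit() treats text before '@' as
userinfo and text after it as the host, so entries with nothing after '@'
yield no hostname and are reported separately.
"""
from urllib.parse import urlsplit

# Sample input: a subset of the locations listed in the description,
# deliberately including the entries with userinfo and a missing host.
SAMPLE_URLS = """
https://www.amanit.ru/zo2.jpg
http://www.anthonyflanagan.com/zo2.jpg
http://www.gameser.com@share.gameser.com/zo2.jpg
http://www.kranenberg.de/zo2.jpg
http://www.kranenberg.de:113547@/zo2.jpg
http://www.leshrak.de:prophets@/zo2.jpg
http://www.turkeyhomes.com/zo2.jpg
http://www.turkeyhomes.com@/zo2.jpg
http://www.wp.pl/zo2.jpg
"""


def classify(url):
    """Return (kind, host, userinfo_name) for one URL.

    kind: 'plain', 'with-credentials' (userinfo present, host valid) or
    'malformed' (no host after '@'). For malformed entries the username part
    of the userinfo is returned as a hint of the host the author meant.
    """
    parts = urlsplit(url.strip())
    host, user = parts.hostname, parts.username
    if not host:
        return "malformed", None, user
    if user is not None:
        return "with-credentials", host, user
    return "plain", host, None


def build_blocklist(text):
    """Parse a whitespace-separated URL list into hosts plus review notes."""
    hosts, malformed, with_creds = set(), [], []
    for line in text.split():
        kind, host, hint = classify(line)
        if kind == "malformed":
            malformed.append(line)
            if hint:
                hosts.add(hint.lower())   # heuristic: userinfo is the intended host
        else:
            hosts.add(host)
            if kind == "with-credentials":
                with_creds.append((line, hint))
    return {"hosts": sorted(hosts), "malformed": malformed, "with_credentials": with_creds}


if __name__ == "__main__":
    report = build_blocklist(SAMPLE_URLS)
    print("\n".join(report["hosts"]))
    print("malformed:", report["malformed"])
    print("with credentials:", report["with_credentials"])
```

The entries flagged as malformed would not resolve to a host at all when the trojan tries them; they are still worth keeping in the review output, since the hostname in their userinfo also appears as a plain entry and the author clearly intended it.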