TrojanDownloader:Win32/Bagle.EH is a member of Win32/Bagle, a multicomponent family of worms that may spread via email and peer-to-peer file sharing networks.
Win32/Bagle may also contain backdoor functionality that allows unauthorized access to an affected computer, and may download and execute arbitrary files.
Installation
When executed, TrojanDownloader:Win32/Bagle.EH copies itself to c:\documents and settings\administrator\application data\drivers\winupgro.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "drvsyskit"
With data: "c:\documents and settings\administrator\application data\drivers\winupgro.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
The malware creates the following files on an affected computer:
Payload
Terminates processes
TrojanDownloader:Win32/Bagle.EH terminates a list of specified processes, including those related to particular security applications, should they be running on an affected computer. For example, TrojanDownloader:Win32/Bagle.EH attempts to terminate the following processes:
- _avpm.exe
- antivirus.exe
- AUPDATE.EXE
- AVGW.EXE
- avp.exe
- avp32.exe
- avpcc.exe
- blackice.exe
- egui.exe
- ekrn.exe
- fsav.exe
- InoRT.exe
- kav.exe
- Kavstart.exe
- msmpeng.exe
- msmpsvc.exe
- NAVW32.exe
- NOD32.EXE
- PandaAVEngine.exe
- PERSFW.EXE
Note: This list of processes was compiled after observing this behavior in our analysis systems. This list should serve as an example of this behavior only as it may not prove exhaustive on every affected system.
Modifies system security settings
The malware disables the LUA (Least Privileged User Account), also known as the “administrator in Admin Approval Mode” user type, by making the following registry modification:
Adds value: "EnableLUA"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Note: Disabling the LUA allows all applications to run by default with all administrative privileges, without the user being prompted for explicit consent.
Contacts remote host
The malware may contact a remote host at google.com using port 80. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 53cd0d0be9c918bec2a271e16c20bf7bd7f0c072.