TrojanDownloader:Win32/Bagle.ABQ is a trojan that terminates security applications, installs Trojan:WinNT/Bagle.A and downloads Worm:Win32/Bagle.gen!C.
Installation
TrojanDownloader:Win32/Bagle.ABQ may be installed by other malware. When run, it drops the following components:
%USERPROFILE%\Application Data\drivers\srosa2.sys - Trojan:WinNT/Bagle.A
%USERPROFILE%\Application Data\drivers\<random 6 numbers>.exe - TrojanDownloader:Win32/Bagle.ABQ
%USERPROFILE%\Application Data\drivers\winupgro.exe - TrojanDownloader:Win32/Bagle.ABQ
The registry may be modified to execute TrojanDownloader:Win32/Bagle.ABQ at each Windows start.
Adds value: "drvsyskit"
With data: "%USERPROFILE%\application data\drivers\winupgro.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TrojanDownloader:Win32/Bagle.ABQ creates two services named "sK9Ou0s" and "srosa" to execute the dropped driver component Trojan:WinNT/Bagle.A.
Payload
Terminates security applications
TrojanDownloader:Win32/Bagle.ABQ terminates many security-related applications such as Kaspersky, Symantec, Bitdefender and F-Secure. The trojan compares the names of running processes against an internal list and terminates any process whose name matches. The following is a partial list of processes targeted by the trojan:
AVP.EXE
AVP32.EXE
avpcc.exe
avpm.exe
avpmapp.exe
AVPUPD.EXE
avscan.exe
AVSCHED32.EXE
avserver.exe
avsynmgr.exe
avwebgrd.exe
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
avz.exe
bdagent.exe
bdmcon.exe
bdnews.exe
bdoesrv.exe
bdss.exe
bdsubmit.exe
bdsubmitwiz.exe
BDSurvey.exe
bdswitch.exe
bdwizreg.exe
blackd.exe
blackice.exe
blindman.exe
BTIni.exe
… and so on.
Uses stealth
TrojanDownloader:Win32/Bagle.ABQ executes the driver component Trojan:WinNT/Bagle.A to hide its presence. The driver component provides advanced stealth functionality and anti-removal measures.
Downloads Worm:Win32/Bagle.gen!C
TrojanDownloader:Win32/Bagle.ABQ attempts to download Worm:Win32/Bagle.gen!C from a predefined Web page. The page redirects to another site as "<domain>/1/b64.jpg". The retrieved file is then executed.
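The indicators spread across the Installation and Downloads sections above (the "drvsyskit" Run value, the three dropped files under Application Data\drivers, the "sK9Ou0s" and "srosa" services and the "/1/b64.jpg" download path) can be checked mechanically. The following Python module is an added example written for this page; it is not code from Microsoft's write-up. It matches a host inventory against those indicators and ships with a constructed sample inventory (the user name "bob", the six-digit file name "483921.exe", the service list and the "example.invalid" URLs are all made up for the demonstration). The optional collect_windows_inventory() helper reads the live Run key and drivers folder on Windows; service names and URLs are assumed to come from another source such as "sc query" output or a proxy log.

```python
import os
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up above. Paths are lower-cased and cut
# down to their profile-relative part so they compare equal regardless of
# whether they were recorded as %USERPROFILE%\... or as an absolute path.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "drvsyskit"
RUN_VALUE_DATA = r"application data\drivers\winupgro.exe"
DROPPED_FILES = {
    r"application data\drivers\srosa2.sys": "Trojan:WinNT/Bagle.A driver",
    r"application data\drivers\winupgro.exe": "TrojanDownloader:Win32/Bagle.ABQ",
}
# "<random 6 numbers>.exe" in the drivers folder
RANDOM_EXE = re.compile(r"^application data\\drivers\\\d{6}\.exe$")
SERVICE_NAMES = {"sk9ou0s", "srosa"}
DOWNLOAD_PATH = re.compile(r"/1/b64\.jpg$")


@dataclass
class HostInventory:
    """Snapshot of a host's state; any collector can fill this in."""
    run_values: dict = field(default_factory=dict)  # HKCU Run value name -> data
    files: list = field(default_factory=list)       # file paths found on disk
    services: list = field(default_factory=list)    # installed service names
    urls: list = field(default_factory=list)        # URLs seen in a proxy/DNS log


def _norm_path(path: str) -> str:
    """Lower-case, use backslashes, and drop everything before the
    'application data\\' component so both spellings of the profile
    directory map onto the same profile-relative key."""
    p = path.replace("/", "\\").lower()
    i = p.find("application data\\")
    return p[i:] if i >= 0 else p


def match_indicators(inv: HostInventory) -> list:
    """Return one human-readable finding per matched indicator."""
    findings = []
    run_values = {k.lower(): v for k, v in inv.run_values.items()}
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        if _norm_path(data) == RUN_VALUE_DATA:
            findings.append(f"Run value '{RUN_VALUE_NAME}' points at winupgro.exe")
        else:  # the value name alone is already suspicious
            findings.append(f"Run value '{RUN_VALUE_NAME}' present with unexpected data {data!r}")
    for f in inv.files:
        n = _norm_path(f)
        if n in DROPPED_FILES:
            findings.append(f"dropped file {f} ({DROPPED_FILES[n]})")
        elif RANDOM_EXE.match(n):
            findings.append(f"six-digit executable in drivers folder: {f}")
    for s in inv.services:
        if s.lower() in SERVICE_NAMES:
            findings.append(f"service '{s}' matches the Bagle driver loader services")
    for u in inv.urls:
        if DOWNLOAD_PATH.search(u.split("?")[0].lower()):
            findings.append(f"request for /1/b64.jpg: {u}")
    return findings


def collect_windows_inventory() -> HostInventory:
    """Live collection on Windows only: HKCU Run values and the contents of
    the Application Data\\drivers folder. Services and URLs are left empty
    and are assumed to be supplied from elsewhere (e.g. 'sc query')."""
    import winreg  # importable only on Windows
    inv = HostInventory()
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            inv.run_values[name] = str(data)
            i += 1
    drivers = os.path.join(os.environ.get("USERPROFILE", ""), "Application Data", "drivers")
    if os.path.isdir(drivers):
        inv.files = [os.path.join(drivers, f) for f in os.listdir(drivers)]
    return inv


# Constructed sample inventory for an offline run (not real data).
SAMPLE_INVENTORY = HostInventory(
    run_values={
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "drvsyskit": r"%USERPROFILE%\application data\drivers\winupgro.exe",
    },
    files=[
        r"C:\Documents and Settings\bob\Application Data\drivers\srosa2.sys",
        r"C:\Documents and Settings\bob\Application Data\drivers\483921.exe",
        r"C:\Documents and Settings\bob\Application Data\Microsoft\Credentials",
    ],
    services=["Dnscache", "srosa", "sK9Ou0s"],
    urls=["http://example.invalid/1/b64.jpg", "http://example.invalid/index.html"],
)

if __name__ == "__main__":
    for line in match_indicators(SAMPLE_INVENTORY):
        print(line)
```

Running the module against the sample inventory reports six findings: the Run value, both dropped files, both services and the b64.jpg request. The regular expression for the six-digit executable is a generalisation of the "<random 6 numbers>.exe" wording in the write-up, so any other six-digit .exe in that folder is also flagged and should be reviewed rather than treated as a confirmed match.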
Analysis by Tim Liu