This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4698 (2006-02-16)
Updated DAT: 4782 (2006-06-12)
Minimum Engine: 5.1.00
File Length: N/A
Description Added: 2006-02-16
Description Modified: 2006-02-22
Bagle.dv.dr is a trojan dropper which drops W32/Bagle.dv.dldr and W32/Bagle.gen@MM.
Upon execution, it displays a fake dialog box prompting the user to select a file to "crack".
Whichever file the user selects, the following message box is displayed.
Drops the following files:
%TEMP%\random filename.tmp.exe (detected as W32/Bagle.gen@MM)
%Windir%\%SYSDIR%\anti_troj.exe (detected as W32/Bagle.dv.dldr)
%Windir%\%SYSDIR%\winlog.exe (detected as W32/Bagle.gen@MM)
%Windir%\%SYSDIR%\winlog.dll (detected as W32/Bagle.gen@MM)
Creates the following registry entries to autostart the trojan when Windows starts.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj"="%Windir%\%SYSDIR%\anti_troj.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"key2 "="%Windir%\%SYSDIR%\winlog.exe"
Adds the following registry key as a flag that indicates the system is infected.
HKEY_CURRENT_USER\Software\FirstRRRun
"Firstun" = "01"
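As an added example, not part of the McAfee description, the following Python script checks a `reg export` dump for the two autorun values and the FirstRRRun infection marker listed above. It assumes %Windir%\%SYSDIR% expands to C:\WINDOWS\system32, and the export text it runs on is a constructed sample, not a real capture. Parsing the exported text rather than the live hive keeps the check usable on an offline image or a dump collected from another machine.

```python
import re

# Indicators taken from the description above. %Windir%\%SYSDIR% is a
# placeholder in the write-up; the sample below assumes C:\WINDOWS\system32.
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_BINARIES = {"anti_troj.exe", "winlog.exe"}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
MARKER_VALUE = "Firstun"

# Constructed sample of a `reg export` (REGEDIT4 format) from a hypothetical
# infected host; it is not a real capture. Note the trailing space in "key2 ",
# which the description reproduces, and the quoted path with arguments in
# the HKLM entry, which is a benign value the check must not flag.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
"key2 "="C:\\WINDOWS\\system32\\winlog.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"Firstun"="01"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMwareUser.exe\" -n"
'''


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. Quoted (REG_SZ) data is unescaped; other
    types (dword:, hex:) are kept as raw text. Headers, comments, blank lines
    and @= default values are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name = re.sub(r"\\(.)", r"\1", m.group(1))      # reg export escapes \ and "
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def image_name(data):
    """Lower-cased executable file name from a Run value's data, tolerating a
    quoted path and a trailing argument list."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(keys):
    """Return (key, value_name, data) tuples that match the indicators above.
    Registry key and value names are case-insensitive, so compare lower-cased."""
    by_key = {k.lower(): v for k, v in keys.items()}
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in by_key.get(key.lower(), {}).items():
            if image_name(data) in DROPPED_BINARIES:
                hits.append((key, name, data))
    marker = by_key.get(MARKER_KEY.lower(), {})
    for name, data in marker.items():
        if name.lower() == MARKER_VALUE.lower() and data == "01":
            hits.append((MARKER_KEY, MARKER_VALUE, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name!r} -> {data}")
```

Run against a real system with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (the exports are UTF-16 on Windows Registry Editor 5.00, so decode accordingly before parsing) and feed the text to `parse_reg_export`. Matching on the executable's base name rather than the full path keeps the check independent of the Windows directory's actual location.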
Prevents popular security programs from launching. The following is a brief list of the targeted names. It also contains Win32 service-control API names (ChangeServiceConfigA, CloseServiceHandle, ControlService, OpenSCManagerA, OpenServiceA); these are imports of the trojan rather than program names and will never match a running process, so exclude them when turning this list into a process-name check.
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashPopWz.exe
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
AUPDATE.EXE
Avconsol.exe
avgcc.exe
avgemc.exe
AVGNT.EXE
AVSCHED32.EXE
Avsynmgr.exe
AVWUPD32.EXE
bdmcon.exe
bdnews.exe
bdsubmit.exe
bdswitch.exe
cafix.exe
ccApp.exe
CCEVTMGR.EXE
CCSETMGR.EXE
ccvrtrst.dll
ChangeServiceConfigA
ClamTray.exe
ClamWin.exe
CloseServiceHandle
CMGrdian.exe
ControlService
drwadins.exe
drweb32w.exe
drwebscd.exe
drwebupw.exe
FFJMPWEB.DLL
freshclam.exe
GUARDEVT.DLL
GUARDGUI.EXE
GUARDMSG.DLL
GuardNT.exe
IksysT32.dll
INETUPD.EXE
InocIT.exe
InoOEM.dll
InoOption.dll
InoUpTNG.exe
isafe.exe
KAV.exe
kavmm.exe
KAVPF.exe
LUALL.EXE
LUINSDLL.DLL
Luupdate.exe
Mcshield.exe
NAVAPSVC.EXE
nod32.exe
nod32api.dll
nod32kui.exe
NPFMNTOR.EXE
npfmsg.exe
Nvccf0D.dll
Nvcevlog.dll
Nvcod.exe
Nvcte.exe
Nvcut.exe
OCONNDLG.DLL
OCOOKDLG.DLL
OpenSCManagerA
OpenServiceA
outpost.exe
pccguide.exe
PcCtlCom.exe
python23.dll
QHPF.EXE
Realmon.exe
RuLaunch.exe
schface.dll
SNDSrvc.exe
SPBBCSvc.exe
spiderml.exe
symlcsvc.exe
T2w32.dll
taskmgr.exe
Tmntsrv.exe
TmPfw.exe
tmproxy.exe
Up2Date.exe
upgrepl.exe
Vba32ECM.exe
Vba32ifs.exe
vba32ldr.exe
Vba32PP3.exe
vbaifps.dll
vetredir.dll
Vshwin32.exe
VsStat.exe
zatutor.exe
zlclient.exe
zonealarm.exe
Prevents the user from visiting certain security related websites.
The following is a brief list of sites that are blocked by the trojan.
avp.com
avp.ru
ca.com
clamav.net
clamwin.com
downloads-us1.kaspersky-labs.com
downloads.avira.com
downloads.microsoft.com
downloads1.kaspersky-labs.com
drweb.com
drweb.ru
engine.awaps.net
esetsoftware.com
f-secure.com
ftp.sophos.com
go.microsoft.com
grisoft.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
securityresponse.symantec.com
us.mcafee.com
vil.nai.com
viruslist.com
viruslist.ru
windowsupdate.microsoft.com
www.anti-virus.by
www.antivir.de
www.avast.com
www.avira.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.bitdefender.com
www.bitdefender.ru
www.ca.com
www.clamav.net
www.clamwin.com
www.drweb.com
www.f-secure.com
www.fastclick.net
www.grisoft.com
www.hacksoft.com.pe
www.hbedv.com
www.kaspersky-labs.com
www.kaspersky.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.open.by
www.pandasoftware.com
www.ravantivirus.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.vba32.de
www.viruslist.com
www.viruslist.ru
www2.eset.com
www3.ca.com
zak.avira.com
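The description does not say how the trojan blocks these sites. Editing the hosts file was the usual way for malware of this era to do it, and that is the assumption behind the following Python check, which is an added example and not from the McAfee page. It parses a hosts file, flags any entry for one of the listed domains, and distinguishes sinkholing (loopback or 0.0.0.0) from redirection to another address, which would indicate an attacker-controlled server rather than a simple block. The domain set is a subset of the list above, and the sample hosts file is constructed.

```python
import ipaddress
import sys

# Subset of the domains listed as blocked in the description above (the full
# list is longer). No legitimate hosts file should carry an entry for these.
BLOCKED_DOMAINS = {
    "avp.com", "www.avp.com", "clamav.net", "www.clamav.net",
    "downloads.microsoft.com", "go.microsoft.com",
    "windowsupdate.microsoft.com", "f-secure.com", "www.f-secure.com",
    "mcafee.com", "www.mcafee.com", "us.mcafee.com", "vil.nai.com",
    "securityresponse.symantec.com", "www.symantec.com",
    "www.kaspersky.com", "www.sophos.com", "www.trendmicro.com",
}

# Constructed sample hosts file (not a real capture): a legitimate localhost
# block, comments, tabs, several names on one line, IPv6 loopback, a
# redirect to a non-loopback address, and an unrelated intranet mapping that
# must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1\tlocalhost
::1\t\tlocalhost
127.0.0.1   www.mcafee.com mcafee.com
127.0.0.1 windowsupdate.microsoft.com   # keeps the box unpatched
0.0.0.0   securityresponse.symantec.com
::1       www.kaspersky.com
198.51.100.7  www.sophos.com
10.0.0.5  intranet.example.local
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, handling
    comments, tabs, blank lines and several names on one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower().rstrip(".")


def classify(address):
    """'sinkhole' for loopback or unspecified (0.0.0.0, ::) addresses,
    'redirect' for any other valid address, None for unparsable text."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return None
    return "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def find_hijacked(text):
    """Return (address, hostname, kind) for every listed domain present."""
    hits = []
    for address, name in parse_hosts(text):
        if name in BLOCKED_DOMAINS:
            kind = classify(address)
            if kind is not None:
                hits.append((address, name, kind))
    return hits


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for address, name, kind in find_hijacked(text):
        print(f"{kind:9} {address:16} {name}")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts. A "redirect" hit deserves more attention than a "sinkhole" hit: the latter only denies access to the vendor site, while the former sends update and signature traffic to whatever host the attacker chose.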
Bagle.dv.dr was mass spammed on February 15th, 2006.
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.