Modifies Network Behavior
Win32.Fantibag.U contains a list of over 150 antivirus-related domain names, presumably in order to stop users from visiting websites or downloading scanner updates from these domains. The trojan accomplishes this by creating both input and output filters to drop all packets between the user's machine and any of the filtered IP addresses.
For each of these domain names, a DNS lookup is performed, and Win32.Fantibag then creates filters covering every IP address in the same class C (255.255.255.0) network as the resolved address. Antivirus vendors targeted include Computer Associates, McAfee, Sophos, Kaspersky, F-Secure and Trend Micro, among others.
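As an added illustration of the filtering rule described above (not part of the original advisory), the script below takes constructed sample DNS answers in RFC 5737 documentation ranges, builds the set of /24 filters the trojan would create, and shows that any unrelated host sharing one of those class C networks is cut off as well; the domain names and addresses are made up for the example.

```python
import ipaddress

# Constructed sample: the DNS answers the trojan would receive for a few of
# the antivirus-related domains it carries. Domains and addresses are
# invented (documentation ranges), not the vendors' real infrastructure.
RESOLVED = {
    "updates.example-av.test": ["192.0.2.17", "192.0.2.18"],
    "www.example-av.test": ["198.51.100.5"],
    "download.other-av.test": ["203.0.113.200"],
}


def blocked_networks(resolved):
    """Return the set of /24 networks the trojan would filter.

    The advisory states that a filter is created for the whole class C
    (255.255.255.0) network of every resolved address, not just the host.
    """
    nets = set()
    for addrs in resolved.values():
        for a in addrs:
            nets.add(ipaddress.ip_network(f"{a}/24", strict=False))
    return nets


def is_dropped(ip, nets):
    """True if packets to or from ip fall inside one of the filtered /24s."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def collateral(nets, resolved):
    """For each filtered /24, count the addresses blocked that were never
    resolved from a listed domain, i.e. hosts cut off purely as a side effect."""
    targeted = {ipaddress.ip_address(a)
                for addrs in resolved.values() for a in addrs}
    return {str(n): n.num_addresses - sum(1 for t in targeted if t in n)
            for n in nets}


if __name__ == "__main__":
    nets = blocked_networks(RESOLVED)
    for n in sorted(nets, key=lambda x: int(x.network_address)):
        print(n, "collateral hosts:", collateral(nets, RESOLVED)[str(n)])
    # An unrelated host in the same /24 as a vendor address is blocked too.
    print(is_dropped("192.0.2.250", nets))   # True
    print(is_dropped("192.0.3.1", nets))     # False
```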
Terminates Processes
The DLL component ("winlog.dll") attempts to kill the following processes (associated with antivirus and other security-related applications):
_AVP32.EXE _AVPCC.EXE _AVPM.EXE AckWin32.exe ALERTSVC.EXE ALOGSERV.EXE Anti-Trojan.exe ANTS.EXE APVXDWIN.EXE ashAvast.exe ashDisp.exe ashEnhcd.exe ashMaiSv.exe ashPopWz.exe ashServ.exe ashSimpl.exe ashSkPck.exe ashWebSv.exe aswUpdSv.exe ATCON.EXE ATUPDATER.EXE ATWATCH.EXE AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE Avconsol.exe AVENGINE.EXE avgcc.exe AVGCC32.EXE AVGCTRL.EXE avgemc.exe AVGNT.EXE AVGSERV.EXE AVGUARD.EXE AvkServ.exe AVP.EXE AVP32.EXE avpcc.exe avpm.exe AVPUPD.EXE AVSCHED32.EXE avsynmgr.exe AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE BackWeb-4476822.exe bdmcon.exe bdnews.exe bdsubmit.exe bdswitch.exe blackd.exe blackice.exe cafix.exe ccApp.exe ccEvtMgr.exe ccProxy.exe ccSetMgr.exe CFIAUDIT.EXE ClamTray.exe ClamWin.exe Claw95.exe Claw95cf.exe cleaner.exe cleaner3.exe CliSvc.exe CMGrdian.exe cpd.exe DefWatch.exe DOORS.EXE DrVirus.exe drwadins.exe drweb32w.exe drwebscd.exe DRWEBUPW.EXE ESCANH95.EXE ESCANHNT.EXE F-AGNT95.EXE F-PROT95.EXE F-StopW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIREWALL.EXE fpavupdm.exe freshclam.exe FRW.EXE fsav32.exe fsavgui.exe fsbwsys.exe fsdfwd.exe FSGK32.EXE fsgk32st.exe fsguiexe.exe FSM32.EXE FSMA32.EXE FSMB32.EXE fspex.exe fssm32.exe gcasDtServ.exe gcasServ.exe GUARD.EXE GUARDGUI.EXE GuardNT.exe iamapp.exe iamserv.exe ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSSUPPNT.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE INETUPD.EXE InocIT.exe InoRpc.exe InoRT.exe InoTask.exe InoUpTNG.exe IOMON98.EXE isafe.exe ISRV95.EXE ISSVC.exe JEDI.EXE KAV.exe kavmm.exe KAVPF.exe LOCKDOWN2000.EXE LogWatNT.exe LUALL.EXE LUCOMSERVER.EXE Luupdate.exe MCAGENT.EXE Mcshield.exe MCUPDATE.EXE MINILOG.EXE MONITOR.EXE MonSysNT.exe MOOLIVE.EXE navapsvc.exe NAVAPW32.EXE NavLu32.exe NAVW32.EXE NDD32.EXE NeoWatchLog.exe NeoWatchTray.exe NISSERV NISUM.EXE NMAIN.EXE nod32.exe nod32kui.exe NORMIST.EXE notstart.exe NPFMNTOR.EXE npfmsg.exe NPROTECT.EXE NSCHED32.EXE NTXconfig.exe NUPGRADE.EXE NVC95.EXE Nvcod.exe Nvcte.exe Nvcut.exe 
NWService.exe OUTPOST.EXE PAV.EXE PavFires.exe pavProxy.exe pavsrv51.exe PAVSS.EXE pccguide.exe PCCIOMON.EXE PcCtlCom.exe PERSFW.EXE pertsk.exe PERVAC.EXE POP3TRAP.EXE POPROXY.EXE QHPF.EXE Realmon.exe REALMON95.EXE Rescue.exe Rtvscan.exe RTVSCN95.EXE RuLaunch.exe SAVScan.exe SERVIC~1.EXE SiteCli.exe smc.exe SNDSrvc.exe SPBBCSvc.exe SPHINX.EXE spiderml.exe Spiderui.exe SpybotSD.exe SPYXX.EXE SS3EDIT.EXE SWNETSUP.EXE symlcsvc.exe SymProxySvc.exe SymSPort.exe SymWSC.exe SYNMGR.EXE TAUMON.EXE TC.EXE tca.exe TCM.EXE TDS-3.EXE TeaTimer.exe TFAK.EXE Tmas.exe Tmntsrv.exe TmPfw.exe tmproxy.exe TNBUtil.exe TRJSCAN.EXE Up2Date.exe UPDATE.EXE upgrepl.exe Vba32ECM.exe Vba32ifs.exe vba32ldr.exe Vba32PP3.exe vcrmon.exe VetTray.exe VPTRAY.EXE vrfwsvc.exe VRMONNT.EXE vrmonsvc.exe VSECOMR.EXE Vshwin32.exe vsmon.exe VsStat.exe WATCHDOG.EXE Webscanx.exe WEBTRAP.EXE WGFE95.EXE Winaw32.exe WRADMIN.EXE WRCTRL.EXE zatutor.exe ZAUINST.EXE zlclient.exe zonealarm.exe
Stops and Disables Services
Win32.Fantibag.U attempts to stop, then disable the following services:
Ahnlab task Scheduler alerter AlertManger AntiVir Service aswUpdSv Ati HotKey Poller avast! Antivirus AVEService AVExch32Service avg7alrt avg7updsvc AvgCore AvgFsh AvgServ AVIRAMailService AVIRAService avpcc AVUPDService AVWUpSrv AvxIni awhost32 backweb client - 4476822 BackWeb Client - 7681197 backweb client-4476822 bdss BlackICE CAISafe ccEvtMgr ccPwdSvc ccSetMgr ccSetMgr.exe DefWatch dvpapi dvpinit F-Secure Gatekeeper Handler Starter fsbwsys fsdfwd FSMA Guard NT InoRpc InoRT InoTask KAVMonitorService kavsvc KLBLMain McAfee Firewall McAfeeFramework McShield McTaskManager mcupdmgr.exe MCVSRte MonSvcNT navapsvc Network Associates Log Service nipsvc NISSERV NISUM NOD32ControlCenter NOD32Service Norman NJeeves Norman Type-R Norman ZANDA Norton Antivirus Server NPFMntor NProtectService NSCTOP nvcoas NVCScheduler nwclntc nwclntd nwclnte nwclntf nwclntg nwclnth NWService Outbreak Manager Outpost Firewall OutpostFirewall PASSRV PAVFNSVR Pavkre PavProt PavPrSrv PAVSRV PCCPFW PersFW PREVSRV PSIMSVC ravmon8 SAVFMSE SAVScan SBService schscnt SharedAccess SmcService SNDSrvc SPBBCSvc SpiderNT SweepNet SWEEPSRV.SYS Symantec AntiVirus Client Symantec Core LC Tmntsrv V3MonNT V3MonSvc Vba32ECM Vba32ifs Vba32Ldr Vba32PP3 VexiraAntivirus VisNetic AntiVirus Plug-in vsmon vsserv wuauserv xcomm
Modifies System Settings/Lowers Security Settings
Fantibag.U attempts to delete the following registry values if they exist:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
as well as the following registry keys:
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\Zone Labs
HKLM\SOFTWARE\Trend Micro
Fantibag.U searches fixed drives for the following files and attempts to delete them. If a file cannot be deleted, the trojan instead tries to rename it. The new file name for each entry is listed beside the original name below:
Original file name -> New file name
ashAvast.exe -> 1ashAvast.exe
ashDisp.exe -> 1ashDisp.exe
ashEnhcd.exe -> 1ashEnhcd.exe
ashPopWz.exe -> 1ashPopWz.exe
ashShA64.dll -> 1ashShA64.dll
ashSimpl.exe -> 1ashSimpl.exe
ashSkPck.exe -> 1ashSkPck.exe
ashWebSv.exe -> 1ashWebSv.exe
AUPDATE.EXE -> 1AUPDATE.EXE
Avconsol.exe -> 1Avconsol.exe
avgcc.exe -> 1avgcc.exe
AVGCMSG.DLL -> 1AVGCMSG.DLL
avgemc.exe -> 1avgemc.exe
AVGNT.EXE -> 1AVGNT.EXE
AVSCHED32.DLL -> 1AVSCHED32.DLL
AVSCHED32.EXE -> 1AVSCHED32.EXE
Avsynmgr.exe -> 1Avsynmgr.exe
AVWUPD32.EXE -> 1AVWUPD32.EXE
BCGCB59.dll -> 1BCGCB59.dll
bdmcon.exe -> 1bdmcon.exe
bdnews.exe -> 1bdnews.exe
bdsubmit.exe -> 1bdsubmit.exe
bdswitch.exe -> 1bdswitch.exe
cafix.exe -> 1cafix.exe
ccApp.exe -> 1ccApp.exe
CCEVTMGR.EXE -> 1CCEVTMGR.EXE
ccl30.dll -> 1ccl30.dll
CCSETMGR.EXE -> 1CCSETMGR.EXE
ccvrtrst.dll -> 1ccvrtrst.dll
ClamTray.exe -> 1ClamTray.exe
ClamWin.exe -> 1ClamWin.exe
CMGrdian.exe -> 1CMGrdian.exe
D2htls32.dll -> 1D2htls32.dll
drwadins.exe -> 1drwadins.exe
drweb32w.exe -> 1drweb32w.exe
drwebscd.exe -> 1drwebscd.exe
drwebupw.exe -> 1drwebupw.exe
FFJMPWEB.DLL -> 1FFJMPWEB.DLL
freshclam.exe -> 1freshclam.exe
GUARDEVT.DLL -> 1GUARDEVT.DLL
GUARDGUI.EXE -> 1GUARDGUI.EXE
GUARDMSG.DLL -> 1GUARDMSG.DLL
GuardNT.exe -> 1GuardNT.exe
IksysT32.dll -> 1IksysT32.dll
INETUPD.EXE -> 1INETUPD.EXE
InocIT.exe -> 1InocIT.exe
InoOEM.dll -> 1InoOEM.dll
InoOption.dll -> 1InoOption.dll
InoUpTNG.exe -> 1InoUpTNG.exe
isafe.exe -> 1isafe.exe
KAV.exe -> 1KAV.exe
kavmm.exe -> 1kavmm.exe
KAVPF.exe -> 1KAVPF.exe
LUALL.EXE -> 1LUALL.EXE
LUINSDLL.DLL -> 1LUINSDLL.DLL
Luupdate.exe -> 1Luupdate.exe
Mcshield.exe -> 1Mcshield.exe
NAVAPSVC.EXE -> 1NAVAPSVC.EXE
nod32.exe -> 1nod32.exe
nod32api.dll -> 1nod32api.dll
nod32kui.exe -> 1nod32kui.exe
NPFMNTOR.EXE -> 1NPFMNTOR.EXE
npfmsg.exe -> 1npfmsg.exe
Nvccf0D.dll -> 1Nvccf0D.dll
Nvcevlog.dll -> 1Nvcevlog.dll
Nvcod.exe -> 1Nvcod.exe
Nvcte.exe -> 1Nvcte.exe
Nvcut.exe -> 1Nvcut.exe
OCONNDLG.DLL -> 1OCONNDLG.DLL
OCOOKDLG.DLL -> 1OCOOKDLG.DLL
outpost.exe -> 1outpost.exe
pccguide.exe -> 1pccguide.exe
PcCtlCom.exe -> 1PcCtlCom.exe
python23.dll -> 1python23.dll
QHPF.EXE -> 1QHPF.EXE
Realmon.exe -> 1Realmon.exe
RuLaunch.exe -> 1RuLaunch.exe
schface.dll -> 1schface.dll
SNDSrvc.exe -> S1NDSrvc.exe
SPBBCSvc.exe -> S1PBBCSvc.exe
spiderml.exe -> s1piderml.exe
symlcsvc.exe -> s1ymlcsvc.exe
T2w32.dll -> T12w32.dll
Tmntsrv.exe -> T1mntsrv.exe
TmPfw.exe -> Tm1Pfw.exe
tmproxy.exe -> tm1proxy.exe
Up2Date.exe -> U1p2Date.exe
upgrepl.exe -> u1pgrepl.exe
Vba32ECM.exe -> V1ba32ECM.exe
Vba32ifs.exe -> V1ba32ifs.exe
vba32ldr.exe -> v1ba32ldr.exe
Vba32PP3.exe -> V1ba32PP3.exe
vbaifps.dll -> vb1aifps.dll
vetredir.dll -> v1etredir.dll
Vshwin32.exe -> Vs1hwin32.exe
VsStat.exe -> Vs1Stat.exe
vsvault.dll -> vs1vault.dll
XT1922.dll -> XT11922.dll
zatutor.exe -> za1tutor.exe
zlavscan.dll -> zla1vscan.dll
zlclient.exe -> zl1client.exe
zonealarm.exe -> zo1nealarm.exe