bagle removal solution

Discussion in 'Malware Help (A Specialist Will Reply)' started by olithejunglist, Jan 6, 2010.

  1. olithejunglist

    olithejunglist Private E-2

    OS: XP 32

    I had all the problems associated with the srosa2 variant of this worm.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Worm.Bagel)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Worm.Bagel)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Worm.Bagel)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1)

    Folders Infected:
    C:\Documents and Settings\oli\Application Data\m (Trojan.Agent)

    Files Infected:
    C:\Documents and Settings\oli\Application Data\drivers\srosa2.sys (Worm.Bagel)
    C:\Documents and Settings\oli\Application Data\m\data.oct (Trojan.Agent)
    C:\Documents and Settings\oli\Application Data\m\list.oct (Trojan.Agent)
    C:\Documents and Settings\oli\Application Data\m\srvlist.oct (Trojan.Agent)
    C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer)
    C:\WINDOWS\system32\wintems.exe (Trojan.Spammer)
    C:\Documents and Settings\oli\Application Data\m\flec006.exe (Trojan.Agent)

To sort it out I disabled my system restore and recycle bin, then manually deleted the reg keys and contents of the C:\Documents and Settings\oli\Application Data\m folder. I could not delete the actual folder as it was 'not empty'. Using CMD I navigated to the folder and listed its contents, which were 2 folders by the names of . and .., both completely undeletable. I also deleted srosa2.sys and, thanks to forum help, discovered a device in the Non Plug & Play section of Device Manager called sk9Ou0s which I stopped and uninstalled.

The real trick to this was that I was able to then reboot into a Vista 64 install on the same machine and run a fully up-to-date, in-depth, full-on Avast system scan which picked up a load of the files that can't actually be seen in the relevant folders and deleted them. Another virus that was found was a 'zipper' in my hiberfil.sys (not sure if this is related to the Bagle worm).

Another thing that I noticed was that when in Vista I could not access the folder C:\Documents and Settings\oli\Application Data\ as the permissions would not allow me. I edited the security settings of this folder so I gained complete control as my Vista profile and I could then manually delete the 'm' folder contained within. Doing this also allowed the AV software to discover tens of other Bagle-infected .exe's in that folder. When I rebooted back into XP I had to change the permissions of the Application Data folder back to my XP profile to gain access again.

Admittedly this would only work on a dual-boot system, but to some sufferers of the Bagle worm this may be a more useful solution than having to do a full reinstall.

At the mo I am running every malware and AV prog worth its salt to make sure the infection is properly gone. Many a rescan and reboot to go.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Proper complete bagle removal instructions are here: Removing Bagle Infections

Some comments for your continued education ;) The folders represented by the . and the .. are standard in every single folder. The single period represents the current folder that you are in. The double period means the next higher level folder up the chain. These had nothing to do with why you could not delete the m folder. You could not delete the m folder due to the infection's rootkit-like properties, which were hiding files from your view. It does not matter whether you enable viewing of hidden files and folders. Files can still be hidden from your view while the infection is loaded when the OS is booted. That is why when you ran the Vista partition, you could now see the files that were previously hidden when you were booting the infected Win XP partition.

    Just to be safe, it would still be a good idea to run the above fix after booting back into Windows XP.
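The following script is an added example, not code from this thread or from MajorGeeks. It checks, on the cleaned XP install, for the specific indicators the original poster's Malwarebytes report listed (the sk9ou0s service key and driver, the Run value, the Browser Settings values, the Start menu values, and the files under Application Data and system32), so the result of a manual cleanup can be verified. It assumes PowerShell is installed on that XP system and is run as an administrator; the user profile path comes from `$env:APPDATA` rather than the poster's "oli" profile. The caveat from the reply above applies: while the rootkit driver is still loaded, the files it hides are invisible to this script as well, so a clean result is only meaningful once the driver and service are gone, or when the profile folder is checked from the other boot.

```powershell
# Added example (not from the thread): verify the Bagle/srosa2 indicators listed
# in the original post are gone. Run as administrator on the cleaned XP boot.
# Caveat: items hidden by a still-loaded rootkit driver will not be seen here.

function Test-BagleIndicators {
    $findings = @()

    # Files and folders from the report, mapped to the current user's profile
    # (on XP $env:APPDATA is C:\Documents and Settings\<user>\Application Data).
    $appData = $env:APPDATA
    $filePaths = @(
        (Join-Path $appData 'drivers\srosa2.sys'),
        (Join-Path $appData 'm'),
        (Join-Path $env:SystemRoot 'system32\mdelk.exe'),
        (Join-Path $env:SystemRoot 'system32\wintems.exe')
    )
    foreach ($p in $filePaths) {
        # -LiteralPath so brackets in a path are not treated as wildcards.
        # Test-Path sees hidden/system attributes, but not rootkit-hidden items.
        if (Test-Path -LiteralPath $p) {
            $findings += "still present on disk: $p"
        }
    }

    # The service key was reported under ControlSet001, ControlSet003 and
    # CurrentControlSet, so check every control set, not just the live one.
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $svcKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\sk9ou0s"
        if (Test-Path -LiteralPath $svcKey) {
            $findings += "service key still present: $svcKey"
        }
    }

    # The same service appears as a kernel driver, which is the "Non Plug and
    # Play" device the poster stopped and uninstalled in Device Manager.
    $driver = Get-WmiObject Win32_SystemDriver -Filter "Name='sk9ou0s'"
    if ($driver) {
        $findings += "driver sk9ou0s still registered (state: $($driver.State))"
    }

    # Registry values from the report (autostart entry and Browser Settings).
    $browserSettings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
    $regValues = @(
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'mule_st_key' },
        @{ Path = $browserSettings; Name = 'bf' },
        @{ Path = $browserSettings; Name = 'bk' },
        @{ Path = $browserSettings; Name = 'iu' },
        @{ Path = $browserSettings; Name = 'mu' }
    )
    foreach ($v in $regValues) {
        # Get-ItemProperty errors (non-terminating) when the key or value is
        # missing; suppressing that turns "missing" into $null.
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $findings += "registry value still present: $($v.Path)\$($v.Name)"
        }
    }

    # Start menu values the report flagged as hijacked: 0 was bad, 1 was good.
    $advanced = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($n in 'Start_ShowHelp', 'Start_ShowMyDocs') {
        $item = Get-ItemProperty -Path $advanced -Name $n -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$n -eq 0) {
            $findings += "$n is still 0 (report listed 1 as the good value)"
        }
    }

    return $findings
}

# Wrap in @() so an empty result is an array with Count 0 on PowerShell 2.0 too.
$results = @(Test-BagleIndicators)
if ($results.Count -eq 0) {
    Write-Output 'None of the listed Bagle indicators were found.'
} else {
    Write-Output 'Indicators still present:'
    $results | ForEach-Object { Write-Output "  $_" }
}
```

A non-empty result after a reboot means the cleanup did not hold and the removal guide linked above should be followed; an empty result while the sk9ou0s driver is still listed by Device Manager should be treated as a false negative for the reason the reply gives.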
     
  3. olithejunglist

    olithejunglist Private E-2

The thing about certain folders having invisible folders is new to me. What I thought was interesting was the folder permissions that were set. This must be a major security flaw with Windows that a third party could infiltrate that level of the OS. The Bagle is a well developed virus; I just hope Windows can keep up. On the other hand I may be switching to a Linux OS very soon. Just glad I managed to sort it out in me own humble way.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Rootkits have been growing at an alarming rate since it is the best way to hide things from end users and from security programs. All OS's have design flaws; it is only the real popular OS that malware creators bother to do their dirty work on. Just like years ago they did not bother infecting Firefox because it was not that widespread. Now that Firefox is very popular, it actually has more security issues than Internet Explorer and is a larger reason for posts in the malware forum than IE.
     