Virus: I-Worm/Bagle
Saturday, December 10th, 2005

I’ve decided to start (b)logging some of the PC problems that I fix, especially the viruses and trojans and suchlike.
A client’s WindowsXP PC was brought in to me yesterday because it was behaving oddly—amongst other things I noted that:
- The firewall wasn’t running (neither XP’s own firewall nor ZoneAlarm)—ZoneAlarm wouldn’t run even when started manually, it seemed broken or disabled
- The anti-virus software wasn’t running (AVG)—again, this wouldn’t run properly even when started manually
- I was unable to bring up Task Manager using the taskbar’s right-click menu
- Hitting ctrl-alt-del merely brought up an hourglass pointer for a brief moment
- The system was regularly showing a dialog saying ‘Connect to av2026.comex.ru’ and requesting a user password
Using a bit of software by Sysinternals called Autoruns, I stopped the system from executing the files ‘C:\WINDOWS\system32\anti_troj.exe’ and ‘C:\WINDOWS\system32\antiav_exe.exe’ on boot. This then allowed me to successfully re-install the broken software (AVG and ZoneAlarm) and get the system running OK again.
After re-installing AVG and updating its definition files, I scanned the system and found ‘Virus: I-Worm/Bagle’ and successfully cleaned it up. The system seemed to have no other viruses or spyware on it.
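The Autoruns step above can be reproduced from the command line. The script below is an added example, not part of the original post and not a Sysinternals tool: it walks the Run/RunOnce keys and the Winlogon Shell/Userinit values, flags any entry whose executable name matches a suspicious list (seeded with the two file names from the post), and, with -Disable, renames the offending Run value so it no longer executes at boot but is kept for later inspection. The set of locations is my assumption of what a practitioner would check first; Autoruns covers far more (services, drivers, scheduled tasks, browser helper objects). It is written for a current Windows system and would not have run on the 2005-era XP box without first installing PowerShell.

```powershell
# Added example (not from the original post): enumerate common autostart
# locations and flag entries whose target executable matches a list of
# suspicious names. The two default names come from the post. Run from an
# elevated prompt. -Disable renames matching Run values (prefix DISABLED_)
# instead of deleting them so the original command line is preserved.
param(
    [string[]]$Suspicious = @('anti_troj.exe', 'antiav_exe.exe'),
    [switch]$Disable
)

# Assumption: these four keys plus Winlogon are the first places to look.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Pull the executable name out of a command line such as
#   "C:\WINDOWS\system32\anti_troj.exe" /silent   or   C:\foo\bar.exe -x
function Get-ExeName([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($command -split '\s+')[0] }
    return [System.IO.Path]::GetFileName($path)
}

$findings = @()

# Run / RunOnce values: one registry value per autostart entry
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = Get-ExeName $p.Value
        if ($Suspicious -contains $exe) {       # -contains is case-insensitive
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Winlogon Shell / Userinit: comma-separated lists, so check each element
foreach ($name in 'Shell', 'Userinit') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) { continue }
    foreach ($part in ($value -split ',')) {
        if ($Suspicious -contains (Get-ExeName $part)) {
            $findings += [pscustomobject]@{ Key = $winlogon; Name = $name; Command = $value }
        }
    }
}

if (-not $findings) {
    Write-Host 'No matching autostart entries found.'
    exit 0
}
$findings | Format-Table -AutoSize

if ($Disable) {
    foreach ($f in $findings) {
        if ($f.Key -eq $winlogon) {
            # Renaming Shell/Userinit would break logon; these must be restored to
            # their default values by hand after the rogue element is removed.
            Write-Warning "Winlogon\$($f.Name) contains a suspicious element; repair it manually."
            continue
        }
        Rename-ItemProperty -Path $f.Key -Name $f.Name -NewName ("DISABLED_" + $f.Name)
        Write-Host "Disabled $($f.Key)\$($f.Name)"
    }
}
```

Run it once without -Disable to review the findings, then again with -Disable after taking a copy of the affected keys (reg export). The matching is by file name only, so a sample that drops a randomly named executable will not be caught this way; that is where a full Autoruns pass, or comparing against a known-good image, is the better check.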
I believe the users of this PC surf exclusively with Firefox, so my theory is that the virus came as an email attachment, or it was possibly transmitted via instant messaging.