SOURCE: wwwDOTmalwarecityDOTc0m/blog/removal-win32wormbagle-124.html
Removal Win32.Worm.Bagle
Date: 07/17/2008
Author: Andrei Bereczki
The Bagle worm is a piece of malware that spreads by itself over email, disk drives and network shares. It has rootkit capabilities that enable it to hide from the user. It disables the windows firewall and several antivirus products. It also drops a hosts file which disables access to certain anti-virus websites. Anti-virus software might be unable to perform any definition updates because of this.
In order to remove Win32.
Worm.Bagle we first have to know that we are infected with it.
- Go to Start->Run and type cmd.exe
- Browse to %windir%system32drivers by typing “cd %windir%system32drivers”
- Type “dir srosa*” and “dir *.exe”. If you have some of the following files displayed you have a bagle infection:
srosa.sys (Bagle rootkit, almost in all versions)
pci32.sys (old versions)
hldrrr.exe or
hidr.exe
mdelk.exe
- You may also check “sc query srosa” and “sc query pci32” but this may or may not return results.
Now if you successfully identified a Win32.Worm.Bagle infection it's time for neutralization and removal. Please follow these steps:
- Type “copy null.sys srosa.sys” (replace srosa.sys with pci32.sys if you have the older version) in your command prompt.
Note: it's supposed that you are still in %windir%system32drivers
Explanation: we are replacing srosa.sys with the dummy null driver that does nothing, so this is what will be loaded on system startup uppon reboot
- type “attrib +r +h srosa.sys” in your command prompt
Explanation: the
Trojan component of bagle will try to rewrite srosa.sys on every system
boot. If it's hidden and read only it will not be able to do so (in these version so far).
- Reboot
- Open a command shell again (see step 1 from the detection process)
- Go to %windir%system32drivers (see step 2 from the detection process)
- Unhide the hidden srosa file: “attrib -h srosa.sys”
- Delete the files you detected earlier by typing: “del /f filename”. For example: “del /f srosa.sys”, “del /f hldrrr.exe”, “del /f mdelk.exe” etc.
- Delete the registry keys it created by typing:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "drvsyskit" /F
reg delete "HKLM\SYSTEM\CurrentControl\SetServices\srosa" /F
9. Start regedit (Start -> Run then type: regedit.exe)
Browse to the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA and right click it.
Select Permissions, select Everyone then check Allow "Full-Control".
After this delete the key
At this point your system should be clean of the Bagle infection. If any of the steps above fails, please send us a copy of the file at
virus-submission(AT)bitdefender.com in order to assist you with a specific removal guide.
Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any
threat version described above.
or better yet, call some techie friends or technicians. Then pay them, it's worth your data