Email-Worm:W32/Bagle.HR

[Humpty]

Seems a particularly nasty one.

Wonder why "Giant Antispyware" is included in the list.

Didn't MS do the usual with this once great AS, take it over and stuff it up?

 

F-Secure article

Email-Worm:W32/Bagle.HR is a trojan-downloader with rootkit technology.

The rootkit driver terminates and deletes the following files that are related to antivirus software:

 

* _AVP32.EXE

* _AVPCC.EXE

* _AVPM.EXE

* a2guard.exe

* aavshield.exe

* AckWin32.exe

* ADVCHK.EXE

* AhnSD.exe

* airdefense.exe

* ALERTSVC.EXE

* ALMon.exe

* ALOGSERV.EXE

* ALsvc.exe

* amon.exe

* Anti-Trojan.exe

* AntiVirScheduler

* AntiVirService

* ANTS.EXE

* APVXDWIN.EXE

* Armor2net.exe

* ashAvast.exe

* ashDisp.exe

* ashEnhcd.exe

* ashMaiSv.exe

* ashPopWz.exe

* ashServ.exe

* ashSimpl.exe

* ashSkPck.exe

* ashWebSv.exe

* aswUpdSv.exe

* ATCON.EXE

* ATUPDATER.EXE

* ATWATCH.EXE

* AUPDATE.EXE

* AUTODOWN.EXE

* AUTOTRACE.EXE

* AUTOUPDATE.EXE

* avciman.exe

* Avconsol.exe

* AVENGINE.EXE

* avgamsvr.exe

* avgcc.exe

* AVGCC32.EXE

* AVGCTRL.EXE

* avgemc.exe

* avgfwsrv.exe

* AVGNT.EXE

* avgntdd

* avgntmgr

* AVGSERV.EXE

* AVGUARD.EXE

* avgupsvc.exe

* avinitnt.exe

* AvkServ.exe

* AVKService.exe

* AVKWCtl.exe

* AVP.EXE

* AVP32.EXE

* avpcc.exe

* avpm.exe

* AVPUPD.EXE

* AVSCHED32.EXE

* avsynmgr.exe

* AVWUPD32.EXE

* AVWUPSRV.EXE

* AVXMONITOR9X.EXE

* AVXMONITORNT.EXE

* AVXQUAR.EXE

* BackWeb-4476822.exe

* bdmcon.exe

* bdnews.exe

* bdoesrv.exe

* bdss.exe

* bdsubmit.exe

* bdswitch.exe

* blackd.exe

* blackice.exe

* cafix.exe

* ccApp.exe

* ccEvtMgr.exe

* ccProxy.exe

* ccSetMgr.exe

* CFIAUDIT.EXE

* ClamTray.exe

* ClamWin.exe

* Claw95.exe

* Claw95cf.exe

* cleaner.exe

* cleaner3.exe

* CliSvc.exe

* CMGrdian.exe

* cpd.exe

* DefWatch.exe

* DOORS.EXE

* DrVirus.exe

* drwadins.exe

* drweb32w.exe

* drwebscd.exe

* DRWEBUPW.EXE

* ESCANH95.EXE

* ESCANHNT.EXE

* ewidoctrl.exe

* EzAntivirusRegistrationCheck.exe

* F-AGNT95.EXE

* F-PROT95.EXE

* F-Sched.exe

* F-StopW.EXE

* FAMEH32.EXE

* FAST.EXE

* FCH32.EXE

* FireSvc.exe

* FireTray.exe

* FIREWALL.EXE

* fpavupdm.exe

* freshclam.exe

* FRW.EXE

* fsav32.exe

* fsavgui.exe

* fsbwsys.exe

* fsdfwd.exe

* FSGK32.EXE

* fsgk32st.exe

* fsguiexe.exe

* FSM32.EXE

* FSMA32.EXE

* FSMB32.EXE

* fspex.exe

* fssm32.exe

* gcasDtServ.exe

* gcasServ.exe

* GIANTAntiSpywareMain.exe

* GIANTAntiSpywareUpdater.exe

* GUARD.EXE

* GUARDGUI.EXE

* GuardNT.exe

* HRegMon.exe

* Hrres.exe

* HSockPE.exe

* HUpdate.EXE

* iamapp.exe

* iamserv.exe

* ICLOAD95.EXE

* ICLOADNT.EXE

* ICMON.EXE

* ICSSUPPNT.EXE

* ICSUPP95.EXE

* ICSUPPNT.EXE

* IFACE.EXE

* INETUPD.EXE

* InocIT.exe

* InoRpc.exe

* InoRT.exe

* InoTask.exe

* InoUpTNG.exe

* IOMON98.EXE

* isafe.exe

* ISATRAY.EXE

* ISRV95.EXE

* ISSVC.exe

* JEDI.EXE

* KAV.exe

* kavmm.exe

* KAVPF.exe

* KavPFW.exe

* KAVStart.exe

* KAVSvc.exe

* KAVSvcUI.EXE

* KMailMon.EXE

* KPfwSvc.EXE

* KWatch.EXE

* livesrv.exe

* LOCKDOWN2000.EXE

* LogWatNT.exe

* lpfw.exe

* LUALL.EXE

* LUCOMSERVER.EXE

* Luupdate.exe

* MCAGENT.EXE

* mcmnhdlr.exe

* mcregwiz.exe

* Mcshield.exe

* MCUPDATE.EXE

* mcvsshld.exe

* MINILOG.EXE

* MONITOR.EXE

* MonSysNT.exe

* MOOLIVE.EXE

* MpEng.exe

* mpssvc.exe

* MSMPSVC.exe

* myAgtSvc.exe

* myagttry.exe

* navapsvc.exe

* NAVAPW32.EXE

* NavLu32.exe

* NAVW32.EXE

* NDD32.EXE

* NeoWatchLog.exe

* NeoWatchTray.exe

* NISSERV

* NISUM.EXE

* NMAIN.EXE

* nod32.exe

* nod32krn.exe

* nod32kui.exe

* NORMIST.EXE

* notstart.exe

* npavtray.exe

* NPFMNTOR.EXE

* npfmsg.exe

* NPROTECT.EXE

* NSCHED32.EXE

* NSMdtr.exe

* NssServ.exe

* NssTray.exe

* ntrtscan.exe

* NTXconfig.exe

* NUPGRADE.EXE

* NVC95.EXE

* Nvcod.exe

* Nvcte.exe

* Nvcut.exe

* NWService.exe

* OfcPfwSvc.exe

* OUTPOST.EXE

* PAV.EXE

* PavFires.exe

* PavFnSvr.exe

* Pavkre.exe

* PavProt.exe

* pavProxy.exe

* pavprsrv.exe

* pavsrv51.exe

* PAVSS.EXE

* pccguide.exe

* PCCIOMON.EXE

* pccntmon.exe

* PCCPFW.exe

* PcCtlCom.exe

* PCTAV.exe

* PERSFW.EXE

* pertsk.exe

* PERVAC.EXE

* PNMSRV.EXE

* POP3TRAP.EXE

* POPROXY.EXE

* prevsrv.exe

* PsImSvc.exe

* QHM32.EXE

* QHONLINE.EXE

* QHONSVC.EXE

* QHPF.EXE

* qhwscsvc.exe

* RavMon.exe

* RavTimer.exe

* Realmon.exe

* REALMON95.EXE

* Rescue.exe

* rfwmain.exe

* Rtvscan.exe

* RTVSCN95.EXE

* RuLaunch.exe

* SAVAdminService.exe

* SAVMain.exe

* savprogress.exe

* SAVScan.exe

* SCAN32.EXE

* ScanningProcess.exe

* sched.exe

* sdhelp.exe

* SERVIC~1.EXE

* SHSTAT.EXE

* SiteCli.exe

* smc.exe

* SNDSrvc.exe

* SPBBCSvc.exe

* SPHINX.EXE

* spiderml.exe

* spidernt.exe

* Spiderui.exe

* SpybotSD.exe

* SPYXX.EXE

* SS3EDIT.EXE

* stopsignav.exe

* swAgent.exe

* swdoctor.exe

* SWNETSUP.EXE

* symlcsvc.exe

* SymProxySvc.exe

* SymSPort.exe

* SymWSC.exe

* SYNMGR.EXE

* TAUMON.EXE

* TBMon.exe

* TC.EXE

* tca.exe

* TCM.EXE

* TDS-3.EXE

* TeaTimer.exe

* TFAK.EXE

* THAV.EXE

* THSM.EXE

* Tmas.exe

* tmlisten.exe

* Tmntsrv.exe

* TmPfw.exe

* tmproxy.exe

* TNBUtil.exe

* TRJSCAN.EXE

* Up2Date.exe

* UPDATE.EXE

* UpdaterUI.exe

* upgrepl.exe

* Vba32ECM.exe

* Vba32ifs.exe

* vba32ldr.exe

* Vba32PP3.exe

* VBSNTW.exe

* vchk.exe

* vcrmon.exe

* VetTray.exe

* VirusKeeper.exe

* VPTRAY.EXE

* vrfwsvc.exe

* VRMONNT.EXE

* vrmonsvc.exe

* vrrw32.exe

* VSECOMR.EXE

* Vshwin32.exe

* vsmon.exe

* vsserv.exe

* VsStat.exe

* WATCHDOG.EXE

* WebProxy.exe

* Webscanx.exe

* WEBTRAP.EXE

* WGFE95.EXE

* Winaw32.exe

* winroute.exe

* winss.exe

* winssnotify.exe

* WRADMIN.EXE

* WRCTRL.EXE

* xcommsvr.exe

* zatutor.exe

* ZAUINST.EXE

* zlclient.exe

* zonealarm.exe

[DennisD]

Unfortunately more than one of my AV exe files on that list, and I don't have a rootkit scanner.

 

I've previously had the trial version of F-Secures Blacklight, but not keen on trying the latest beta version as the warning notice on the download page dosen't fill you with confidence.

[rridgely]

antivir now has a built in rootkit scanner.

It seems nice enough.(I haven't tried it on an infected computer yet)

 

I'm trying boclean and its not on the list. I wonder if it detects this.

[DennisD]

I've got Boclean, but haven't installed it yet, but I've just remembered that there are a good selection of Anti-Rootkit applications on AndyManchesta's site, but don't know too much about most of them.

 

Anyway, just had a quick look and I'm gonna try AVG's Anti-Rootkit, although I keep wondering about trying Antivir, although I still like Avast.

 

Decisions

[DennisD]

AVG Anti Rootkit Free seems like a good piece of software, with a nice interface and manual updates.

 

Has two searches, "Search For Rootkits" and "Perform In Depth Search". Only tried the first one so far, and it's quick but seems quite thorough. Only took a couple of minutes.

[rridgely]

Yeah AVG rootkit is alright.

There are so many antirookit programs.(almost every AV vendor has a free one out)