anthonyt
09-01-2004, 08:46 PM
I have received emails from a couple of ems people with the following worms attached please check your computers. I have cut and pasted the following info from Trend Micro Inc.'s website.... they also offer a FREE online virus scanner at www.antivirus.com if you need a way to check.
--------------------------------------------------------------------------------
Virus type: Worm
Destructive: No
Aliases: Download.Ject.D, Bagle.AK, Win32/Bagle.Downloader.Trojan, Troj/BagleDl-A
Pattern file needed: 2.169.02
Scan engine needed: 6.810
Overall risk rating: Medium
--------------------------------------------------------------------------------
Reported infections: Medium
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description:
As of 3:06 PM August 31, 2004 (GMT -07:00; Daylight Savings Time), TrendLabs has declared a Medium Risk alert to control the spread of this new BAGLE variant that is spreading via email. Infection reports have been received from Brazil, the US and Canada.
This worm usually arrives via email packaged as a .ZIP compressed file. Similar to the BAGLE variant WORM_BAGLE.AC, this worm does not directly send itself via email to target recipients as an email attachment. It has an HTML script component (HTML_BAGLE.AI) that is designed to execute it and a Trojan component that downloads it as a .JPG file from certain sites. The downloaded files are then saved as _re_file.exe in the Windows folder.
As of this writing, however, the download sites are either down or non-existent.
To disable antivirus protection on the affected system, this worm terminates certain antivirus processes.
On Windows 2000, XP, 2003, it stops and disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Note: Current samples obtained of the HTML script and Trojan downloader components do not appear to contain any propagation routine.
Solution:
IMPORTANT: Users of Trend Micro PC-cillin Internet Security and Network VirusWall should check if their products have updated to CFW/NVP pattern 10138 or later.
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Restarting in Safe Mode
» On Windows 95
Restart your computer.
Press F8 at the Starting Windows 95 message.
Choose Safe Mode from the Windows 95 Startup Menu then press Enter.
» On Windows 98 and ME
Restart your computer.
Press the CTRL key until the startup menu appears.
Choose the Safe Mode option then press Enter.
» On Windows NT (VGA mode)
Click Start>Settings>Control Panel.
Double-click the System icon.
Click the Startup/Shutdown tab.
Set the Show List field to 10 seconds and click OK to save this change.
Shut down and restart your computer.
Select VGA mode from the startup menu.
» On Windows 2000
Restart your computer.
Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
» On Windows XP
Restart your computer.
Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
wersds.exe = "%System%\doriot.exe"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
wersds.exe = "%System%\doriot.exe"
Close Registry Editor.
--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BAGLE.AI. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
For product-specific solutions, please refer to Solution 21385 of the Trend Micro Knowledge Base.
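The manual-removal section above boils down to two indicators you can check without touching the registry by hand: a Run value named wersds.exe under HKLM or HKCU, and data pointing at doriot.exe in the system folder. The script below is an added example (my own, not Trend Micro's code and not part of the original post): it parses a .reg export of the Run keys, the kind of file `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces, and reports any entry that matches those indicators. The sample export embedded in it is constructed for the demonstration, and it assumes a .reg file with REG_SZ values only (REG_EXPAND_SZ data is exported as hex(2) and is skipped). It matches on the file name rather than on the literal "%System%", because that placeholder in the advisory stands for the real system folder path as it appears on disk.

```python
"""Triage check for the WORM_BAGLE.AI autostart entries named in the advisory.

Added example, not Trend Micro's code. Parses a .reg export (the format
`reg export` writes) and flags Run entries matching the advisory's indicators.
"""
import re
import sys

# Indicators quoted from the advisory: the Run value name and the file it points to.
IOC_VALUE_NAME = "wersds.exe"
IOC_FILE_NAME = "doriot.exe"

# The two autostart keys the advisory tells the reader to inspect (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample in the layout `reg export` writes; not a real export.
# Inside .reg string data, backslashes and double quotes are escaped with a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"wersds.exe"="%System%\\doriot.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with backslash escapes allowed inside both quoted parts.
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: [(value_name, data), ...]} for REG_SZ values in a .reg export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def find_bagle_autostarts(text):
    """List Run entries whose value name or data matches the advisory's indicators."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values:
            reasons = []
            if name.lower() == IOC_VALUE_NAME:
                reasons.append("value name matches advisory")
            # The advisory's %System% is a placeholder; on disk the data holds the expanded
            # system folder path, so match on the file name alone.
            if IOC_FILE_NAME in data.lower():
                reasons.append("data references " + IOC_FILE_NAME)
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reason": "; ".join(reasons)})
    return findings


def load_reg_file(path):
    """Read a .reg export; `reg export` writes UTF-16 with a BOM, older tools write ANSI."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("latin-1")


if __name__ == "__main__":
    # Usage: python check_bagle_run_keys.py [exported.reg]; with no argument the constructed sample is scanned.
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    hits = find_bagle_autostarts(text)
    if not hits:
        print("No WORM_BAGLE.AI autostart indicators found.")
    for h in hits:
        print(f"[{h['key']}] {h['name']} = {h['data']}  <- {h['reason']}")
```

Run it against the export of both Run keys; a hit tells you which hive holds the entry, so you know whether the machine-wide key, the current user's key, or both need cleaning before the Safe Mode scan. It reports only; deletion is left to the manual steps or to a full antivirus scan.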