Bagle variant ruined my security

Discussion in 'ESET Smart Security' started by quijibo, Jan 22, 2008.

Thread Status:
Not open for further replies.
  1. quijibo

    quijibo Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    2
    I'll try to make this as short as possible. I apologize for my English; I'm still under the stress of my situation. :)

    Yesterday my nightmare began, and I'm still fighting it on my desktop PC. I'm currently writing this on my laptop.
    I searched this forum and found a few threads warning about new BAGLE/BEAGLE
    variants that can kill ESET protection.

    Now it seems strange to me that this is not yet fixed in the new version of ESET SS. Well, I opened a file from a P2P zip; it was a small exe. And my real-time protection didn't detect it.

    Until that moment I had full trust in all ESET products and had always been recommending them. I couldn't have dreamed this could happen to me, since I always look after my PC security.

    Well, basically what happened: I lost egui.exe, the ekrn service, the firewall, couldn't boot to safe mode, my Internet Explorer kept crashing, any antivirus program was prevented from installing... and other lovely stuff.

    Well, a few solutions here say GMER and ESET Online should fix this.
    But it wasn't that easy... my desktop is still being scanned and cleaned.

    I educated myself more about the symptoms at some of these links:
    http://forums.spybot.info/showthread.php?t=22446
    http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-143.html

    There is much more info on other forums, and I'm surprised this dreadful threat has not been disabled earlier.

    I also did testing on my laptop... downloaded these dangerous files again under AVG Free protection. It also didn't get detected. It seems only Kaspersky can detect it well. I also sent this file to VirusTotal for analysis.

    {Snipped VT report - let's keep the thread clean of VT/Jotti/etc reports}


    I somehow fixed my safe mode boot and started GMER, and did an online scan with Kaspersky that found a lot of stuff but couldn't remove it.
    So since I was without antivirus protection, I uninstalled everything and wasn't able to install it back again.
    I found the Dr.Web CureIt tool... and now it's cleaning my desktop PC. I hope it will
    do the job right; if so, I think I'll migrate to this antivirus, since it was the only one that had this kind of tool.

    So on my laptop I tried the ESET online scan, and strangely it detected this malware file on my laptop. How come it didn't detect it when ESET Smart Security was installed?
    Now I'm really confused how this could all have happened, that such good protection was so easily disabled and such damage done, even though the threat warnings were out a few months ago??
     
  2. demonio

    demonio Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    48
    Probably at that time your antivirus had not been updated to version 2815.
    ESET was the first to recognize your new variant of Bagle.

    {Snipped VT report - let's keep the thread clean of VT/Jotti/etc reports}
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My first reaction is "What's wrong with this picture?"
    This statement actually seems potentially at odds with the first one quoted, although a lot of relevant context is missing.

    One comment that I'd make is, if you're relying solely on an AV for complete protection, that could be an issue. You could be part of that high-risk population that should augment your approach with either native OS security restrictions or some other active control measures. I realize this doesn't resolve your current problems; it's more for consideration moving forward.

    Blue
     
  4. quijibo

    quijibo Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    2
    Yes, I understand what you mean; it was primarily my mistake for starting up an obviously suspicious file in the first place. But my point was, if I as a somewhat more educated user made this mistake and my protection program didn't have a way to stop it, and the threat was known before, what would happen to beginner users?

    It's like I can guard my house with a dog, but the burglar can always come and kill my dog. So maybe I should get two dogs! :)

    Anyway, for my protection I did have ESET Smart Security, so it was not only AV. I also use Spybot Search & Destroy.

    Now on my laptop I use Sunbelt Kerio as firewall and am testing some other AV solutions.
    Well, I did a test with this infected exe file in a zip:
    AVG scan didn't detect it, even when the zip was unpacked.
    NOD32 3.0 didn't detect it when I scanned it, even when unpacking.
    Avast didn't detect it at all.
    Dr.Web detected it and removed it when it was being extracted.

    I had the latest version of ESET SS installed a week ago on trial when this hit me.
    I'm just looking now for other solutions; I was a really big fanatical fan of ESET products, but now I feel confused.
    It would be normal if Bagle was some newest variant and my AV didn't detect it. But it was an old threat.

    At this point I managed to clean my desktop system with the help of GMER, Kaspersky Online, Dr.Web CureIt, CCleaner, aft clean, and Dr.Web AV. But my system is still ruined, since I can't start services.msc, Windows Firewall and some others... doing a repair of Windows now...
     
    Last edited by a moderator: Jan 23, 2008
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    New Bagle variants are created on a daily basis and we add detection as soon as possible. Those who send us samples of it know what I'm talking about ;)
     
  6. demonio

    demonio Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    48
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    This type of situation was one of the background reasons I started the discussion of Light Virtualization. I believe that the vast majority of us benefit now, and will benefit for some time, from the expert analysis system provided by a conventional AV. NOD32 is a very good one that I highly recommend, but at times they may need a bit of backup and, at that point, it's just a question of how to make the trade-offs.

    Blue
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Blue is correct. It used to be that something like BoClean was adequate to use with NOD or any AV, but the reality now is a program for light virtualization like Sandboxie, Returnil or the one in my signature. It really isn't about one or the other like some feel, but a light combo of both that will afford you the best protection.
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    And just for the record, Nod is a great AV and what happened could happen, and does, to every other AV product.
     
  10. sjgore

    sjgore Registered Member

    Joined:
    May 22, 2007
    Posts:
    66
    Location:
    UK
    :eek: :blink:

    Remember: A computer is only as secure as the person using it!!

    Steve.
     
  11. keenedm

    keenedm Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    4
    Hi,
    I contracted Win32/TrojanDownloader.Bagle.MA last weekend, before NOD32 had been updated. I have disconnected the particular machine (my main box) from the net, and have only powered up once, since I understand the more times I power up the more files it may infect. Thankfully I was only active for about 1 hr before I noticed things were wrong.

    I'd obviously like to remove this. I have a few questions:

    1. Installed versions of OnlineArmor and NOD32 have been disabled, so I need to find a way to remove my infection. What is suggested?

    2. Will the NAV online scan do this, or will it simply point out where the virus has infected and maybe isolate these?

    3. What if some system files are infected; are these likely to be recoverable?

    4. Will the removal method be sure of removing all traces and all apps that shouldn't be there? I've read some versions of Bagle have a rootkit... any idea if this version does?

    5. Would I be better off copying (whilst using Ultimate Boot CD for Windows) all files from the infected machine to a USB disk and scanning that? Then I can copy the files back. This would be a whole lot more troublesome, but I am thinking it could all be done without booting from the infected OS. If an online scan is likely to remove all traces I'd rather do that for convenience.

    6. I also wish to understand more about this virus. I have googled this variant and have found no information... would I expect to find something in a few days/weeks, or is this only for very prevalent virii?

    Many many thanks!!

    BTW, sorry, I know this is the ESET Smart Security forum and I only have the AV installed, but I thought it appropriate to follow up a very similar thread.

    D
     
    Last edited: Mar 25, 2008
  12. ASpace

    ASpace Guest

    Does NOD32 now detect this, do you know? What is your version of NOD32 (v2 or v3)?

    No online scan can remove this (even if it detects it).
    Bagle.MA exists in ESET's databases, but since each and every vendor gives different names to threats, MA for ESET may be something different for another vendor.
     
  13. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    1. The best solution is making a log with some utility: ESET SysInspector, UPM, ...
    2. I didn't try, but I think not.
    3. If a disinfector is included in the antivirus or available separately, then yes. If not, then no. :D Some files can be overwritten. But Bagle isn't a file infector as far as I know.
    4. With specialized utilities you can delete the rootkit, too.
    5. I think it won't be necessary.
    6. When I removed it, there were a few files (one of them a .sys). The tactic was: use a utility which finds Bagle's files, and then use a utility which deletes the files and registry values/keys.
     
  14. keenedm

    keenedm Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    4
    Hi & thanks for the prompt help.

    I am on NOD32 v3, and as of now the definition files I have are 2971. You'll see from http://www.eset.com/support/updates.php that Win32/TrojanDownloader.Bagle.MA was added in update 2961.

    I discovered what my virus was prior to NOD32 being updated because I had a very suspicious file that OnlineArmor (great tool) alerted me to, which I then scanned with http://virusscan.jotti.org/ and http://www.virustotal.com/. Both those sites identified it with Kaspersky but no other big names at the time. The name was a similar variant of the NOD name, with "Bagle ma" being common. These sites then notify all other participating vendors of the virus so their sigs can be updated. Hence the reason, I guess, NOD32 managed it after my upload there??

    So, now we know that NOD32 can identify the virus (and I'll check this in isolation on my 2nd laptop), might the online detector now delete it? Re my 6th question before, is it likely to harm any data files such as JPGs??

    Many thanks for your help. I haven't had a virus since the days of the Amiga!! :)
     
  15. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Yes, but this is only a newer variant. The first Bagle downloader was added in 1.1409 :)

    I don't quite understand. If you mean the later update, then among the tons of files received from these services there's a small problem. I recommend sending threats directly to the lab with information in the subject, the file compressed into a password-protected ("infected") archive -> samples[at]eset.sk

    You can try scanning in safe mode, but you are talking only about the downloader. It downloads and installs further Bagle files. Re 6: No.
     
  16. freaked

    freaked Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    6
    Your best bet might be to back up your important data and do a format and a clean install of Windows o_O. Some might say it's overkill, but it's better to be safe than sorry (IMHO). :doubt:
     
  17. ASpace

    ASpace Guest

    "Disabled" is a very general explanation. If ekrn.exe is deleted, you can still perform scans with ecls.exe (ESET's command-line scanner).

    Do you know how to type basic commands in DOS (a.k.a. the command prompt)? Can you navigate through folders with such commands? If so, you can use the Windows CD, start the Recovery Console and run the ESET command-line scanner, which may clean the Bagle you have if it can detect it.
    How to use the Recovery Console:
    http://support.microsoft.com/kb/307654

    Run ecls.exe (which is in C:\Program files\ESET NOD32 Antivirus\) with the /auto parameter.

    If you think you cannot do things the proper way, you can post in a forum providing malware-cleaning services (such as the AumHa forums) or contact ESET Technical Support.

    Although there is no guarantee, this Bagle is less likely to damage your personal data such as documents, music, pictures, etc.
     
  18. keenedm

    keenedm Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    4
    Thanks v much guys. I haven't been able to get to it today since I've had a lot of other stuff on. HiTech_boy, you're right, the firewall & AV have simply been disabled, not deleted (per 'standard' Bagle functionality, it seems), but I guess the cmd line scanner can still be used; I'll try this as soon as I get the chance.
    I've had a look at the cmdline options of ecls.exe; however, I can't determine if there is a way to update the definitions. I require an updated definition file past 2969 for NOD32 to recognise the virus, since when I did an individual file scan with an older definition file (the one I presume is still present on my box) it failed to recognise the file as a virus.

    Thanks also Lucas... I am not aware of the different Bagle varieties, or how the virus is classified, so I don't know what the common parts are between this and other strains. Is there anywhere I can find this out? I wish to know how safe it is to turn my machine on, even for a short while.
    Also, what do you mean by "You can try scan in safe mode, but you talk only about downloader. It download and install next Bagle's files"? Do you mean in safe mode it can't do anything harmful? Also, do you mean the entire purpose of this virus is simply to download other Bagles to my machine?

    Many thanks again for all your help guys
     
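A triage check for the symptoms described in this thread (post 1: egui.exe and the ekrn service gone, the firewall down, the wintems.exe/hldrrr.exe files from the linked write-up; post 17 and 18: the AV and firewall disabled rather than deleted, with ecls.exe as the fallback), as an added example that is not part of any post here and not ESET's own tooling. It reads saved output of `tasklist /fo csv` and `sc query state= all` and reports missing protection processes, protection services that are not running, and known dropped file names that are running. The process and service names (ekrn.exe, egui.exe, the `ekrn` and `SharedAccess` services, wintems.exe, hldrrr.exe) are assumptions drawn from the thread, not a vetted indicator list, and both sample outputs are constructed.

```python
"""Triage a Windows box for Bagle-style "AV killed" symptoms.

Example code added to the thread, not from any poster or from ESET.
Feed it the text of `tasklist /fo csv` and `sc query state= all`
captured on the suspect machine.
"""
import csv
import io
import re

# Assumed names, taken from what the thread mentions; adjust for your setup.
PROTECTION_PROCESSES = {"ekrn.exe", "egui.exe"}          # ESET service + GUI
PROTECTION_SERVICES = {                                   # service name -> label
    "ekrn": "ESET service",
    "SharedAccess": "Windows Firewall/ICS",
}
SUSPECT_PROCESSES = {"wintems.exe", "hldrrr.exe"}         # from the linked write-up


def parse_tasklist_csv(text):
    """Return the set of lowercase image names from `tasklist /fo csv` output."""
    rows = list(csv.reader(io.StringIO(text)))
    return {row[0].strip().lower() for row in rows[1:] if row}  # rows[0] is the header


def parse_sc_query(text):
    """Return {service_name: STATE} from `sc query` output.

    Each service block starts with 'SERVICE_NAME: x' and has a line like
    '        STATE              : 1  STOPPED'.
    """
    states = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            states[current] = "UNKNOWN"
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            states[current] = m.group(1)
    return states


def triage(tasklist_text, sc_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    procs = parse_tasklist_csv(tasklist_text)
    svcs = parse_sc_query(sc_text)
    findings = []
    for name in sorted(SUSPECT_PROCESSES & procs):
        findings.append(f"suspect process running: {name}")
    for name in sorted(PROTECTION_PROCESSES - procs):
        findings.append(f"protection process missing: {name}")
    for svc, label in PROTECTION_SERVICES.items():
        state = svcs.get(svc, "ABSENT")   # ABSENT: service entry deleted entirely
        if state != "RUNNING":
            findings.append(f"protection service {svc} ({label}) is {state}")
    return findings


# Constructed sample output: ekrn.exe gone, egui.exe still up, both
# protection services stopped, the two dropped files running.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1234","Console","0","18,224 K"
"wintems.exe","1500","Console","0","3,112 K"
"hldrrr.exe","1516","Console","0","2,980 K"
"egui.exe","1700","Console","0","9,204 K"
'''

SAMPLE_SC = """
SERVICE_NAME: ekrn
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: Spooler
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed clean counterpart for comparison.
CLEAN_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1234","Console","0","18,224 K"
"ekrn.exe","1600","Console","0","22,000 K"
"egui.exe","1700","Console","0","9,204 K"
'''
CLEAN_SC = SAMPLE_SC.replace("1  STOPPED", "4  RUNNING")

if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKLIST, SAMPLE_SC) or ["no findings"]:
        print(finding)
```

Capture the two commands' output to text files before taking the machine offline and run the script against them; a missing ekrn.exe together with a stopped `ekrn` service is exactly the case where ASpace's ecls.exe /auto fallback applies, while a service reported ABSENT means the service entry itself is gone and a scan alone will not bring it back.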
  19. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    I meant this: TrojanDownloader means it downloads threats (e.g. in an SFX archive) from servers. After that it can unpack the files and install malware. So these extracted files may not be detected. :doubt:
     
  20. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
  21. keenedm

    keenedm Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    4
    Unfortunately it won't boot in safe mode now. I don't know if this is the virus's fault; however,
    BagleRemover does nothing when I run it. I can only presume my Bagle is blocking it in a similar way to its blocking of Windows Defender, NOD32 and Online Armor.
    Looks like a rebuild is in order next week :(
    Any other ideas welcome... specifically for this particular 'MA' variant.
     
  22. duca bianco

    duca bianco Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    77
    Location:
    Italy
    keenedm,
    you have a PM :)
     