
Frightening Bagle.M Experience

Status
Not open for further replies.

MasterRacker

New member
Oct 13, 1999
3,343
US
I just recently cleaned up a machine with a really bad case of Bagle. What really made this one difficult and scary is that one of the infected files turned out to be the shell itself: C:\Windows\Explorer.exe! This meant the virus was even active in Safe Mode! The file was in use of course and couldn't be cleaned or deleted.

The only thing that saved us was that the original explorer.exe was still there, renamed to explorer(2).exe. Being an XP Home machine, I was able to boot into Safe Mode with Command Prompt. There's still a graphical shell behind that but I was able to delete explorer.exe and rename the other file.

Being a large disk, I don't think a boot floppy with NTFSDOS could have mounted it, so I'm not sure we could have cleaned it if that hadn't worked.



Jeff
The future is already here - it's just not widely distributed yet...
 
In cases like this and is a method I use a lot is to put the drive in another machine, on the IDE secondary channel or as a slave and then scan it.
The virus/worm code can't start and you can delete or replace affected system or locked files.



Chris.

Indifference will be the downfall of mankind, but who cares?
 
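As an added example (not code from either poster), a small Python triage helper for the offline-scan approach Chris describes and the replaced-shell situation Jeff ran into: it walks the Windows directory of a volume mounted read-only from another machine, hashes every explorer*.exe copy it finds, and flags the volume when several copies exist with differing contents. The mount path, the `make_sample_volume` fixture and the file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_shell_variants(volume_root) -> dict:
    """Inspect <volume_root>/Windows on an offline-mounted volume for explorer*.exe copies.

    Flags the volume as suspicious when more than one explorer variant exists and
    their hashes differ (the thread's case: explorer.exe replaced, original left
    behind as explorer(2).exe). Sizes and hashes are returned so they can be
    compared against a known-good copy taken from a clean machine.
    """
    windows_dir = Path(volume_root) / "Windows"
    variants = {}
    for p in windows_dir.iterdir():
        name = p.name.lower()  # NTFS names are case-insensitive; normalise for matching
        if p.is_file() and name.startswith("explorer") and name.endswith(".exe"):
            variants[p.name] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    distinct_hashes = {v["sha256"] for v in variants.values()}
    return {
        "variants": variants,
        "suspicious": len(variants) > 1 and len(distinct_hashes) > 1,
    }

def make_sample_volume() -> Path:
    """Constructed sample: a fake offline volume with a replaced shell and the renamed original."""
    root = Path(tempfile.mkdtemp())
    win = root / "Windows"
    win.mkdir()
    (win / "explorer.exe").write_bytes(b"CONSTRUCTED: stand-in for the replaced shell")
    (win / "explorer(2).exe").write_bytes(b"CONSTRUCTED: stand-in for the original shell")
    return root

if __name__ == "__main__":
    report = triage_shell_variants(make_sample_volume())
    for name, info in report["variants"].items():
        print(f"{name}: {info['size']} bytes sha256={info['sha256']}")
    print("suspicious:", report["suspicious"])
```

On a real case, point `triage_shell_variants` at the mount point of the slaved drive and compare the reported hashes with explorer.exe from a known-clean install of the same Windows version before deciding which copy to keep.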