Filed Under:
HOW TO....

Removal Win32.Worm.Bagle

17 July 2008
The Bagle worm is a piece of malware that spreads by itself over email, disk drives and network shares. It has rootkit capabilities that enable it to hide from the user. It disables the Windows Firewall and several antivirus products. It also drops a hosts file that blocks access to certain antivirus websites, so antivirus software may be unable to download definition updates.

In order to remove Win32.Worm.Bagle we first have to know that we are infected with it.

  1. Go to Start->Run and type cmd.exe
  2. Browse to %windir%\system32\drivers by typing "cd %windir%\system32\drivers"
  3. Type "dir srosa*" and "dir *.exe". If any of the following files are displayed, you have a Bagle infection:

srosa.sys (Bagle rootkit, present in almost all versions)

pci32.sys (old versions)

hldrrr.exe or hidr.exe

mdelk.exe

  4. You may also check "sc query srosa" and "sc query pci32", but this may or may not return results, so a missing service does not prove the system is clean.

Now, if you have successfully identified a Win32.Worm.Bagle infection, it's time for neutralization and removal. Please follow these steps:

  1. Type "copy null.sys srosa.sys" (replace srosa.sys with pci32.sys if you have the older version) in your command prompt. Answer Y if asked whether to overwrite the file.

Note: this assumes you are still in %windir%\system32\drivers.

Explanation: we are replacing srosa.sys with the dummy null driver, which does nothing, so that is what will be loaded at system startup upon reboot.

  2. Type "attrib +r +h srosa.sys" in your command prompt.

Explanation: the Trojan component of Bagle will try to rewrite srosa.sys on every system boot. If the file is hidden and read-only it will not be able to do so (in the versions seen so far).

  3. Reboot.
  4. Open a command shell again (see step 1 of the detection process).
  5. Go to %windir%\system32\drivers (see step 2 of the detection process).
  6. Unhide the hidden srosa file: "attrib -h srosa.sys"
  7. Delete the files you detected earlier by typing "del /f filename". For example: "del /f srosa.sys", "del /f hldrrr.exe", "del /f mdelk.exe", etc. (/f is needed because the file was made read-only in step 2.)
  8. Delete the registry keys it created by typing:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "drvsyskit" /F

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\srosa" /F

  9. Start regedit (Start -> Run, then type regedit.exe).
Browse to the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA and right-click it.
Select Permissions, select Everyone, then check Allow "Full Control".
After this, delete the key.

 
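The detection and removal steps above, collected into one batch file so they can be repeated on several machines without retyping. This is an added example, not a script from the original post or from BitDefender. It uses only the file names, service names and registry values listed above; the deletion of a pci32 service key (mirroring the "sc query pci32" check) and the hosts-file listing are assumptions added here, and it must be run from an Administrator command prompt.

```batch
@echo off
rem bagle_check.bat -- added example, not from the original MalwareCity post.
rem Usage, from an Administrator command prompt:
rem   bagle_check             detection only (detection steps 1-4 above)
rem   bagle_check neutralize  removal steps 1-2: swap the driver for null.sys, then reboot
rem   bagle_check clean       removal steps 4-8, to be run after that reboot
rem File, service and registry names are the ones the post lists. The pci32
rem service key and the hosts-file listing are assumptions added in this example.
setlocal enableextensions
set "DRV=%windir%\system32\drivers"
set "FOUND=0"

echo == Bagle indicators ==
for %%F in (srosa.sys pci32.sys hldrrr.exe hidr.exe mdelk.exe) do (
    if exist "%DRV%\%%F" (
        echo   [!] file present: %DRV%\%%F
        set "FOUND=1"
    )
)
rem The driver service may or may not be registered, as the post notes,
rem so a missing service is not proof of a clean system.
for %%S in (srosa pci32) do (
    sc query %%S >nul 2>&1 && (
        echo   [!] service registered: %%S
        set "FOUND=1"
    )
)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v drvsyskit >nul 2>&1 && (
    echo   [!] autorun value present: HKCU\...\Run\drvsyskit
    set "FOUND=1"
)
rem The dropped hosts file redirects AV update sites. List every line that is
rem not blank, not a comment and not the standard localhost entry; entries shown
rem here need a manual look, since some may be legitimate.
echo == Non-default hosts entries (review manually) ==
findstr /v /r /c:"^[ ]*#" /c:"^[ ]*$" /c:"127\.0\.0\.1.*localhost" "%DRV%\etc\hosts"

if "%~1"=="" (
    if "%FOUND%"=="1" (echo Result: Bagle indicators found. Run "%~n0 neutralize" next.) else (echo Result: no Bagle indicators found.)
    goto :eof
)

if /i "%~1"=="neutralize" (
    pushd "%DRV%"
    for %%F in (srosa.sys pci32.sys) do if exist "%%F" (
        copy /y null.sys "%%F" >nul
        attrib +r +h "%%F"
        echo   replaced %%F with null.sys and marked it read-only and hidden
    )
    popd
    echo Reboot now, then run "%~n0 clean".
    goto :eof
)

if /i "%~1"=="clean" (
    pushd "%DRV%"
    for %%F in (srosa.sys pci32.sys hldrrr.exe hidr.exe mdelk.exe) do if exist "%%F" (
        attrib -r -h "%%F"
        del /f /q "%%F"
        echo   deleted %%F
    )
    popd
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v drvsyskit /f >nul 2>&1
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\srosa" /f >nul 2>&1
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\pci32" /f >nul 2>&1
    echo Remaining: delete HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA in regedit, step 9 above.
    goto :eof
)
echo Unknown option "%~1". Use no argument, "neutralize" or "clean".
```

The script refuses to change anything unless given an explicit argument, so a plain run is safe to use as a quick triage check. The LEGACY_SROSA key is deliberately left to regedit: removing it needs the permission change described in step 9, which is easier to do by hand than to script correctly.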

At this point your system should be clean of the Bagle infection. If any of the steps above fails, please send us a copy of the file at virus-submission@bitdefender.com in order to assist you with a specific removal guide.

Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any threat version described above.




Comments:

Fadi Almoussa said on Aug-9-2008 11:20

Thanks a lot, this helped me so much.
but I found another key in the REG called LEGACY_SROSA.... Should I delete this one too?
thanks a lot

Marius TIVADAR said on Aug-11-2008 10:22

Yes, it is safe to remove that entry. Go to that key, right-click on it, select Permissions, select Everyone, then check Allow "Full Control". Now you can delete the key.

Carlo said on Aug-24-2008 12:07

Hi, I followed the steps above but did not find the registry keys in step 8. I did a search of "srosa" in the registry and found it: "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedbyRegRun2 AntiRepl 0 1 2 3 4 5 5 6" under name Target and dir C:\Windows\System32\Drivers\SROSA.SYS. Is it safe to delete this entry?

Marius TIVADAR said on Aug-25-2008 13:14

Well, just make sure that you are not infected (repeat steps 1-4). It is better not to delete those entries (they don't belong to this malware).

Thomas said on Oct-24-2008 02:09

Hi, thanks a lot for this information. I searched a long time on the net to find a solution for this and your information brought the solution.

Any idea how to fix the effects this worm caused? E.g. I am still not able to start the HijackThis program and can't boot into safe mode.

Marius TIVADAR said on Nov-4-2008 06:31

Welcome, Thomas.
You can play with your system configuration by running gpedit.msc (Start->Run, type gpedit.msc). There could be many reasons why HijackThis or any other program won't start. Maybe your system is still infected with another kind of malware.
Regarding the safe mode problem, you could try using System Restore; here is a tutorial for this: http://blog.didierstevens.com/2006/06/22/save-safeboot/

If you have clues that your computer is infected with anything else, and your AV does not detect it, you should contact the support team.

Jimmy Patel said on Jan-26-2009 17:56

Hi
My PC got infected by a trojan. I guess it's the Bagle worm because it disabled my antivirus too and I am not able to install any other antivirus. Please help. I have the list below from Malwarebytes' Anti-Malware 1.33. When I tried to look at this particular location I don't find any exe files. I tried your suggested method but at the beginning only I don't find srosa.sys and mdelk.exe in system32/drivers. But I know these files are on my PC because I can see their registry entries in the registry editor.
Can you please help me.


Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Owner\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.

Andrei Bereczki said on Jan-30-2009 08:22

Hello Jimmy,

if you found the registry entries for Win32.Worm.Bagle but not the files we mentioned, it's probably because you got your system cleaned by some application which didn't know (or care) about your registry.

Also, since you're using Malwarebytes' Anti-Malware you could try their support forum. We are not an official Malwarebytes support team.

samsardea said on Jul-3-2009 01:02

Has this virus existed for a long time? On what date did it start to spread?

jr garcia said on Jul-8-2009 04:08

I followed the instructions but it displayed nothing. The problems with my computer are worse than the problems caused by Bagle. But I can't identify it. It disables the following:

*anti-virus
*safe mode
*system restore
*task manager
*regedit
*firewall
*installing of anti-virus
*removing of the installed anti-virus
*some registry cleaner

I'm sure that it's hiding in the backup drive because when I reformat my PC, it comes again. I have no choice but to reformat my backup drive too. I copied the important files from the backup drive onto my flash drive but, just like what I'm expecting, the unknown worm/virus/malware/trojan comes again. I can't just delete my backup files because they're so important. What should I do about that? I don't have an internet connection at my home. Please help me.

Marius TIVADAR said on Aug-24-2009 15:53

@samsardea This worm was discovered a long time ago (years ago). Today the Bagle worm exists in many variants. These instructions may not help you with the latest version of Bagle. If you suspect that you are infected with Bagle and these instructions don't work for you, you should contact the support team.

@jr garcia Maybe it's not a Bagle infection. You should contact the support team for more investigation.
