WinBagleALmm free removal tool description
Free removal tool for Win32.Bagle.AL@mm
Symptoms:
- Presence of file %SYSTEM%WINdirect.exe.
- Presence of file %SYS@mm
Symptoms:
- Presence of file %SYSTEM%WINdirect.exe.
- Presence of file %SYSTEM%windll.exe.
- Presence of registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunwin_upd.exe = %SYSTEM%WINdirect.exe or
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunwin_upd.exe = %SYSTEM%WINdirect.exe.
- Presence of registry key HKCUSOFTWAREMicrosoftWindowsCurrentVersionRu1n.
Technical description:
The worm comes in the form of a small file, that drops another file ( namely WINDirect.exe) in the %SYSTEM% directory.
This file then tries to raise it’s privilege level and then starts a thread in which it keeps looking at all the processes and when it finds one within a list ( in order to prevent updating an AV product or the use of a firewall ) it tries to terminate it. Then it starts another thread that tries to download the main part of the massmailer from a list of addresses, each 10 hours.