Smart Computing

How To Get Rid Of…
Article Last Reviewed February 2005


How To Get Rid Of Bagle.F

Description

Bagle.F (also commonly known as Beagle.F; worm-writers are not known for consistent spelling) is an email worm: It can arrive in your Inbox with one of about 40 possible subject lines, such as "My photos" or "Bad girl," and a variety of enticing message bodies. The attached file is a password-protected ZIP file, with the password included in the message body. Once you unzip the file, the file's icon appears to be a folder so that you will be fooled into opening it. But once you open it, Bagle.F can install itself. In addition to disseminating itself in the form of email attachments, the worm also spreads through file-sharing networks by inserting itself into directories that contain "shar" in their names.

How To Tell If Bagle.F Is On Your PC

Bagle.F is quiet; it can infect a PC for months without the user's knowledge. The most prominent symptom is that the program emails copies of itself to email addresses that it finds in files on your PC, but those messages will have spoofed From lines, so it's hard for the recipient to tell where the worm is really coming from. Bagle.F also allows its author to connect to and take control of your PC. If the system date is set to March 25, 2005, or later, Bagle will not spread itself further.

If infected, a PC will have files named i1ru54n4.exe, go54o.exe, ii5nj4.exe, and i1ru54n4.exeopen in the Windows system directory (C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32). In addition, the Windows Registry will have a value named Rate.exe under the key HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, with the data C:\WINNT\SYSTEM32\I1ru74n4.exe, as well as an "frun" entry under HKEY_CURRENT_USER\SOFTWARE\Winword.

WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin (Registry errors can render your computer inoperable if you don't have a backup). This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."



How To Get Rid Of Bagle.F

Symantec offers a free utility for removing the Bagle worm. Point your Web browser to securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html, scroll down to the Obtaining And Running The Tool section, and download the file, saving it to your Desktop. After it has downloaded, close all programs, including your Web browser, and disconnect the computer from the Internet. If you are running Windows Me/XP, disable the System Restore function (more information about System Restore below). On your Desktop, double-click the FxBeagle file, then click Start. The program will disinfect the PC. When it is done, reboot, and then re-enable System Restore.

If you prefer to remove the worm manually, start Windows in Safe Mode by pressing the F8 key as Windows begins to boot. Open Windows Explorer, navigate to the Windows system directory (C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32, depending on the operating system), and delete the files Go54o.exe, I1ru54n4.exe, Ii5nj4.exe, and I1ru54n4.exeopen.

Next, you need to remove Bagle's trail of crumbs from the Windows Registry. From the Start menu, select Run. Type regedit and click OK to start the Registry Editor. Navigate to HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and, in the right pane, look for an item called Rate.exe. Right-click it and select Delete. Navigate back to HKEY_CURRENT_USER\SOFTWARE and select it. In the right pane, look for an item called Winword. Right-click it and select Delete. Close the Registry Editor to save your changes and restart your computer.
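The indicators listed under "How To Tell If Bagle.F Is On Your PC" and the manual file and Registry deletions above can be checked before anything is touched. The following Python script is an added example, not code from the Smart Computing article or from Symantec's tool: it parses a Registry export (the text regedit's File > Export produces) and a listing of the Windows system directory, reports which of the article's indicators are present, and turns the findings into the manual steps that apply. It runs offline on constructed sample input; it assumes "frun" is a value under the HKEY_CURRENT_USER\SOFTWARE\Winword key (the article is not explicit), and the data stored in that value ("1") is invented for the demonstration.

```python
"""Offline triage for the Bagle.F indicators described in the article.

Added example. Nothing here modifies a live system: the input is a .reg
export and a directory listing, the output is a findings report and the
manual-removal steps that correspond to what was found.
"""
import re
from typing import Dict, List, Tuple

# File names the article lists for the Windows system directory
# (compared case-insensitively, as Windows file names are).
BAGLE_F_FILES = {"go54o.exe", "i1ru54n4.exe", "ii5nj4.exe", "i1ru54n4.exeopen"}

# Registry values the article lists, as (key path, value name).
# Assumption: "frun" is a value under the Winword key.
BAGLE_F_REG_VALUES = {
    (r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "Rate.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Winword", "frun"),
}

# Constructed sample .reg export: one benign Run entry plus the two indicators.
# The "frun" data ("1") is invented; the article does not give it.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Rate.exe"="C:\\WINNT\\SYSTEM32\\I1ru74n4.exe"

[HKEY_CURRENT_USER\SOFTWARE\Winword]
"frun"="1"
"""

# Constructed sample listing of C:\WINNT\SYSTEM32 (three of the four dropped files).
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "Go54o.exe", "notepad.exe",
                     "I1ru54n4.exeopen", "Ii5nj4.exe"]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=data lines.

    Keys are stored upper-cased and value names lower-cased, since the Registry
    is case-insensitive. Doubled backslashes in string data are unescaped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).upper()
            keys.setdefault(current, {})
            continue
        entry = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if entry and current is not None:
            name, data = entry.group(1), entry.group(2).strip('"')
            keys[current][name.lower()] = data.replace("\\\\", "\\")
    return keys


def find_indicators(reg: Dict[str, Dict[str, str]],
                    system_dir_listing: List[str]) -> Dict[str, list]:
    """Return the article's file and Registry indicators that are present."""
    found_files = sorted(f for f in system_dir_listing if f.lower() in BAGLE_F_FILES)
    found_values: List[Tuple[str, str, str]] = []
    for key, value in BAGLE_F_REG_VALUES:
        data = reg.get(key.upper(), {}).get(value.lower())
        if data is not None:
            found_values.append((key, value, data))
    return {"files": found_files, "registry": sorted(found_values)}


def removal_plan(indicators: Dict[str, list]) -> List[str]:
    """Translate findings into the article's manual steps, Safe Mode first."""
    steps: List[str] = []
    if not (indicators["files"] or indicators["registry"]):
        return steps
    steps.append("Boot into Safe Mode (press F8 as Windows starts) before making changes.")
    for name in indicators["files"]:
        steps.append(f"Delete {name} from the Windows system directory.")
    for key, value, data in indicators["registry"]:
        steps.append(f"In regedit, delete the value '{value}' (data: {data}) under {key}.")
    steps.append("Disable System Restore so infected restore points are purged, "
                 "reboot, then re-enable it.")
    return steps


if __name__ == "__main__":
    findings = find_indicators(parse_reg_export(SAMPLE_REG_EXPORT), SAMPLE_SYSTEM_DIR)
    print("Files found:   ", findings["files"])
    print("Registry found:", findings["registry"])
    for step in removal_plan(findings):
        print(" -", step)
```

On a real machine the listing would come from os.listdir on the system directory and the export from regedit; the script deliberately reports rather than deletes, so the Registry backup the warning above calls for can be taken before any change is made.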

If you use the System Restore feature in WinMe/XP, a copy of Bagle could remain in the System Restore backup folder. To remove it, disable System Restore. To do this in WinXP, click Start and Control Panel, double-click the System icon, select the System Restore tab, check the Turn Off System Restore checkbox, and click Apply. Confirm that you want to disable System Restore, and the infected backups will be deleted. To re-enable System Restore, uncheck the Turn Off System Restore checkbox and click OK.

To remove the System Restore feature's backup files in WinMe, right-click the My Computer icon on the Desktop, select Properties, and select the Performance tab. Click File System and Troubleshooting. Select Disable System Restore and click OK. The infected backups will be deleted. After restarting your computer, you can return to that menu to re-enable System Restore.

by Kevin Savetz

Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.