New "real Bad" Virus


francois


hi,

a new nasty virus appeared recently; updating any antivirus looks like an emergency!

for Norton users, I would recommend downloading the latest update from the Symantec site, as the "live-update" is sometimes a bit late ...

here is the alert:

Bagle.Q is a virus which propagates by email and via shared files. It appears in the form of a message in HTML format whose title is random, without an attached file. If the computer is not up to date with its security patches, simply opening or previewing the message triggers the execution of a script which downloads and runs the virus from a remote server without the user's knowledge. Bagle.Q then installs a web server on the infected computer, sends a trapped message to the addresses present in the Windows address book and in various other files, attempts to deactivate a large number of security programs, installs a backdoor, infects .EXE files on the hard disk and then copies itself into shared folders.

be cautious :D ... notice that there is no attached file!

the best seems to be to de-activate the auto-preview of the last message received .. if you have the option in your mail program :o

or use a small program to download the headers first, to see what's there, and download the mail or delete it before it can reach your hdd.

you may find one called Magic Mail Monitor (free) at:

Magic Mail Monitor, easy to use and will prevent some mistakes ... :D

francois


Guest IT Manager

What Francois meant to say, was use a good antivirus program, update it DAILY, run it weekly at least.

Bagle has been dealt with by the new Vet version 6.1 and it has been around for what appears to be 3 weeks.

It is a real hanger-on, and it can go into a mail server and get all the names from the server if the server is not firewalled and protected, which means you get emails from yourself and others in your domain, as "[email protected]", "[email protected]" and others.

It is extraordinarily clever. Francois is correct to bring it to members' attention, and thanks for doing so.


Some good news:

1) if the virus was detected on the 18th of March, this time M$ was in time: the patch to protect you against the infection has existed since the second of February (????). You can find the German one at this page (sorry, today I am anglophobic):

http://www.microsoft.com/germany/ms/techne...tinMS04-004.htm

Whatever, I am sure you can find a translation on the Micro$oft US/Aussie/UK website

http://www.microsoft.com/technet/security/...n/MS03-040.mspx

2) the description of the virus can be viewed here (in fact, dear all, it's not only one but 3 viri [virus is a Latin name, the plural form is VIRI] for the same price) .. you will quickly understand the programmer is just another sucker, the coding is not working properly:

http://www.viruslist.com/eng/alert.html?id=1173877

3) Well, I hear you, who are asking: Doctor, I am infected, what can I do? Maybe try some paracetamol (update your antivirus as soon as possible), one Valium (the evaluated risk is only moderate because of the coding mistakes), try 2 penicillin shots

After having played around (f**** around) with this malware, I am very GLAD to offer you a hand-made solution. Why always scare good people and let them think we live in a horrible world???????????? There are no problems, only solutions exist .. then here we go:

Solution:

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_BAGLE.Q. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.

On Windows 95/98/ME systems, press CTRL+ALT+DELETE.

On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs*, locate the malware file or files detected earlier.

Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

Do the same for all detected malware files in the list of running processes.

To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries:

directs.exe = "%System%\directs.exe"

Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.

Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
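An added example, not from the original post and not Trend Micro's own tooling: a PowerShell script that performs the same two checks as the manual procedure above (the running process and the HKCU Run value named directs.exe) and only acts on them when -Remove is passed. It assumes %System% means the System32 folder and that the process name matches the file name.

```powershell
# Added example (not from the original post): check for the Bagle.Q
# autostart entry and process described in the removal instructions.
# Run as the affected user; pass -Remove to actually clean up.
param([switch]$Remove)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'directs.exe'   # value name quoted in the instructions
# Assumption: %System% is the System32 folder of the running Windows.
$expected  = Join-Path $env:SystemRoot 'System32\directs.exe'

# 1. Is the malware process running?  (assumes process name = file name)
$proc = Get-Process -Name 'directs' -ErrorAction SilentlyContinue
if ($proc) {
    Write-Host "directs.exe is running (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
} else {
    Write-Host "No running process named directs"
}

# 2. Is the autostart value present under the Run key?
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
    Write-Host "Autostart entry found: $valueName = $($props.$valueName)"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Host "Removed $valueName from $runKey"
    }
} else {
    Write-Host "No $valueName value under $runKey"
}

# 3. Report (but do not delete) the file so the antivirus scan can handle it.
if (Test-Path $expected) {
    Write-Host "File present on disk: $expected"
}
```

Without -Remove the script only reports, which is the state you want to record before terminating anything.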

Applying Patches

I advise all affected users to download and install the critical patch from the following link:

http://www.microsoft.com/technet/security/...n/MS03-040.mspx

Additional Windows ME/XP Cleaning Instructions

No thanks needed

Regards


hi,

some news about bagle virus ...

Bagle, which had been qualified in February by specialists as the third most dangerous virus in history, is a worm-type virus which spreads through e-mails. Once installed, it deactivates security software and propagates from the workstation to the stored e-mail addresses or through file-sharing networks, causing strong network slowdowns.

The Bagle versions Bagle R, Bagle S and Bagle T, although they use different methods to try to bypass the antiviral protections set up at the e-mail gateway level, do not contain an attached document, contrary to the first versions of Bagle, which makes them more difficult to identify. If the user opens the message, the rogue code is automatically downloaded from the computer that sent the "carrier" e-mail.

"Users have to be extremely careful with this worm, which has already been reported to us in several regions of the globe, in particular in Korea", underlined Annie Gay, General Manager of Sophos France. "Because of their capacity to exploit a security flaw in e-mail software as widespread as Microsoft Outlook, these worms are potentially very harmful", indicated Sophos.

For its part, the computer security specialist Arkoon considered that "faced with the ingenuity of the new variants of the Bagle worm, the update of antiviruses has to go along with an adequate configuration of firewalls". "The adequate configuration of the computer's inbound and outbound ports towards the outside is a major element of an effective defence".

just a few more words about it ...

may I say? don't need to look many places for it ...

just go to the symantec site and download the beagle-remover and run it.

for XP users, de-activate the restore points, and once restarted put them back (if you use this option).

the removal tools from Symantec are fast and reliable, this means "can be trusted" :o

here is the address:

beagle removal tools

the list presented is valid up to version O ... soon an update :D

francois
