Content
W32/Bagle.az@MM
- Type
- Virus
- SubType
- Discovery Date
- 09/28/2004
- Length
- Varies
- Minimum DAT
- 4395 (09/28/2004)
- Updated DAT
- 4900 (11/20/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 09/28/2004
- Description Modified
- 09/28/2004 3:01 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update Nov 11, 2004 --
Due to a decrease in prevalence, the risk assessment of this threat has been lowered to Low-Profiled.
--
-- Update Sep 28, 2004 --
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.
--
| If you think that you may be infected with this threat, and are unsure how to check your system, you may
download the Stinger tool
to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address. |
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The details are as follows:
From :
(address is spoofed)
Subject :
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
Body Text:
- :)
- :))
Attachment: (with an extension of .exe, .scr, .com or .cpl)
- Price
- price
- Joke
The virus copies itself into the Windows System directory as BAWINDO.EXE. For example:
- C:\WINDOWS\SYSTEM32\bawindo.exe
It also creates other files in this directory to perform its functions:
- C:\WINDOWS\SYSTEM32\bawindo.exeopen
- C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 81 (TCP) and a random UDP port on the victim machine.
Symptoms
Method of Infection
Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
The virus spoofs the sender address by using a harvested address in the From: field.
The virus avoids sending itself to addresses containing the following:
- @hotmail
- @msn
- @microsoft
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
- postmaster@
Peer To Peer Propagation
Files are created in folders that contain the phrase shar :
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
Process Killing
The virus contains code to kill processes matching the following list of file names, belonging to other worms and products which could be used to identify or interfere with its actions:
- alogserv.exe
- APVXDWIN.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- Avconsol.exe
- AVENGINE.EXE
- AVPUPD.EXE
- Avsynmgr.exe
- AVWUPD32.EXE
- AVXQUAR.EXE
- blackd.exe
- ccApp.exe
- ccEvtMgr.exe
- ccProxy.exe
- ccPxySvc.exe
- CFIAUDIT.EXE
- DefWatch.exe
- DRWEBUPW.EXE
- ESCANH95.EXE
- ESCANHNT.EXE
- FIREWALL.EXE
- FrameworkService.exe
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- LUALL.EXE
- LUCOMS~1.EXE
- mcagent.exe
- mcshield.exe
- MCUPDATE.EXE
- mcvsescn.exe
- mcvsrte.exe
- mcvsshld.exe
- navapsvc.exe
- navapw32.exe
- NISUM.EXE
- nopdb.exe
- NPROTECT.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- PavFires.exe
- pavProxy.exe
- pavsrv50.exe
- Rtvscan.exe
- RuLaunch.exe
- SAVScan.exe
- SHSTAT.EXE
- SNDSrvc.exe
- symlcsvc.exe
- UPDATE.EXE
- UpdaterUI.exe
- Vshwin32.exe
- VsStat.exe
- VsTskMgr.exe
Downloading
This threat contacts a list of websites to retrieve a file named WS.JPG. At the time of writing, this file was not available on any of the sites.
- www.24-7-transportation.com
- www.adhdtests.com
- www.aegee.org
- www.aimcenter.net
- www.alupass.lu
- www.amanit.ru
- www.andara.com
- www.angelartsanctuary.com
- www.anthonyflanagan.com
- www.approved1stmortgage.com
- www.argontech.net
- www.asianfestival.nl
- www.atlantisteste.hpg.com.br
- www.aviation-center.de
- www.bbsh.org
- www.bga-gsm.ru
- www.boneheadmusic.com
- www.bottombouncer.com
- www.bradster.com
- www.buddyboymusic.com
- www.bueroservice-it.de
- www.calderwoodinn.com
- www.capri-frames.de
- www.celula.com.mx
- www.ceskyhosting.cz
- www.chinasenfa.com
- www.cntv.info
- www.compsolutionstore.com
- www.coolfreepages.com
- www.corpsite.com
- www.couponcapital.net
- www.cpc.adv.br
- www.crystalrose.ca
- www.cscliberec.cz
- www.curtmarsh.com
- www.customloyal.com
- www.DarrkSydebaby.com
- www.deadrobot.com
- www.dontbeaweekendparent.com
- www.dragcar.com
- www.ecofotos.com.br
- www.elenalazar.com
- www.ellarouge.com.au
- www.esperanzaparalafamilia.com
- www.eurostavba.sk
- www.everett.wednet.edu
- www.fcpages.com
- www.featech.com
- www.fepese.ufsc.br
- www.firstnightoceancounty.org
- www.flashcorp.com
- www.fleigutaetscher.ch
- www.fludir.is
- www.freeservers.com
- www.FritoPie.NET
- www.gamp.pl
- www.gci-bln.de
- www.gcnet.ru
- www.generationnow.net
- www.gfn.org
- www.giantrevenue.com
- www.glass.la
- www.handsforhealth.com
- www.hartacorporation.com
- www.himpsi.org
- www.idb-group.net
- www.immonaut.sk
- www.ims-i.com
- www.innnewport.com
- www.irakli.org
- www.irinaswelt.de
- www.jansenboiler.com
- www.jasnet.pl
- www.jhaforpresident.7p.com
- www.jimvann.com
- www.jldr.ca
- www.justrepublicans.com
- www.kencorbett.com
- www.knicks.nl
- www.kps4parents.com
- www.kradtraining.de
- www.kranenberg.de
- www.lasermach.com
- www.leonhendrix.com
- www.magicbottle.com.tw
- www.mass-i.kiev.ua
- www.mepbisu.de
- www.mepmh.de
- www.metal.pl
- www.mexis.com
- www.mongolische-renner.de
- www.mtfdesign.com
- www.oboe-online.com
- www.ohiolimo.com
- www.onepositiveplace.org
- www.oohlala-kirkland.com
- www.orari.net
- www.pankration.com
- www.pe-sh.com
- www.pfadfinder-leobersdorf.com
- www.pipni.cz
- www.polizeimotorrad.de
- www.programmierung2000.de
- www.pyrlandia-boogie.pl
- www.raecoinc.com
- www.realgps.com
- www.redlightpictures.com
- www.reliance-yachts.com
- www.relocationflorida.com
- www.rentalstation.com
- www.rieraquadros.com.br
- www.scanex-medical.fi
- www.sea.bz.it
- www.selu.edu
- www.sigi.lu
- www.sljinc.com
- www.smacgreetings.com
- www.soloconsulting.com
- www.spadochron.pl
- www.srg-neuburg.de
- www.ssmifc.ca
- www.sugardas.lt
- www.sunassetholdings.com
- www.szantomierz.art.pl
- www.the-fabulous-lions.de
- www.tivogoddess.com
- www.tkd2xcell.com
- www.topko.sk
- www.transportation.gov.bh
- www.travelchronic.de
- www.traverse.com
- www.uhcc.com
- www.ulpiano.org
- www.uslungiarue.it
- www.vandermost.de
- www.vbw.info
- www.velezcourtesymanagement.com
- www.velocityprint.com
- www.vikingpc.pl
- www.vinirforge.com
- www.wecompete.com
- www.worest.com.ar
- www.woundedshepherds.com
- www.wwwebad.com
- www.wwwebmaster.com
Registry Entry Removal
In both of the following startup locations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
The following keys for other worms and security products are deleted:
- "My AV"
- "Zone Labs Client Ex"
- "9XHtProtect"
- "Antivirus"
- "Special Firewall Service"
- "service"
- "Tiny AV"
- "ICQNet"
- "HtProtect"
- "NetDy"
- "Jammer2nd"
- "FirewallSvr"
- "MsInfo"
- "SysMonXP"
- "EasyAV"
- "PandaAVEngine"
- "Norton Antivirus AV"
- "KasperskyAVEng"
- "SkynetsRevenge"
- "ICQ Net"
Remote Access Component
The virus listens on port 81 TCP and a random UDP port for remote connections.
Removal
All Users
:
Use the specified DAT files
for detection and removal.
Additional Windows ME/XP removal considerations
Stinger
Stinger
has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
bawindo.exe
bawindo.exeopen
bawindo.exeopenopen
- Edit the registry
- Delete the "bawindo.exe" value from
- HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\
- Delete the "bawindo.exe" value from
- Reboot the system into Default Mode
McAfee System Compliance Profiler
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXE for the file name
- Choose "File does not exist" in the next drop-down
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXEOPEN for the file name
- Choose "File does not exist" in the next drop-down
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXEOPENOPEN for the file name
- Choose "File does not exist" in the next drop-down
McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 81
McAfee IntruShield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
https://mysupport.nai.com/
Knowledgebase Article KB38001
Please note: The above knowledgebase article is password protected and requires you to log into Service Portal before accessing it.
Network General Sniffer
A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics
Characteristics -
-- Update Nov 11, 2004 --
Due to a decrease in prevalence, the risk assessment of this threat has been lowered to Low-Profiled.
--
-- Update Sep 28, 2004 --
Due to an increase in prevalence, the risk assessment of this threat has been raised to Medium.
--
| If you think that you may be infected with this threat, and are unsure how to check your system, you may
download the Stinger tool
to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address. |
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The details are as follows:
From :
(address is spoofed)
Subject :
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
Body Text:
- :)
- :))
Attachment: (with an extension of .exe, .scr, .com or .cpl)
- Price
- price
- Joke
The virus copies itself into the Windows System directory as BAWINDO.EXE. For example:
- C:\WINDOWS\SYSTEM32\bawindo.exe
It also creates other files in this directory to perform its functions:
- C:\WINDOWS\SYSTEM32\bawindo.exeopen
- C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 81 (TCP) and a random UDP port on the victim machine.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
The virus spoofs the sender address by using a harvested address in the From: field.
The virus avoids sending itself to addresses containing the following:
- @hotmail
- @msn
- @microsoft
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
- postmaster@
Peer To Peer Propagation
Files are created in folders that contain the phrase shar :
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
Process Killing
The virus contains code to kill processes matching the following list of file names, belonging to other worms and products which could be used to identify or interfere with its actions:
- alogserv.exe
- APVXDWIN.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- Avconsol.exe
- AVENGINE.EXE
- AVPUPD.EXE
- Avsynmgr.exe
- AVWUPD32.EXE
- AVXQUAR.EXE
- blackd.exe
- ccApp.exe
- ccEvtMgr.exe
- ccProxy.exe
- ccPxySvc.exe
- CFIAUDIT.EXE
- DefWatch.exe
- DRWEBUPW.EXE
- ESCANH95.EXE
- ESCANHNT.EXE
- FIREWALL.EXE
- FrameworkService.exe
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- LUALL.EXE
- LUCOMS~1.EXE
- mcagent.exe
- mcshield.exe
- MCUPDATE.EXE
- mcvsescn.exe
- mcvsrte.exe
- mcvsshld.exe
- navapsvc.exe
- navapw32.exe
- NISUM.EXE
- nopdb.exe
- NPROTECT.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- PavFires.exe
- pavProxy.exe
- pavsrv50.exe
- Rtvscan.exe
- RuLaunch.exe
- SAVScan.exe
- SHSTAT.EXE
- SNDSrvc.exe
- symlcsvc.exe
- UPDATE.EXE
- UpdaterUI.exe
- Vshwin32.exe
- VsStat.exe
- VsTskMgr.exe
Downloading
This threat contacts a list of websites to retrieve a file named WS.JPG. At the time of writing, this file was not available on any of the sites.
- www.24-7-transportation.com
- www.adhdtests.com
- www.aegee.org
- www.aimcenter.net
- www.alupass.lu
- www.amanit.ru
- www.andara.com
- www.angelartsanctuary.com
- www.anthonyflanagan.com
- www.approved1stmortgage.com
- www.argontech.net
- www.asianfestival.nl
- www.atlantisteste.hpg.com.br
- www.aviation-center.de
- www.bbsh.org
- www.bga-gsm.ru
- www.boneheadmusic.com
- www.bottombouncer.com
- www.bradster.com
- www.buddyboymusic.com
- www.bueroservice-it.de
- www.calderwoodinn.com
- www.capri-frames.de
- www.celula.com.mx
- www.ceskyhosting.cz
- www.chinasenfa.com
- www.cntv.info
- www.compsolutionstore.com
- www.coolfreepages.com
- www.corpsite.com
- www.couponcapital.net
- www.cpc.adv.br
- www.crystalrose.ca
- www.cscliberec.cz
- www.curtmarsh.com
- www.customloyal.com
- www.DarrkSydebaby.com
- www.deadrobot.com
- www.dontbeaweekendparent.com
- www.dragcar.com
- www.ecofotos.com.br
- www.elenalazar.com
- www.ellarouge.com.au
- www.esperanzaparalafamilia.com
- www.eurostavba.sk
- www.everett.wednet.edu
- www.fcpages.com
- www.featech.com
- www.fepese.ufsc.br
- www.firstnightoceancounty.org
- www.flashcorp.com
- www.fleigutaetscher.ch
- www.fludir.is
- www.freeservers.com
- www.FritoPie.NET
- www.gamp.pl
- www.gci-bln.de
- www.gcnet.ru
- www.generationnow.net
- www.gfn.org
- www.giantrevenue.com
- www.glass.la
- www.handsforhealth.com
- www.hartacorporation.com
- www.himpsi.org
- www.idb-group.net
- www.immonaut.sk
- www.ims-i.com
- www.innnewport.com
- www.irakli.org
- www.irinaswelt.de
- www.jansenboiler.com
- www.jasnet.pl
- www.jhaforpresident.7p.com
- www.jimvann.com
- www.jldr.ca
- www.justrepublicans.com
- www.kencorbett.com
- www.knicks.nl
- www.kps4parents.com
- www.kradtraining.de
- www.kranenberg.de
- www.lasermach.com
- www.leonhendrix.com
- www.magicbottle.com.tw
- www.mass-i.kiev.ua
- www.mepbisu.de
- www.mepmh.de
- www.metal.pl
- www.mexis.com
- www.mongolische-renner.de
- www.mtfdesign.com
- www.oboe-online.com
- www.ohiolimo.com
- www.onepositiveplace.org
- www.oohlala-kirkland.com
- www.orari.net
- www.pankration.com
- www.pe-sh.com
- www.pfadfinder-leobersdorf.com
- www.pipni.cz
- www.polizeimotorrad.de
- www.programmierung2000.de
- www.pyrlandia-boogie.pl
- www.raecoinc.com
- www.realgps.com
- www.redlightpictures.com
- www.reliance-yachts.com
- www.relocationflorida.com
- www.rentalstation.com
- www.rieraquadros.com.br
- www.scanex-medical.fi
- www.sea.bz.it
- www.selu.edu
- www.sigi.lu
- www.sljinc.com
- www.smacgreetings.com
- www.soloconsulting.com
- www.spadochron.pl
- www.srg-neuburg.de
- www.ssmifc.ca
- www.sugardas.lt
- www.sunassetholdings.com
- www.szantomierz.art.pl
- www.the-fabulous-lions.de
- www.tivogoddess.com
- www.tkd2xcell.com
- www.topko.sk
- www.transportation.gov.bh
- www.travelchronic.de
- www.traverse.com
- www.uhcc.com
- www.ulpiano.org
- www.uslungiarue.it
- www.vandermost.de
- www.vbw.info
- www.velezcourtesymanagement.com
- www.velocityprint.com
- www.vikingpc.pl
- www.vinirforge.com
- www.wecompete.com
- www.worest.com.ar
- www.woundedshepherds.com
- www.wwwebad.com
- www.wwwebmaster.com
Registry Entry Removal
In both of the following startup locations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
The following keys for other worms and security products are deleted:
- "My AV"
- "Zone Labs Client Ex"
- "9XHtProtect"
- "Antivirus"
- "Special Firewall Service"
- "service"
- "Tiny AV"
- "ICQNet"
- "HtProtect"
- "NetDy"
- "Jammer2nd"
- "FirewallSvr"
- "MsInfo"
- "SysMonXP"
- "EasyAV"
- "PandaAVEngine"
- "Norton Antivirus AV"
- "KasperskyAVEng"
- "SkynetsRevenge"
- "ICQ Net"
Remote Access Component
The virus listens on port 81 TCP and a random UDP port for remote connections.
Removal -
Removal -
All Users
:
Use the specified DAT files
for detection and removal.
Additional Windows ME/XP removal considerations
Stinger
Stinger
has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
bawindo.exe
bawindo.exeopen
bawindo.exeopenopen
- Edit the registry
- Delete the "bawindo.exe" value from
- HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\
- Delete the "bawindo.exe" value from
- Reboot the system into Default Mode
McAfee System Compliance Profiler
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXE for the file name
- Choose "File does not exist" in the next drop-down
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXEOPEN for the file name
- Choose "File does not exist" in the next drop-down
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in BAWINDO.EXEOPENOPEN for the file name
- Choose "File does not exist" in the next drop-down
McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 81
McAfee IntruShield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
https://mysupport.nai.com/
Knowledgebase Article KB38001
Please note: The above knowledgebase article is password protected and requires you to log into Service Portal before accessing it.
Network General Sniffer
A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1
Variants
Variants -
N/A
