
Posted

Two days ago I had to reboot one of my machines here and upon launching the shell I noticed something strange. "C:\Documents" was open in Windows Explorer. First of all, it's odd to have Windows Explorer pop up for no good reason at bootup, and secondly I never created a directory called "C:\Documents". Something was up.

The first thing I do (as always when something suspicious happens) is to check the process list in Process Explorer. I find a process I don't recognise called "wintems.exe" and quickly end the process. A quick look on Google and I find that indeed it was a virus called Bagle/Glieder.

I wasn't sure what variant this was, so I began poking around in the registry checking the usual areas, "Run" etc. I also do a search for this "wintems.exe" but come up with nothing. So how the hell did this program start? The mystery continues; I do some more searching on the Net and notice that there were indeed the typical trademarks of Bagle, a "DateTime4" registry entry with a unique id and port number for my machine.

I do a search on my HDD for wintems.exe and I find it in the expected place "%SYSTEM%\Windows\wintems.exe". So I take out the file and have a little look in a hex editor. Check out the date (which was two days ago at approx. 12 am). I do a scan of the file and notice my antivirus doesn't recognise the file as being a virus. Hmmm, strange. I notice it's a packed PE so I try to identify the packer. Nope. Have I found a new variant that's been packed so that it can't be identified with a signature?

I decide to try out Spybot to see what it comes up with. Hmmm, the executable is missing and the icon has changed to the icon of no file. Very strange, okay I'll re-install Spybot... again, no exe. Ok, this time I'll watch the directory while I install... there is the SpybotSD.exe ... bang.. it disappears! Wow, there must be some sort of service running that's deleting it!

Now I decided to reboot into Safe Mode and do a full scan of my machine. Strange things.. it finds a "Bagle like" infection in "%Documents & Settings%\Application Data\hidires". I take a look at the files in a hex editor.. pretty obvious it's a virus, it has about 30 anti-virus products, firewalls and utilities named within it. Obviously to delete them from disk or memory. But now things are even more interesting, there was now an entry in the usual "Run" key to hidr.exe (drvsyskit) and wintems.exe (german.exe). So either the virus has placed this into the registry just before the last re-boot or there is some sort of cloaking program. "hidr.exe" looks like it could be the culprit and a search on Google brings up nothing. Have I indeed found a new variant of Bagle?

I take a look at Symantec's site and check out the latest threats. There is my virus.. W32.Beagle.DZ. Discovered March 23, 2006 - the day of my infection!

So beware people, this new virus can hide registry keys and files from your computer! Download the latest virus signatures and reboot into Safe Mode and do a full scan. If you don't reboot into Safe Mode the cloaking driver will hide the files on the hard drive and the registry! It's really a tricky piece of work.
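The post's core observation is that the cloaking driver filters what the registry API returns in a normal boot but is not loaded in Safe Mode, so the two views of the Run key disagree. The following is an added example (not code from the original post): it diffs two constructed `reg export` style dumps of the Run key, one per boot mode, and flags entries that exist only in the Safe Mode view. The value names come from the post; the user name and full paths in the sample are constructed placeholders.

```python
"""Cross-view check for cloaked autorun entries (added example, not from the post)."""
import re

# Constructed sample: `reg export` of the Run key taken in a normal boot, where a
# cloaking driver is hiding two values from the registry API.
NORMAL_VIEW = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Antivirus"="C:\\Program Files\\AV\\av.exe /startup"
"""

# Constructed sample: the same key exported from Safe Mode, where the driver is
# not loaded and the two entries named in the post become visible. Paths are
# placeholders, not values taken from a real infection.
SAFEMODE_VIEW = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Antivirus"="C:\\Program Files\\AV\\av.exe /startup"
"drvsyskit"="C:\\Documents and Settings\\user\\Application Data\\hidires\\hidr.exe"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
"""

# A REG_SZ line in a .reg export: "name"="data" (backslashes doubled in data).
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_values(reg_text, key_suffix="\\CurrentVersion\\Run"):
    """Return {value_name: data} for string values under the key ending in key_suffix."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].endswith(key_suffix)  # only collect the Run key
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return values


def hidden_autoruns(normal_view, safemode_view):
    """Entries visible in the Safe Mode export but missing or altered in the normal one."""
    normal = parse_reg_values(normal_view)
    safe = parse_reg_values(safemode_view)
    return sorted((name, data) for name, data in safe.items() if normal.get(name) != data)


if __name__ == "__main__":
    for name, data in hidden_autoruns(NORMAL_VIEW, SAFEMODE_VIEW):
        print(f"hidden in normal boot: {name} -> {data}")
```

The same comparison works against an offline export of the hive taken from a rescue boot, which is the more reliable "clean" view when Safe Mode itself cannot be trusted.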

Posted

I hate viruses and I never understood the benefit of one guy sitting making a virus that only has one task, ruining it for other users :(

Posted

Norton is crap, it takes 80% of your pc resources and doesn't detect everything!! Avast is the best for antivirus and Outpost pro for a decent firewall not draining your resources. I removed my Norton and installed the two above apps and my pc speed and performance improved 110%.

Posted

I use Outpost as a firewall - frickin awesome program.

Kaspersky as an antivirus, really good, even scans for infections in the background without you even noticing.

I can also recommend Spyware Dr, does all normal stuff but also, has a 'process guard' which stops malicious and hidden programs from running. Even has a keylogger guard which stops hackers recording which keys you press for banking, ebay etc.

Posted
Norton is crap, it takes 80% of your pc resources and doesn't detect everything!! Avast is the best for antivirus and Outpost pro for a decent firewall not draining your resources. I removed my Norton and installed the two above apps and my pc speed and performance improved 110%.

I agree about Norton, renowned resource hog. I use eTrust Antivirus by Computer Associates. It's a very nice anti-virus for people who know a bit about computers and don't mind manually scanning things. The good thing is it won't put its dirty tentacles all over your PC and hog RAM and resources like Norton and others. But I admit it didn't completely remove the virus I found, I had to manually remove it from HDD and registry. But it was only discovered two days ago, so I'll still recommend it.

I hate viruses and I never understood the benefit of one guy sitting making a virus that only has one task, ruining it for other users

There is an old conspiracy theory that anti-virus companies write the viruses to keep themselves in business!

Posted

I use Norton, but not the newer versions, they indeed take a lot of power away from my precious emulators :P

But I think Norton detects viruses fine, though not spyware and that kind of stuff ...

Have done scans with others, didn't find anything else beyond what Norton did...

But would never upgrade to a newer version of it though. :)

Posted

I too had problems with Norton's, sloppiest piece of code out there. Uninstalled it and now use ESET's NOD32. Pure assembly and light as a feather on the ol' cpu cycles and ram. Not picked a decent firewall yet though, will check out Outpost.

Did I mention that my PC runs like it's had an upgrade?!

This topic is now closed to further replies.