Tips on dealing with the Bagle rootkit
Normally I don’t concern myself with Windows- related matters. However, the infamous Bagle rootkit and its numerous variations deserve some attention even from Unix sysadmins. Bagle annoyed me and my customers long enough. Essentially, Bagle turns you PC into someone’s personal email server for sending out spam. It also gives that someone remote access to your PC. The exact procedure for removing this virus varies depending on the type of the Bagle rootkit you have. How do you know you have it?
Most antivirus applications are written by idiots. This is exactly the reason why Bagle is able to kill and delete most antivirus scanners before they ever get a chance to catch it. And, once it is on your system, Bagle will not let you install or run any antivirus application. You can still run online scanners, but those will accomplish exactly nothing because they run via IE, which Bagle infected.
So the first sign of trouble is when your antivirus application suddenly quits and disappears. You can’t start it and you can’t reinstall it. You’ve definitely been Bagled. Another symptom: you wireless card would no longer connect to the network. Windows says that something else is trying to manage it. Scroll down to the end of this page to see notes on dealing with the wireless problem – but only after you got rid of the virus!
Do CTRL-ALT-DEL to bring up the Task Manager and take a look at the running processes. If you see hldrrr.exe or wintems.exe running – you’ve been Bagled. If you don’t see these processes – that doesn’t mean your are in the clear. See, the problem is that many viruses have the ability to hide from the Task Manager. This is primarily because, just like the antivirus applications, Windows XP and Vista were written mainly by C-minus-average Comp Sci grads from the University of Mumbai.
So how do you get rid of Bagle? To be perfectly honest with you, the best way to go is to just reformat your drive and reinstall Windows. Sure you will need to reinstall your apps and rebuild your settings, but you will get rid of Bagle 100% guaranteed. The alternatives are time-consuming, extremely convoluted and not always effective. But if you are willing to give it a shot, below are some tips that you may find useful. And keep in mind: most methods for removing Bagle you find online will not work because that information was posted by either hackers who wrote the damn thing or by the aforementioned idiots.
So here’s the action plan:
- Before you take any drastic measures, log out of your PC and try to log back in as Administrator. To do this, at he login screen hit CTRL-ALT-DEL twice and a login window will appear. If you don’t know your Administrator password, find somebody who does. Alternatively, try to log in as another user (if you have another user configured on your PC): there is a slight chance that Bagle only infected your account. When you log in as Administrator or another user, check the Task Manager to see of hldrrr.exe or wintems.exe are running. If they are not – you’re in luck.
- Get Spybot Search & Destroy and see if you can install it. If you can – you’re definitely one lucky SOB. Run a full system scan and see if Spybot finds your Bagle. Now see if you can reinstall your useless antivirus and do a full system scan.
- If this approach fails, then make yourself some coffee: this will take time. The basic steps for removing Bagle from your system are the same as for removing any other virus: 1) kill any processes infected by the virus; 2) delete any infected files from your drive; 3) delete any registry entries that start the virus. Easier said than done. With Bagle the problem starts with #1: there is no simple way of killing infected processes. And, as long as they are running, they will not let you delete anything and any registry changes you make will be promptly overwritten. So you need to access your Windows filesystem without starting Windows.
- Download Knoppix bootable image and burn it to CD.
- Boot from Knoppix CD (without installing it)
- Your Windows drive “C” will be mounted in read-only mode. You need to mount it in read-write mode.
- Go to “C:\WINDOWS\system32\drivers\” and remove “hldrrr.exe”
- Go to “C:\WINDOWS\system32\”, remove “wintems.exe” and “mdelk.exe”
- Remove “srosa.sys” from “C:\Windows\System32\drivers\”
- Remove the “C:\WINDOWS\system32\drivers\down” directory and everything in it.
- Not all of the mentioned files and directories will exist on your system, so delete what you find.
- You can run regedit from Knoppix. So run it and delete the following keys from registry:
- Just for the hell of it, search the registry for “hldrrr” and “wintems”, just in case you missed something. Delete what you find.
- Install Spybot and do a full scan. Let it fix whatever it finds.
- Reinstall your antivirus and do another system scan. Your AV is junk, but maybe it will find something now that the virus is not running.
- Use notepad to open C:\WINDOWS\system32\drivers\etc\hosts. If you see many line looking something like 127.0.0.1 followed by some unknown URL, you need to select all, delete it and then save the empty file. When trying to save you may get “Access Denied” error. Download KillBox, run it, point it to the C:\WINDOWS\system32\drivers\etc\hosts file and tell it to delete the file. Then use Notepad to create an empty “hosts” file in its place (no TXT extension, please). Next time you reboot, check this file one more time: if it’s full of garbage as before, then you still have a virus that keeps repopulating the hosts file.
- It would have been just wonderful if you could scan your Windows drive by connecting it to another computer via an external USB enclosure or something like that. This way the antivirus can do its job unhindered by the virus. This is really the best way to get rid of a virus. Get an external disk enclosure and find a good friend with an up-to-date antivirus and Spybot.
Wireless card not working
It is true: Bagle takes control of your wireless card away from Windows. It does so by turning off the NDIS protocol driver (NDISUIO). This in turn prevents the WZC (Wireless Zero Configuration) service from starting.
- To fix this little problem, go to Start –> Run –> service.msc –> try to start WZC.
- If it fails to start and gives you error 1068, then go to Start –> Run –> regedit –> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio –> make sure the Start value is set to 1, 2, or 3 – doesn’t matter which as long as it is not 4.
- Reboot your PC, go to services.msc again and check if WZC is running.
- If it doesn’t, try to start it manually. If it does but you still can’t see any available wireless networks, you will need to reinstall your wireless card driver.
- Make sure you have the original manufacturer driver or setup file for your network card. Got to Control Panel –> System –> Hardware –> Device Manager and under Network Adapters delete your wireless device.
- Reinstall the device using the original driver. Reboot your PC and recreate network configuration (if you are not using DHCP).
How antivirus makers rip you off
The Bagle virus is a “trojan”, implying that, aside from its ability to self-replicate, it has a hidden payload. But what exactly is a difference between a virus and a trojan? None whatsoever. There is a purely artificial distinction concocted by the antivirus industry folks. Why? It’s really simple.
Say, you parted with hard-earned fifty bucks and purchased antivirus software. A week later your computer got infected with Bagle, even though your AV program was installed, updated and fully functional. So you get understandably pissed off and call the antivirus maker. Once they get a general idea of what happened to your PC, they tell you: “Oh, well, this is not a virus – it is a trojan! That’s why our software didn’t catch it.” Unfortunately this bogus excuse is enough to convince most users.
Antivirus makers make much more money than all virus creators put together. So on one side you are being robbed by the hackers and on the other – by the antivirus industry. The antivirus makers don’t really lie to you: they will never tell you that their software will keep your computer 100% secure. They will readily admit that some viruses may slip through. This is like buying an umbrella full of holes: it will block some of the rain, but what’s the point if you are going to get wet anyway?
The sad truth is that the hackers who write these viruses are far more experienced and more talented than the programmers who write antivirus applications. Hackers do this for fun and for good money. For them it’s a form of self expression – a way to show off their skills. The antivirus industry, on the other hand, attracts mediocre programmers with average salaries and a boring job of tracking down and cataloging code written by someone much more talented.