The following forwarded message is from Joe Stewart to TH-Research (The Trojan Horses Research Mailing List).
In it Joe explains of a way for admins (or anybody really) to easily and massively remove Bagle infections from their networks.
There are other ways to do this, but this is the most simple that I saw thus far.
Thanks again to Joe for all his work. Drop him a thank-you note if this helps you, he's a good guy!
Gadi Evron
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
From: Joe Stewart <jstewart@lurhq.com> To: TH-Research Subject: [TH-research] Bagle remote uninstall Date: Tue, 20 Jan 2004 17:19:41 -0500
Mail from Joe Stewart <jstewart@lurhq.com>
If you can't wait till January 28, Bagle has a remote uninstall command which can be sent over port 6777, the port also used to upload the second stage.
For instance, using perl and netcat, you could send the uninstall command with the one-liner below: perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \ | nc infected_host_IP 6777
When the command bytes above are received by an infected host, the virus will exit and delete its executable (using a batch script after the fact). The registry keys are not removed.
-Joe
--
Gadi Evron,
ge@linuxbox.org.The Trojan Horses Research mailing list - http://ecompute.org/th-list
My resume (Hebrew) - http://www.math.org.il/resume.rtf
PGP key for ge@linuxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
