
F - B A G L E
-------------

The F-Bagle utility disinfects computers infected with the 
following Bagle worm variants:

 W32/Bagle.A@mm
 W32/Bagle.B@mm
 W32/Bagle.C@mm
 W32/Bagle.D@mm
 W32/Bagle.E@mm
 W32/Bagle.F@mm
 W32/Bagle.G@mm
 W32/Bagle.H@mm
 W32/Bagle.I@mm
 W32/Bagle.J@mm
 W32/Bagle.K@mm
 W32/Bagle.L@mm
 W32/Bagle.M@mm
 W32/Bagle.O@mm
 W32/Bagle.U@mm
 W32/Bagle.V@mm
 W32/Bagle.W@mm
 W32/Bagle.X@mm
 W32/Bagle.Y@mm
 W32/Bagle.Z@mm
 W32/Bagle.AL@mm
 W32/Bagle.AC 
 W32/Bagle.AF@mm 
 W32/Bagle.AH@mm 
 W32/Bagle.AI@mm 
 W32/Bagle.AN@mm 
 W32/Bagle.AO@mm 
 W32/Bagle.AT@mm 
 W32/Bagle.AU@mm 
 W32/Bagle.AV@mm ("test version")
 W32/Bagle.AX@mm
 W32/Bagle.AY@mm
 Email-Worm.Win32.Bagle.ba
 Email-Worm.Win32.Bagle.bb
 Email-Worm.Win32.Bagle.bc
 Email-Worm.Win32.Bagle.pac (1 variant)

Additionally, the utility removes the following Mitglieder proxy 
trojan variants that are dropped by Bagle worms:

 W32/Mitglieder.S
 W32/Mitglieder.T
 W32/Mitglieder.AA
 W32/Mitglieder.AJ
 W32/Mitglieder.AG
 W32/Mitglieder.AV

Please note that the utility does not disinfect the Bagle.N, 
Bagle.P, Bagle.Q, Bagle.R, Bagle.S and Bagle.T variants because 
of the polymorphic nature of their viral component.


The disinfection procedure is as follows:

1. Unpack the F-Bagle utility from the provided ZIP archive with 
either the WinZip or the PkUnzip utility. A trial version of the 
WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
                                   
2. Close all running applications and run the unpacked 
F-Bagle.exe file from a hard disk to eliminate the infection. You 
can run the utility either by double-clicking on it in Windows 
Explorer or, for advanced users, by starting it from a command 
interpreter (COMMAND.COM or CMD.EXE): type its name at the 
command prompt and press 'Enter'.

First, the F-Bagle utility will kill the Bagle worm and 
Mitglieder trojan processes in memory. Then the utility will 
remove the Registry entries created by the worm. Finally, the 
utility will scan all hard drives for infected files and delete 
them.

3. Restart the computer. After the restart your system should be 
clean.


You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/list.shtml
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

During disinfection of some Bagle worm variants the utility will 
have to temporarily close Explorer.exe (one of the main Windows 
components). As a result, all icons on the desktop and the 
taskbar at the bottom of the screen will disappear. This is 
normal; the tool will restart Explorer.exe as soon as scanning 
of the hard drive is finished. Also, in some cases a new 
Explorer window may appear after disinfection. This is also 
normal behaviour.

If the computer being disinfected runs Windows NT, 2000 or XP, 
please log in as Administrator or as a user with local admin 
rights; otherwise the F-Bagle utility might not disinfect the 
system correctly.

If you have Windows ME or XP, it is recommended to disable the 
System Restore feature of these operating systems to prevent 
your computer from being re-infected with the Bagle worm. 
System Restore might save the infected file into a special 
folder and copy it back to the hard drive every time it is 
deleted by the F-Bagle utility. Instructions on how to disable 
the System Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us 
at 'anti-virus-support@f-secure.com'.

Copyright (C) 2005 F-Secure Corporation. All rights reserved.
