Subject: Bagle32
Category: Computers
Asked by: musselgirl-ga
List Price: $5.00
Posted: 05 Jul 2004 19:37 PDT
Expires: 04 Aug 2004 19:37 PDT
Question ID: 370108

Where can I find a tool to clean Bagle32 from my system?
Subject: Re: Bagle32
Answered By: tlspiegel-ga on 05 Jul 2004 19:54 PDT

Hi musselgirl,

I assume you mean Beagle32 because there is no tool to remove anything named 'Bagle32'.

W32.Beagle@mm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

1. Download the FxBeagle.exe file from: http://securityresponse.symantec.com/avcenter/FxBeagle.exe. Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected. To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
2. Close all the running programs before running the tool.
3. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
4. If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details. Caution: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
5. Double-click the FxBeagle.exe file to start the removal tool.
6. Click Start to begin the process, and then allow the tool to run.
7. Restart the computer.
8. Run the removal tool again to ensure that the system is clean.
9. If you are running Windows Me/XP, then reenable System Restore.
10. Run LiveUpdate to make sure that you are using the most current virus definitions.

=================================================

Windows Virus Removal Tools
http://www.cmu.edu/computing/security/latest/bulletins/virus.tools.htm

W32.Beagle@mm - January 19, 2004

Symantec Security Response has developed a removal tool to clean infections of the following Beagle variants:
* W32.Beagle.A@mm
* W32.Beagle.B@mm
* W32.Beagle.C@mm
* W32.Beagle.E@mm
* W32.Beagle.F@mm
* W32.Beagle.G@mm
* W32.Beagle.H@mm
* W32.Beagle.I@mm
* W32.Beagle.J@mm
* W32.Beagle.K@mm
* W32.Beagle.U@mm
* W32.Beagle.W@mm
* W32.Beagle.X@mm

Detailed instructions for running this tool are available from:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

* Beagle Removal Tool
http://www.cmu.edu/computing/security/latest/patches/FxBeagle.exe

If you've been notified your PC has the Beagle virus and the above removal tool does not find it, try this one below:

Symantec Security Response has developed a removal tool to clean infections for the following variants of the Beagle family:
* W32.Beagle.M@mm
* W32.Beagle.N@mm
* W32.Beagle.O@mm

* Beagle M/N/O Removal Tool
http://www.cmu.edu/computing/security/latest/patches/FxBgleMNO.exe

=================================================

FxBeagle.exe - Symantec file to find/repair Beagle32 trojan
http://calhounalumni.org/FxBeagle.exe

Best regards,
tlspiegel
Subject: Re: Bagle32
From: corwin02-ga on 06 Jul 2004 19:38 PDT

Virus Information
Name: W32/Bagle.ad@MM
Risk Assessment - Home Users: Medium - Corporate Users: Medium
Date Discovered: 7/4/2004
Date Added: 7/4/2004
Origin: Unknown
Length: approx 62kB (UPXed) + appended garbage
Type: Virus
SubType: E-mail
DAT Required: 4373

The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:
http://news.zdnet.co.uk/internet/security/0,39020375,39159596,00.htm

This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image)
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase "shar" in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
* the sample is packed with UPX runtime compressor

Note: The worm carries its source code (assembler) in its body, encrypted. When mass-mailing itself, the worm may also include a copy of the source code (within a ZIP archive, SOURCES.ZIP). It is not unlikely therefore that we will see further trivial variants based on this source. Though various differences may be expected, the following parameters are most likely (easy) to be modified:
* port number used by backdoor
* backdoor password
* date of 'expiry'

Mail Propagation

The details are as follows:

From: (address is spoofed)

Subject: one of the following:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Body Text: Various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext, or within an image).

Attachment: The following filenames are used:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

using one of the following extensions:
* Script dropper - using one of the following file extensions: HTA, VBS
* Executable, using one of the following file extensions: exe, scr, com, cpl
* Executable dropper, CPL file with .CPL file extension.

If the attachment is a ZIP file, the archive may be encrypted (password protected). The password is contained in the message body (plaintext or image).

Installation

The virus copies itself into the Windows System directory as LOADER_NAME.EXE. For example:
C:\WINNT\SYSTEM32\loader_name.exe

It also creates copies of itself (with differing appended garbage) in this directory to perform its functions:
loader_name.exeopen
loader_name.exeopenopen

The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"reg_key" = "C:\WINNT\System32\loader_name.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the processes of various security programs (and other worms).

The worm opens port 1234 (TCP) on the victim machine.
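The host-side indicators in the description above (the Netsky-style mutex names, the HKCU Run entry pointing into System32, the TCP/1234 listener and copies dropped into folders with "shar" in the name) can be triaged from a defender's side with a short script. This is an added example, not part of the thread or of any vendor's removal tool; it assumes Windows PowerShell 3 or later on a system where Get-NetTCPConnection is available, and it only reports findings for review because the writeup's file and value names (loader_name.exe, reg_key) are placeholders, not the real ones.

```powershell
# Added example: report W32/Bagle.ad@MM indicators from the McAfee writeup.
# Assumes PowerShell 3+ and Get-NetTCPConnection (Windows 8 / 2012 or later).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Mutex names the worm creates (chosen to block Netsky variants).
$bagleMutexes = @(
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
)
foreach ($name in $bagleMutexes) {
    $m = $null
    # TryOpenExisting returns $true only if some process already holds the mutex.
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $findings.Add("mutex present: $name")
        $m.Dispose()
    }
}

# 2. Backdoor listener on TCP/1234, with the owning process for context.
Get-NetTCPConnection -State Listen -LocalPort 1234 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP/1234 listening, owner PID $($_.OwningProcess) ($($p.ProcessName))")
    }

# 3. HKCU Run entries that launch something out of System32 (the writeup's
#    "reg_key" = C:\WINNT\System32\loader_name.exe pattern). Review, don't delete.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sys32  = Join-Path $env:SystemRoot 'System32'
(Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "$sys32\*" } |
    ForEach-Object { $findings.Add("HKCU Run entry into System32: $($_.Name) = $($_.Value)") }

# 4. Executables inside folders whose name contains "shar" (P2P share folders).
Get-ChildItem -Path $env:ProgramFiles, $env:USERPROFILE -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'shar' } |
    Get-ChildItem -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("executable in share folder: $($_.FullName)") }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Bagle.ad indicators found.' }
```

A hit on the mutex or port check is strong evidence of an active infection; a System32 Run entry or a stray executable in a share folder is only a lead to confirm with up-to-date antivirus definitions.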
Subject: Re: Bagle32
From: corwin02-ga on 06 Jul 2004 19:39 PDT

Use McAfee to remove it
Subject: Re: Bagle32
From: tlspiegel-ga on 06 Jul 2004 20:06 PDT

Hi musselgirl,

Please DO pay attention to my answer, and not to the comment by corwin02 who is not a researcher. My answer is correct and here is further information for you.

(Beagle is Also Known As: I-Worm.Bagle [Kaspersky], WORM_BAGLE.A [Trend], W32/Bagle-A [Sophos], W32/Bagle@MM [McAfee], Win32.Bagle.A [Computer Associates])

Monday, 19 January 2004
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

W32.Beagle.A@mm is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds using its own SMTP engine. The email has the following characteristics:

Type: Worm
Infection Length: 15,872 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

The worm will only work until January 28, 2004 (See Note in step 1 in the "Technical Details" section below).

Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.A@mm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

Best regards,
tlspiegel