Win32: Mugly-C Worm

john36

  • Guest
Win32: Mugly-C Worm
« on: April 16, 2005, 07:06:24 PM »
Hey Guys,

While doing a scan today I was notified that a virus was detected.

It was the "Win32: Mugly-C" worm.  It was recommended that I move the virus to the Chest.

I have moved the virus to the Chest and I'm not sure what I should do now.  Do I just leave it in the Chest or delete or remove it from the Chest?

Also, I did a search on this worm and supposedly it comes via an e-mail attachment and the download is an old man with a scrunched up face.

Is that correct?  I know I did not download anything like that but other people use the PC so I don't know if they downloaded this or not.

The PC is a Dell 8400 desktop running Win XP MCE 05.

I'm on a home network of 4 PCs and so far just the one PC seems affected.

Thanks for any feedback,
John

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Win32: Mugly-C Worm
« Reply #1 on: April 16, 2005, 07:30:47 PM »
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?
If at first you don't succeed, then skydiving's not for you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Win32: Mugly-C Worm
« Reply #2 on: April 16, 2005, 07:41:43 PM »
What was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?

Leave it in the chest, for there it can do no harm; here you can investigate as you have (if you want to find out more about what it does, etc.); a Google search is usually best. It is possible there may be other means of infection, or this was found in your old email folders?

After a period of a week or so, if there is no adverse effect of having moved the virus to the chest, you can delete it from there.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #3 on: April 16, 2005, 09:02:07 PM »
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

I was actually running a scan with Microsoft Antispyware and Avast came on during this scan and said this virus had been detected.

It listed the file as:  C:\i386\bszip.dll  and also listed Win32: Mugly-C  and also, C:\windows\system32

I assume this is only one infection.

I then did a manual scan with Avast and it also noted the virus detection.

Besides leaving it in the Chest for a week or so and then deleting, should I be doing anything like changing passwords or deleting personal info?

I spoke with everyone who had access to the PC and nobody remembers downloading an e-mail attachment like this.  Is that possible, considering the graphics of this file?

Thanks again for everyone's help,
John

whocares

  • Guest
Re: Win32: Mugly-C Worm
« Reply #4 on: April 16, 2005, 09:25:35 PM »
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

Quote
It listed the file as:  C:\i386\bszip.dll

In this folder? This sounds like a false positive -> please submit the file from the chest to ALWIL

What was the FILENAME of the file detected in
C:\windows\system32
? ;)

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #5 on: April 16, 2005, 10:02:42 PM »
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

It listed the file as:  C:\i386\bszip.dll

In this folder? This sounds like a false positive -> please submit the file from the chest to ALWIL

What was the FILENAME of the file detected in
C:\windows\system32
? ;)

Right now in my Virus Chest there are 2 entries because I moved one there during the Microsoft Antispyware scan and another one during the Avast manual scan.

I believe they are the same infection.

First entry is "bszip.dll", original location is "C:\windows\system32", virus is "Win 32: Mugly-C"

Second entry is "BSZIP.DLL", original location is "C:\I386", virus is "Win 32: Mugly-C"

Maybe you could help me as far as sending the file to ALWIL.

During the e-mail wizard it wants to know whether the incoming mail server is pop3 - IMAP - HTTP and then there are two boxes for incoming and outgoing mail.

I know I should know how to fill these boxes out but I'm not sure.  I mainly use a Yahoo account for e-mail.

Thanks again for helping,
John

Offline DavidR

Re: Win32: Mugly-C Worm
« Reply #6 on: April 17, 2005, 12:16:33 AM »
1. You will need to move them out of the virus chest to a temporary folder.
2. You can then check the offending/suspect file (you can't check them whilst they are in the chest) at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive.

3. If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You will probably find it easier to do this outside of the avast chest, from the moved/temporary location or if you believe them to be a false positive from the original folder (having moved them back).

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #7 on: April 17, 2005, 01:35:20 AM »
DavidR,

Thanks for the info.  I have no idea whether it's a false positive or not.

I just want to be rid of it, whatever it is.

Can someone list a step by step procedure for removal of this virus?

Other anti-virus manufacturers list step by step removal instructions for this virus, involving editing the registry and other files.  Will I need to do this to get rid of this virus?

You'll have to forgive me but I'm a little challenged when it comes to trying to understand some of this virus stuff.

Please keep it simple and thanks for hanging with me,
John

Offline DavidR

Re: Win32: Mugly-C Worm
« Reply #8 on: April 17, 2005, 01:53:02 PM »
Quote
I just want to be rid of it, whatever it is.

If it is a false positive you DON'T WANT to get rid of it, until you are sure it is not, or you could be disabling a program or your system in the worst case.

The blue text in my post is a link to the Jotti site where you can submit the file for checking.

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #9 on: April 17, 2005, 04:52:26 PM »
Quote
I just want to be rid of it, whatever it is.

If it is a false positive you DON'T WANT to get rid of it, until you are sure it is not, or you could be disabling a program or your system in the worst case.

The blue text in my post is a link to the Jotti site where you can submit the file for checking.

That statement I made about wanting to get rid of it whatever it was,  was very stupid and thanks for straightening me out.  I'm a little frazzled.

One last thing before I try the jotti website.

The main problem seems to be the Mugly-C virus and it is mainly located in the "C:\Windows\system32\bszip.dll" file.

When Avast detects the file and recommends moving to the Chest, it moves the file to the Chest but somehow the file keeps coming back to the same location.  If the file is in the Chest how can it return to the C:\windows\system32\bszip.dll file?

Also, I tried to run another MSAS scan after moving that file to the Chest and I got a pop up  box from Quick Books with an error message saying " error 1304.  Error writing to file "C:\Windows\system32\bszip.dll.  Verify that you have access to that directory."

One last thing,  Avast also detected another infected file with the Mugly-C virus and it was "A0007078.DLL" with a location of C:\system volume information\_restore.

I'm really confused now.  As far as checking these files at the jotti site, can I just create a new file on the desktop and name it virus and move the infected files from the Chest to this new file and check them from there at jotti's site?

I really appreciate all the help and I'm sorry for all the long posts.  Hopefully, we will figure out what's going on.

John

Offline DavidR

Re: Win32: Mugly-C Worm
« Reply #10 on: April 17, 2005, 05:34:02 PM »
Windows XP is clever but also dumb: when you remove/delete something from one of the system folders, Windows XP in its infinite wisdom saves a copy of it using System Restore. These are saved in the protected storage area System Volume Information, in restore points like the instance you gave (in case you deleted it by mistake; this makes life difficult when it comes to getting rid of a virus infection).

Disable System Restore; this removes all restore points, and after you reboot they are gone. When you are in the clear then you can enable System Restore again.
Win XP-ME - How to disable System Restore

You can create a new temporary folder on your C: drive (in explorer), the name is unimportant 'VirusCheck', etc. move the file you want to check there (if it is in the avast chest), if it is still in the same place it was found, C:\Windows\system32\bszip.dll file, then there is no need to move it. The only reason for moving it was if it is in the avast chest, Jotti can't scan it there (avast protects that area).

Once a file is outside avast's chest it can be scanned by Jotti, click on the Browse button on the page and navigate (a little like explorer's tree structure) to where the suspect file is and then you can submit it.

atmlt

  • Guest
Re: Win32: Mugly-C Worm
« Reply #11 on: April 17, 2005, 06:29:46 PM »

Quote
"Win32: Mugly-C" worm.  It was recommended that I move the virus to the Chest.

The PC is a Dell 8400 desktop running Win XP MCE 05.

John

I have an almost identical problem as John with the mugly worm.
It arrived yesterday and was in the same files, also QuickBooks, which I opened briefly for the 1st time with this new computer (same as above).
I was surprised when the worm was again detected upon booting up this morn, since I thought it was contained in the Chest.
John, please let me know if the suggestions worked for you, since I'll have to do the same with mine, being so identical.
Thanks

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #12 on: April 17, 2005, 07:29:17 PM »
Quote
Windows XP is clever but also dumb: when you remove/delete something from one of the system folders, Windows XP in its infinite wisdom saves a copy of it using System Restore. These are saved in the protected storage area System Volume Information, in restore points like the instance you gave (in case you deleted it by mistake; this makes life difficult when it comes to getting rid of a virus infection).

Disable System Restore; this removes all restore points, and after you reboot they are gone. When you are in the clear then you can enable System Restore again.
Win XP-ME - How to disable System Restore

You can create a new temporary folder on your C: drive (in explorer), the name is unimportant 'VirusCheck', etc. move the file you want to check there (if it is in the avast chest), if it is still in the same place it was found, C:\Windows\system32\bszip.dll file, then there is no need to move it. The only reason for moving it was if it is in the avast chest, Jotti can't scan it there (avast protects that area).

Once a file is outside avast's chest it can be scanned by Jotti, click on the Browse button on the page and navigate (a little like explorer's tree structure) to where the suspect file is and then you can submit it.

DavidR.

I did as you suggested and moved the files to a new folder in C:\virus check.

I then tried to upload them to the jotti web site and got this message "The file you uploaded is 0 bytes.  It is very likely a firewall or a piece of malware is prohibiting you from uploading the file."

I then shut down Zone Alarm and tried again to upload the files but I still get the same error message from jotti's.

Any other suggestions?  I'm lost here.

atmlt,  If I ever figure out this problem I will surely let you know.

John

Offline DavidR

Re: Win32: Mugly-C Worm
« Reply #13 on: April 17, 2005, 08:04:14 PM »
Quote
Any other suggestions?  I'm lost here.

What is the file size on your HDD? Check with Explorer (you may well have avast alarm when you check the folder).

I doubt it is zero bytes, you may have pointed Jotti at the 'c:\virus check' folder and not at the file you put into the folder 'c:\virus check\suspectfile.x??'.

john36

  • Guest
Re: Win32: Mugly-C Worm
« Reply #14 on: April 17, 2005, 08:22:18 PM »
DavidR,

The Avast alarm does go off when I check these files.

I put 3 different files into this folder and each file has a size of 52kb.

When trying to upload to Jotti's I made sure the path was correct.  IE:  C:\virus check\bszip.dll and I continue to get the same error message.

The folder that these 3 files are in is 156kb.

John