BART doesn't clean "win32:beagle family"

[dancerdog3]

I am using BART to clean a system with  a virus.  Norton detected it as "W32.Beagle.M@mm"  

So I ran BART.  I used Servant Salamander  and deleted the infected filed from all the directories that have "SHAR" in them.  Then, I edited the registry to get rid of the winupd.exe and I deleted the winupd.exe file from the /system32/ directory.

Then I ran the virus scan in BART.  It detected the "win32:Beagle family" in a lot of files, but could not clean them or delete them.  I don't think I want to delete them because they are all .exe files and most of them appear to be useful.

Any usefull ideas on how best to deal with Beagle viruses?  

[w0mbat]

This is just the way I do it, and may not be the best.

download the worm removal tool for it here

http://securityresponse.symantec.com/avcenter/FxBgleMO.exe

What the tool does

The W32.Beagle.M-O@mm Removal Tool does the following:
Terminates the W32.Beagle.M-O@mm viral processes
Repairs any files infected by W32.Beagle.M-O@mm
Deletes any copies of the worm that have been created on the system, including password-protected zip files or password-protected rar files containing the worm.
Deletes the registry values added by the worm

Infected computer.
Boot into safe mode, turn off system restore if it has it.
re-boot into safe mode again.
run the worm removal tool, read the log.
re-boot again into safe mode. re-run the tool. Read the log.
if all clear boot into normal mode.

Let us know how this goes for you.

w0mbat

[dancerdog3]

I think the Beagle is finally gone.

I booted with BART and ran the FxBgleMO.exe Beagle removal tool by Symantec from within the BART environmnet.  

Then I booted into Safe Mode and ran it again.

Then I booted into normal mode and ran the Nortan Anti Virus to clean the remaining infected files.  This seemed to work.

This system was had the typical Beagle things...  The same virus files in the "SHAR" folder, winupd.exe being called form the registry.  But, also a lot of other .exe files got infected.  The FxBgleMO.exe tool took care of the Beagle virus files, but not the other .exe files that were infected.  THe NAV scan at the end cleaned up the .exe files.

The system is now clean, after many scans and reboots.  I think it would have been easier if BART included better virus cleaning capability.
-----------------------------
One interesting thing about this is that the virus did not arrive via email.  I was moving an old HDD to a new PC.  The new PC had NAV and XP and everythiing up to date.  I added the old HDD and used NAV to scan it.  THen the problems started.  Somehow the Beagle virus worked its' was from the old HDD to the new one during the virus scan.

[w0mbat]

Hey Dancerdog3,

BART is a really good product, but nothing can be all solutions to everyone. The result if you try to do that is Any MS product.
Holes tied together with string.
Some worms you just have to use these specialy made removal tools in order to clean them.
At least BART provides an clean enviroment with which to use them.

Reading through

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html

beagle can spread through shared folders, and it disables the A/V product.

Good ridance to it.

Have a good weekend....

--Steve

[dancerdog3]

I agree.  BART did give a clean environment to work in.  Without that, this problem would have taken much more time to deal with.  I think BART is a great product and it makes my life easier.
I hate Beagle virus/worms.

BART ROCKS!    

[Vlk]

In fact, avast BART can do much better than you have seen. That's because a number of infections can actually be cleaned directly from its environment (with no need of third party tools and/or sequential boots to safe mode) - unfortunately this is not the case with Beagle.M
(for Beagles, this currently applies to variants A-L, U, W-Z and AA-AH).

Thanks,
Vlk

[w0mbat]

Hi Vlk,

Ok, here is a wishlist item for BART.

In the EDIT area after a full scan has been completed and we edit the list of found infected files, it would be nice to have an indicator on the files that BART can repair rather than just delete.

thanks

--Steve