If you go to Norton's or McAfee's site, you can get a cleaning tool. It surely can't hurt to download and run it - even if you don't have Bagle.
Here is the link for McAffee's tool:
http://vil.nai.com/vil/stinger
From the web site:
Mail Propagation
The virus which is downloaded contains the propagation code. The details are as follows:
From : (address is spoofed)
Subject : (blank)
Body Text:
new price
There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body:
The password is
Password:
The password will then be contained in an embedded image file.
Attachment: (may be one of the following)
price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
The ZIP file contains PRICE.EXE and PRICE.HTML, as described above.
If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) the HTML file will be visible along with a folder which contains the EXE file. When the HTML file is run on a vulnerable system, it will run the EXE file.
When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE. For example:
C:\WINNT\SYSTEM32\WINdirect.exe
It also drops a DLL file in this directory:
_dll.exe
The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe.
The following Registry keys are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE . For example:
C:\WINNT\SYSTEM32\windll.exe
It also creates other files in this directory to perform its functions:
C:\WINNT\SYSTEM32\windll.exeopen
C:\WINNT\SYSTEM32\windll.exeopenopen
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"
Additionally, the following Registry keys are added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ru1n
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 80 (TCP) and a random UDP port on the victim machine.
Top of Page
Symptoms
Port 80 (TCP) open on the victim machine
Outgoing messages matching the described characteristics
Files/Registry keys as described