Troj/BagleDl-BJ

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
im_autorn
"<Windows system folder>\im_1.exe"

and delete it if it exists.

Close the registry editor.

Troj/BagleDl-BJ is a Trojan for the Windows platform.

When first run, the Trojan creates the files im_1.exe and im_2.exe in the Windows system folder and then runs them. The Trojan also creates a JPG image in the <Temp> folder with the filename "~<random digit>.jpg" and displays the image. The files im_1.exe and im_2.exe are also detected as Troj/BagleDl-BJ. Troj/BagleDl-BJ is a Trojan for the Windows platform.

When first run, the Trojan creates the files im_1.exe and im_2.exe in the Windows system folder and then runs them. The Trojan also creates a JPG image in the <Temp> folder with the filename "~<random digit>.jpg" and displays the image. The files im_1.exe and im_2.exe are also detected as Troj/BagleDl-BJ.

The Trojan attempts to download files from several remote sites.

The following registry entry is created to run the Trojan each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
im_autorn
"<Windows system folder>\im_1.exe"

The following registry entry is also created:

HKCU\Software\Microsoft\IME
FirstRun
dword:00000001