Win32: Mugly-C Worm

Hey Guys,

While doing a scan today I was notified that a virus was detected.

It was the "Win32: Mugly-C" worm. It was recommended that I move the virus to the Chest.

I have moved the virus to the Chest and I’m not sure what I should do now. Do I just leave it in the Chest or delete or remove it from the Chest?

Also, I did a search on this worm and supposedly it comes via an e-mail attachment and the download is an old man with a scrunched up face.

Is that correct? I know I did not download anything like that but other people use the PC so I don’t know if they downloaded this or not.

The PC is a Dell 8400 desktop running Win XP MCE 05.

I’m on a home network of 4 PC’s and so far just the one PC seems affected.

Thanks for any feedback,
John

In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

What was the filename, and where was it found (example: C:\windows\system32\infected-filename.xxx)?

Leave it in the chest for there it can do no harm, here you can investigate as you have (if you want to find out more about what it does, etc.) a google search is usually best. It is possible there may be other means of infection or this was found in your old email folders?

If after a period of a week or so there is no adverse effect of having moved the virus to the chest, you can delete it from there.

I was actually running a scan with Microsoft Antispyware and Avast came on during this scan and said this virus had been detected.

It listed the file as: C:\i386\bszip.dll and also listed Win32: Mugly-C and also, C:\windows\system32

I assume this is only one infection.

I then did a manual scan with Avast and it also noted the virus detection.

Besides leaving it in the Chest for a week or so and then deleting, should I be doing anything like changing passwords or deleting personal info?

I spoke with everyone who had access to the PC and nobody remembers downloading an e-mail attachment like this. Is that possible, considering the graphics of this file?

Thanks again for everyone's help,
John

In this folder ? this sounds like a false positive → please submit the file from the chest to ALWIL

What was the FILENAME of the file detected in C:\windows\system32? :wink:

Right now in my Virus Chest there are 2 entries because I moved one there during the Microsoft Antispyware scan and another one during the Avast manual scan.

I believe they are the same infection.

First entry is “bszip.dll”, original location is “C:\windows\system32”, virus is “Win 32: Mugly-C”.

Second entry is “BSZIP.DLL”, original location is “C:\I386”, virus is “Win 32: Mugly-C”.

Maybe you could help me as far as sending the file to ALWIL.

During the e-mail wizard it wants to know whether the incoming mail server is pop3 - IMAP - HTTP and then there are two boxes for incoming and outgoing mail.

I know I should know how to fill these boxes out but I’m not sure. I mainly use a Yahoo account for e-mail.

Thanks again for helping,
John

  1. You will need to move them out of the virus chest to a temporary folder.

  2. You can check then the offending/suspect file (you can’t check them whilst they are in the chest) at: Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive.

  3. If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You will probably find it easier to do this outside of the avast chest, from the moved/temporary location or if you believe them to be a false positive from the original folder (having moved them back).

DavidR,

Thanks for the info. I have no idea whether it’s a false positive or not.

I just want to be rid of it, whatever it is.

Can someone list a step by step procedure for removal of this virus?

Other antivirus manufacturers list step by step removal instructions for this virus, involving editing the registry and other files. Will I need to do this to get rid of this virus?

You’ll have to forgive me but I’m a little challenged when it comes to trying to understand some of this virus stuff.

Please keep it simple and thanks for hanging with me,
John

I just want to be rid of it, whatever it is.

If it is a false positive you DON’T WANT to get rid of it, until you are sure it is not, or you could be disabling a program or your system in the worst case.

The blue text in my post is a link to the Jotti site where you can submit the file for checking.

That statement I made about wanting to get rid of it whatever it was, was very stupid and thanks for straightening me out. I’m a little frazzled.

One last thing before I try the jotti website.

The main problem seems to be the Mugly-C virus and it is mainly located in the "C:\Windows\system32\bszip.dll" file.

When Avast detects the file and recommends moving to the Chest, it moves the file to the Chest but somehow the file keeps coming back to the same location. If the file is in the Chest how can it return to the C:\windows\system32\bszip.dll file?

Also, I tried to run another MSAS scan after moving that file to the Chest and I got a pop up box from Quick Books with an error message saying “error 1304. Error writing to file C:\Windows\system32\bszip.dll. Verify that you have access to that directory.”

One last thing, Avast also detected another infected file with the Mugly-C virus and it was "A0007078.DLL" with a location of C:\system volume information\_restore.

I’m really confused now. As far as checking these files at the jotti site, can I just create a new file on the desktop and name it virus and move the infected files from the Chest to this new file and check them from there at jotti’s site?

I really appreciate all the help and I’m sorry for all the long posts. Hopefully, we will figure out what’s going on.

John

Windows xp is clever but also dumb, when you remove/delete something from one of the system folders, windows xp in its infinite wisdom saves a copy of it using system restore, these are saved in the protected storage area System Volume Information, in restore points like the instance you gave (in case you deleted it by mistake, this makes life difficult when it comes to getting rid of virus infection).

Disable system restore, this removes all restore points after you reboot they are gone. When you are in the clear then you can enable system restore again.
Win XP-ME - How to disable System Restore

You can create a new temporary folder on your C: drive (in explorer), the name is unimportant ‘VirusCheck’, etc. move the file you want to check there (if it is in the avast chest), if it is still in the same place it was found, C:\Windows\system32\bszip.dll file, then there is no need to move it. The only reason for moving it was if it is in the avast chest, Jotti can’t scan it there (avast protects that area).

Once a file is outside avast’s chest it can be scanned by Jotti, click on the Browse button on the page and navigate (a little like explorer’s tree structure) to where the suspect file is and then you can submit it.

"Win32: Mugly-C worm. It was recommended that I move the virus to the Chest.

The PC is a Dell 8400 desktop running Win XP MCE 05.

John

I have almost identical problem as John with mugly worm.
It arrived yesterday and was in same files also quickbooks, which I opened briefly 1st time with this new computer. (same as above)
I was surprised when worm was again detected upon booting up this morn, since I thought it contained in Chest.
John, please let me know if suggestions worked for you, since I’ll have to do same with mine, being so identical.
thanks

DavidR.

I did as you suggested and moved the files to a new folder in C:\virus check.

I then tried to upload them to the jotti web site and got this message “The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading the file.”

I then shut down Zone Alarm and tried again to upload the files but I still get the same error message from jotti’s.

Any other suggestions? I’m lost here.

atmlt, If I ever figure out this problem I will surely let you know.

John

Any other suggestions? I'm lost here.

What is the file size on your HDD check with explorer (you may well have avast alarm when you check the folder)?

I doubt it is zero bytes, you may have pointed Jotti at the ‘c:\virus check’ folder and not at the file you put into the folder ‘c:\virus check\suspectfile.x??’.

DavidR,

The Avast alarm does go off when I check these files.

I put 3 different files into this folder and each file has a size of 52kb.

When trying to upload to Jotti’s I made sure the path was correct. IE: C:\virus check\bszip.dll and I continue to get the same error message.

The folder that these 3 files are in is 156kb.

John

DavidR,

I also used notepad to create a .txt file and then moved this .txt file to a new folder located in C:\testing\jotti.

I then went to Jotti’s site and uploaded this file with no problems. Of course no infections were found with any of the scanners.

So, I know that Zone Alarm is not the problem.

John

Are the files still in the avast chest?
How did you get them out of the chest into c:\virus check?

Files in the chest are I think encrypted so if you copied them to c:\virus chest\ using explorer they could be encrypted and Jotti won’t scan them, perhaps this is why they are reported as 0 bytes, I don’t know, I have never heard of this before.

If you have the files in the chest you can restore them using the Chest, Menu, File, Restore, that should put them back where they were originally. Then you could try Jotti again using the original location. Sorry I’m running out of ideas too.

DavidR,

I got them out of the Chest by extracting them to the “virus check” folder.

I did as you suggested and went back to the Chest and picked one of the files and restored it to its original location, "C:\Windows\system32\BSZIP.DLL", and then went back to Jotti’s site and tried to upload the file from this original location and still got the same error message.

I appreciate all your help.

So, now I have these virus files in 3 places that I know of.

  1. The Chest

  2. C:\virus check

  3. C:\Windows\system32\BSZIP.DLL

I also have system restore turned off as well as Zone Alarm.

I know you're running out of ideas as well, so do you know of anywhere else I could get some answers?

Hi John,
of course you need to PAUSE avast Shield(s) when you try to upload this stuff;
otherwise avast will BLOCK access to the file (as is his job)

:wink:
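An added example, not part of any poster's message and not avast or Jotti code: a small Python check for the two explanations offered in this thread for the "0 bytes" upload, a path that names the folder rather than the file, and something denying read access to the file. It compares the size the filesystem reports with the bytes a program can actually read, and hashes each readable copy so that entries believed to be "the same infection" can be confirmed as byte-identical. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def probe(path):
    """Compare the size the filesystem reports with the bytes actually readable."""
    info = {"path": path, "stat_size": None, "read_bytes": 0,
            "sha256": None, "error": None}
    try:
        info["stat_size"] = os.stat(path).st_size
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
                info["read_bytes"] += len(chunk)
        info["sha256"] = digest.hexdigest()
    except OSError as exc:
        # Covers a denied open (e.g. a scanner blocking the file), a missing
        # file, and a folder path given where a file was expected.
        info["error"] = f"{type(exc).__name__}: {exc.strerror}"
    return info

def compare_copies(paths):
    """Group readable copies by SHA-256 and list paths that could not be read."""
    results = [probe(p) for p in paths]
    groups = defaultdict(list)
    for r in results:
        if r["sha256"] is not None:
            groups[r["sha256"]].append(r["path"])
    unreadable = [r["path"] for r in results
                  if r["error"] or r["read_bytes"] != r["stat_size"]]
    return results, dict(groups), unreadable

def demo():
    # Constructed stand-ins for the copies named in the thread; harmless bytes.
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name in ("system32_bszip.dll", "i386_BSZIP.DLL", "check_bszip.dll"):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample bytes\n" * 100)
            paths.append(path)
        paths.append(tmp)  # the folder itself, not a file inside it
        _, groups, unreadable = compare_copies(paths)
        return len(groups), sorted(len(v) for v in groups.values()), len(unreadable)

if __name__ == "__main__":
    print(demo())
```

A path that shows a non-zero size in Explorer but lands in the unreadable list is being blocked or is not a regular file; copies that share one SHA-256 are the same file, so only one needs to be submitted.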

Hi whocares,

Do I pause all providers or just certain ones?

Why would I be able to upload the .txt file I created and not have to pause Avast’s shields, but you’re saying to upload the suspected infected files I need to pause Avast’s shields?

Thanks for helping,
John