W32/Bagle.gen@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 01/01/2004
Length: Varies
Minimum DAT: 4333 (03/03/2004)
Updated DAT: 4905 (11/27/2006)
Minimum Engine: 5.1.00
Description Added: 04/06/2004
Description Modified: 11/23/2005 9:00 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

-- Update November 23, 2005 --

A third new Bagle downloader has been received, again spammed out to users. This is also detected with the 4635 DATs as W32/Bagle.gen@MM. More details on these recent Bagle downloaders are posted here.

-- Update November 23, 2005 --

Two new Bagle downloaders have been spammed widely to users. They are likely to be received as a file named 1.EXE. Detection will be added to the 4635 DATs as W32/Bagle.gen@MM. More details are posted here.

-- Update April 14, 2005 --
There was a recent mass-mailing of a new Bagle downloader trojan variant. It was sent in email messages containing .RAR attachments (MD5: 0x41f4e23f96dbf7c3f02f88ab179ae124), such as:

  • Price.rar
  • It_about_you.rar
  • Forest.rar
  • Fairy_tale.rar

Inside the RAR archives is a file named 123.EXE (MD5: 0xdd6290422f7dec38ab5227767d3e5696). This file is detected as W32/Bagle.gen@MM with existing DAT files [no update is required]. The EXE file installs a file that is detected as W32/Bagle.dll.gen with existing DAT files. The goal of this dropped file is to terminate security software, overwrite the HOSTS file to prevent access to certain websites, and to check a list of 153 different websites in order to download a file named osa.gif. At the time of this writing, osa.gif was not present on any of the 153 servers.
--
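As an added defender-side example (not part of this McAfee description), the Python below matches a file's MD5 against the two hashes quoted in the April 14, 2005 update and flags HOSTS entries that sinkhole hostnames other than localhost, the kind of modification the dropped component makes to block access to certain websites; the HOSTS content and the hostnames in it are constructed.

```python
import hashlib

# MD5s quoted in the April 14, 2005 update above (the RAR attachment and 123.EXE).
KNOWN_MD5 = {
    "41f4e23f96dbf7c3f02f88ab179ae124": "Bagle downloader RAR attachment",
    "dd6290422f7dec38ab5227767d3e5696": "123.EXE extracted from the RAR",
}

def match_known_md5(data):
    """Return the label for data whose MD5 is one of the quoted hashes, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# A hostname pinned to one of these addresses is unreachable from the machine.
SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active HOSTS entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line, not an address/host pair
        yield no, fields[0], fields[1:]

def suspicious_hosts_entries(text):
    """Return entries that sinkhole a hostname other than the local ones."""
    hits = []
    for no, addr, names in parse_hosts(text):
        blocked = [n for n in names if n.lower() not in LOCAL_NAMES]
        if addr in SINK_ADDRS and blocked:
            hits.append((no, addr, blocked))
    return hits

# Constructed HOSTS content: line 2 is the normal loopback entry, lines 3-4
# are the kind of block entries a tampering component adds (hostnames invented).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
0.0.0.0         update.av-vendor.example
"""

if __name__ == "__main__":
    print(match_known_md5(b"constructed placeholder bytes"))  # None: not a sample
    for no, addr, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS line {no}: {addr} -> {', '.join(names)}")
```

On a real machine the text passed to suspicious_hosts_entries would be read from the system HOSTS file, and any hit should be compared against the administrator's known, intentional entries before it is treated as tampering.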

This is a generic detection for several W32/Bagle variants. This worm spreads by mass mailing, normally installing a backdoor component on the infected machine. This backdoor component can be used by the virus author to either update the infection to a later version, or conversely can be updated to be used for sending "spam".

-- Update April 6, 2004 10:35 PST --
A new Bagle variant W32/Bagle.w@MM has been identified by Trend Micro. This is identified as W32/Bagle.gen@MM with compressed files scanning enabled from the 4333 DATs.

Symptoms

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32_BAGLE.W (Trend)
