W32/Bagle.g@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 02/29/2004
Length: Varies
Minimum DAT: 4330 (02/29/2004)
Updated DAT: 4331 (03/02/2004)
Minimum Engine: 5.1.00
Description Added: 02/29/2004
Description Modified: 03/03/2004 3:37 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This variant of W32/Bagle functions almost identically to the .F variant. There are only two differences:

  • The executable has been repackaged, so the .G binary differs on disk from the .F binary even though its behaviour is the same.
  • One of the process names the worm attempts to terminate has been altered:
    • OUTPOST.EXE -> OUTPOS1T.EXE
    Because the kill list now carries the misspelt name, a process actually named OUTPOST.EXE is no longer matched and is not terminated by this variant.

Like its predecessors, this worm checks the system date: if it is 25 March 2005 or later, the worm simply exits and does not propagate.

For all remaining details see the W32/Bagle.f@MM description.

Symptoms

See the W32/Bagle.f@MM description.

Method of Infection

See the W32/Bagle.f@MM description.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (press the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Delete the following files from your Windows System directory (typically C:\Windows\System or C:\Winnt\System32):
    go54o.exe
    i1ru54n4.exe
    ii5nj4.exe
    i1ru54n4.exeopen
  3. Edit the registry:
    • Delete the "rate.exe" value from
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Delete the key
      • HKEY_CURRENT_USER\Software\winword
  4. Reboot the system normally.
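
The four manual steps above, gathered into one audit-and-remove script. This is an added example, not a McAfee tool and not part of the original description; it assumes a PowerShell-capable Windows host (Windows 9x/ME has no PowerShell, so the manual steps still apply there), that it is run with administrative rights from Safe Mode, and that the currently logged-on user is the infected profile, since HKEY_CURRENT_USER is resolved for whoever runs the script. Without -Remove it only reports the indicators it finds.

```powershell
# Added example (not McAfee's code): audit and optionally remove the
# W32/Bagle.g@MM artefacts listed in the Manual Removal Instructions.
# Usage:  .\Remove-BagleG.ps1            # report only
#         .\Remove-BagleG.ps1 -Remove    # delete what is found
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# File names exactly as the description lists them; the trailing "open" on
# the last entry is the name the worm writes, not a typo introduced here.
$FileNames = @('go54o.exe', 'i1ru54n4.exe', 'ii5nj4.exe', 'i1ru54n4.exeopen')

# Candidate System directories: the running system's directory plus the
# legacy %SystemRoot%\System location named in the description.
$SystemDirs = @(
    [Environment]::SystemDirectory,
    (Join-Path $env:SystemRoot 'System')
) | Select-Object -Unique

$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName = 'rate.exe'
$WormKey = 'HKCU:\Software\winword'

$findings = New-Object System.Collections.Generic.List[string]

# Step 2: dropped executables in the System directory.
foreach ($dir in $SystemDirs) {
    foreach ($name in $FileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add("file: $path")
            if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
                Remove-Item -LiteralPath $path -Force
            }
        }
    }
}

# Step 3a: the "rate.exe" persistence value under the per-user Run key.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $RunName)) {
    $findings.Add("run value: $RunKey\$RunName = $($run.$RunName)")
    if ($Remove -and $PSCmdlet.ShouldProcess("$RunKey\$RunName", 'Delete registry value')) {
        Remove-ItemProperty -Path $RunKey -Name $RunName
    }
}

# Step 3b: the worm's own configuration key.
if (Test-Path -Path $WormKey) {
    $findings.Add("key: $WormKey")
    if ($Remove -and $PSCmdlet.ShouldProcess($WormKey, 'Delete registry key')) {
        Remove-Item -Path $WormKey -Recurse -Force
    }
}

# Summary. Step 4 (reboot normally) is left to the operator on purpose.
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bagle.g@MM artefacts found for the current user.'
} else {
    Write-Output ("Found {0} artefact(s):" -f $findings.Count)
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete them.' }
}
```

Because the persistence lives under HKEY_CURRENT_USER, a machine with several profiles needs the script run once per affected user (or the equivalent paths checked under HKEY_USERS); a clean report for one account says nothing about the others.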

Sniffer Customers:
Filters have been developed that will look for traffic for the .G, .H and .J variants of W32/Bagle [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.