W32/Bagle.l!proxy

Type: Virus
SubType: Win32
Discovery Date: 03/09/2004
Length: 14,848 bytes (UPX packed)
Minimum DAT: 4333 (03/03/2004)
Updated DAT: 4338 (03/15/2004)
Minimum Engine: 5.1.00
Description Added: 03/09/2004
Description Modified: 04/07/2004 9:04 AM (PT)
Risk Assessment - Corporate User: Low
Risk Assessment - Home User: Low

Characteristics

This variant is detected as W32/Bagle.gen@MM using the 4333 DATs (with scanning of compressed files enabled).

This variant does not mass-mail like previous variants.

It attempts to connect to various German and Russian websites and acts as a mail relay.

It attempts to disable various Antivirus programs.

Symptoms

The following files are dropped on to the %SYSDIR% folder:

  • System.exe - 19,968 bytes (DLL which acts as a mail relay)
  • iinj4.exe - 1,536 bytes (DLL which loads System.exe)
  • irun4.exe - 14,848 bytes (copy of itself)

The DLL files are detected as W32/Bagle.dll.gen with the 4333 DATs and above.

The DLLs are injected into the Explorer process.

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ssgrate.exe" = C:\WINNT\SYSTEM32\irun4.exe
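The dropped files and the Run value listed above are the host-based indicators a responder would check first. The script below is an added example, not McAfee's code: it takes two artefacts that can be collected offline from a suspect host, a text dump of the HKCU Run key (in the layout `reg query` prints) and a name/size listing of %SYSDIR%, and reports which of the indicators on this page are present. It also flags a dropped-file name whose size differs from the documented one, since that usually means a different variant rather than a clean host. The sample dump and listing are constructed; the size given for kernel32.dll is a placeholder.

```python
"""Offline indicator check for the W32/Bagle.l!proxy symptoms described above.

Added example (not McAfee's code). Inputs are constructed samples that mimic
a `reg query` dump of the HKCU Run key and a simple 'name size' listing of
%SYSDIR%; the check itself only uses the indicators stated in the description.
"""
from dataclasses import dataclass
import re

# Indicators from the description: dropped file name -> documented size in bytes.
DROPPED_FILES = {
    "system.exe": 19968,
    "iinj4.exe": 1536,
    "irun4.exe": 14848,
}
# Persistence: HKCU\...\Run value name and the file it points at.
RUN_VALUE_NAME = "ssgrate.exe"
RUN_VALUE_TARGET = "irun4.exe"


@dataclass(frozen=True)
class Finding:
    kind: str    # "registry" or "file"
    detail: str


def parse_run_key_dump(text: str) -> dict:
    """Parse `reg query` style output into {value name: data}.

    Data lines look like:  '    ssgrate.exe    REG_SZ    C:\\WINNT\\SYSTEM32\\irun4.exe'
    The key path header line has no REG_ type token and is skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def parse_dir_listing(text: str) -> dict:
    """Parse a 'name size' listing into {lowercased name: size in bytes}."""
    files = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            files[parts[0].lower()] = int(parts[1])
    return files


def check_indicators(run_entries: dict, sysdir_files: dict) -> list:
    """Return a Finding for every documented indicator present in the inputs."""
    findings = []
    # Persistence value: name "ssgrate.exe" whose data ends in \irun4.exe (case-insensitive).
    for name, data in run_entries.items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith("\\" + RUN_VALUE_TARGET):
            findings.append(Finding("registry", 'Run value "%s" = %s' % (name, data)))
    # Dropped files: report presence and whether the size matches the documented one.
    for fname, expected in DROPPED_FILES.items():
        size = sysdir_files.get(fname)
        if size is None:
            continue
        if size == expected:
            note = "size matches"
        else:
            note = "size %d differs from documented %d (possible other variant)" % (size, expected)
        findings.append(Finding("file", "%s: %s" % (fname, note)))
    return findings


# Constructed sample inputs resembling an infected host (sizes other than the
# documented Bagle files are placeholders).
SAMPLE_RUN_DUMP = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINNT\\system32\\ctfmon.exe
    ssgrate.exe    REG_SZ    C:\\WINNT\\SYSTEM32\\irun4.exe
"""
SAMPLE_SYSDIR_LISTING = """
kernel32.dll 123456
System.exe 19968
iinj4.exe 1536
irun4.exe 14848
"""

if __name__ == "__main__":
    found = check_indicators(parse_run_key_dump(SAMPLE_RUN_DUMP),
                             parse_dir_listing(SAMPLE_SYSDIR_LISTING))
    for f in found:
        print("%-8s %s" % (f.kind, f.detail))
```

On a clean host both parsers still run and `check_indicators` returns an empty list; the registry match is deliberately anchored on the value name plus the `irun4.exe` target so that an unrelated Run entry is not reported.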

Method of Infection

Execution of the infected file.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
