W32/Bagle@MM!cpl

Type: Virus
SubType: Email
Discovery Date: 11/03/2004
Length: Varies
Minimum DAT: 4404 (11/03/2004)
Updated DAT: 4685 (01/30/2006)
Minimum Engine: 5.1.00
Description Added: 11/03/2004
Description Modified: 09/12/2005 12:09 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update September 12, 2005 --
Multiple new variants of this threat were recently mass-spammed. Filenames include 1.cpl and price.cpl, and they may arrive in a ZIP file named newprice.zip, price_09.zip, price <some number>.zip, etc.

The variants seen thus far are non-functional and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to %windir%. The MD5 checksums of these new variants are 4fb426de872ee9b20c3312fae3adf018 and a2920da32385932c71ad2e4ed5e3e74e.

The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants.

Extra.dat files for W32/Bagle@MM!cpl and W32/Bagle.dam may be downloaded via the Extra.dat request page:
https://www.webimmune.net/extra/getextra.aspx

This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" (Control Panel applet) format. Since the detection covers many different variants, it is not possible to list specific details. For an example of one such variant, see W32/Bagle.bj@MM.
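The indicators above (lure filenames, ZIP archive names, and the two MD5 checksums) are the kind of thing a mail-gateway or incident responder turns into a triage rule. The following script is an added example and not McAfee's code: it opens an attachment as a ZIP archive, flags members that carry a .cpl extension or match the reported lure names, and compares each member's MD5 against the two hashes listed in the advisory. The archive-name pattern generalising newprice.zip / price_09.zip / "price <number>.zip" is an assumption of this example, and the sample ZIP is constructed in memory with placeholder content so the script runs offline.

```python
"""Attachment triage for the W32/Bagle@MM!cpl indicators (added example)."""
import hashlib
import io
import re
import zipfile

# MD5 checksums quoted in the advisory for the two September 2005 CPL variants.
KNOWN_MD5 = {
    "4fb426de872ee9b20c3312fae3adf018",
    "a2920da32385932c71ad2e4ed5e3e74e",
}

# Member filenames named in the advisory; the .cpl extension is the generic rule.
LURE_MEMBER_NAMES = {"1.cpl", "price.cpl"}

# Archive names from the advisory: newprice.zip, price_09.zip, "price <number>.zip".
# This regex is an assumption that generalises those three examples.
LURE_ARCHIVE_RE = re.compile(r"^(newprice|price[_ ]?\d*)\.zip$", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used only because the advisory lists MD5s)."""
    return hashlib.md5(data).hexdigest()


def triage_attachment(archive_name: str, archive_bytes: bytes) -> dict:
    """Inspect one ZIP attachment and report which indicator rules fired.

    The report records an archive-name match plus, per member, its MD5 and the
    list of reasons (cpl extension, known lure filename, hash match).
    """
    report = {
        "archive": archive_name,
        "archive_name_match": bool(LURE_ARCHIVE_RE.match(archive_name)),
        "members": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        # A mangled or non-ZIP attachment still deserves a look, but not by this rule.
        report["error"] = "not a valid ZIP archive"
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            digest = md5_hex(payload)
            base = info.filename.rsplit("/", 1)[-1].lower()
            reasons = []
            if base.endswith(".cpl"):
                reasons.append("cpl extension")
            if base in LURE_MEMBER_NAMES:
                reasons.append("known lure filename")
            if digest in KNOWN_MD5:
                reasons.append("md5 matches advisory")
            report["members"].append(
                {"name": info.filename, "md5": digest, "reasons": reasons}
            )
    return report


def is_suspicious(report: dict) -> bool:
    """True if the archive name or any member tripped at least one rule."""
    return report["archive_name_match"] or any(m["reasons"] for m in report["members"])


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a harmless placeholder named price.cpl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("price.cpl", b"PLACEHOLDER - constructed, not executable content")
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    rpt = triage_attachment("price_09.zip", build_sample_zip())
    print("suspicious:", is_suspicious(rpt))
    for m in rpt["members"]:
        print(f"  {m['name']:<12} md5={m['md5']} reasons={m['reasons']}")
```

Because the sample member is a placeholder, only the name-based rules fire on it; the hash rule fires only on the exact bytes the advisory fingerprinted, which is why a name or extension rule is the more durable gate for a generic family like this one and the hash list is the confirmation.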

Symptoms

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Email-Worm.Win32.Bagle.cs (AVP)
  • Troj/Dropper-BB (Sophos)
