W32/Bagle.gen@MM

-- Update November 23, 2005 --

A third new Bagle downloader has been received - again spammed out to users. This is also detected with the 4635 DATs as W32/Bagle.gen@MM . More details on these recent Bagle downloaders is posted here .

-- Update November 23, 2005 --

Two new Bagle downloaders have been spammed widely to users. They are likely to be received as a file named 1.EXE. Detection will be added to the 4635 DATs as W32/Bagle.gen@MM . More details are posted here .

-- Update April 14, 2005 --
There was a recent mass-mailing of a new Bagle downloader trojan variant.  It was sent in email messages containing .RAR attachments (MD5: 0x41f4e23f96dbf7c3f02f88ab179ae124), such as:

• Price.rar
• It_about_you.rar
• Forest.rar
• Fairy_tale.rar

Inside the RAR archives is a file named 123.EXE (MD5: 0xdd6290422f7dec38ab5227767d3e5696).  This file is detected as W32/Bagle.gen@MM with existing dat files [no update is required].  The EXE file installs a file that is detected as W32/Bagle.dll.gen with existing DAT files.  The goal of this dropped file is to terminate security software, overwrite the HOSTS file to prevent access to certain websites, and to check a list of 153 different websites, to download a file named osa.gif.  At the time of this writing, osa.gif was not present on any of the 153 servers.
--

This is a generic detection for several W32/Bagle variants. This worm spreads by mass mailing, normally installing a backdoor component on the infected machine. This backdoor component can be used by the virus author to either update the infection to a later version, or conversely can be updated to be used for sending "spam".

-- Update April 6, 2004 10:35 PST--
A new Bagle variant W32/Bagle.w@MM has been identified by Trend Micro. This is identified as W32/Bagle.gen@MM with compressed files scanning enabled from the 4333 DATs.

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.