Bagle.aq

First Report: 2004-08-09 19:19
Last Update: 2004-11-01 06:10
Risk Rating: Medium Risk

Aliases:
Bagle.AL
Bagle.AM
HTML_BAGLE.AC
I-Worm.Bagle.al
I-Worm/Bagle.AK
JS.Bagle.AG
JS/Dword.dr
JS/IllWill
JScript/IE.VM.Exploit
TR/RunMe.Dldr.1
TROJ_BAGLE.AC
W32.Beagle.AO@mm
W32.Beagle.AO@mm(Symantec)
W32/Bagle-AQ
W32/Bagle.AJ@mm
W32/Bagle.AM.worm
W32/Bagle.aq!zip
W32/Bagle.aq@MM
Win32.Bagle.AG
Win32/Bagle.AG.Worm
Win32/WDirect.DLL.Worm
Win32/WDirect.Trojan
WORM_BAGLE.AC
WORM_BAGLE.AC,Bagle.AG
WORM_ILLWILL.A
ZIP.Bagle.AG

Virus Alerts:
Secunia issued a MEDIUM RISK alert for this virus. 2004-08-09 23:37

Information From AntiVirus Vendors

Below you will find virus information from different antivirus vendors included in this Secunia Virus Profile. Information about the virus along with links to removal tools will be listed below when available.
The information provided is sorted by the date on which the information first became publicly available on the antivirus vendors' websites. The earliest available reports are displayed first. Please note timestamps are in GMT+1.
|

|
|
#1 - MCAFEE
W32/Bagle.aq@MM
Severity: 3/7
File Size: -
Reported: 2004-08-09 19:19
Last Update: 2004-08-16 23:36
Description:
The assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence. --
Full Report From Vendor
Removal Tool/Instructions

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-16 23:36
|
Severity was decreased from 4/7 to 3/7.
|
| |
|
|
2004-08-16 23:36
|
Description was changed.
New: "The assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence. --"
Old: "The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill. The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen. --"
|
| |
|
|
2004-08-09 23:59
|
Updated information about removal tool/instructions.
|
| |
|
|
2004-08-09 23:29
|
Description was changed.
New: "The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill. The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen. --"
Old: "Update August 9, 2004 - The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill. The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen."
|
| |
|
|
2004-08-09 21:39
|
Description was changed.
New: "Update August 9, 2004 - The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill. The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen."
Old: "Update August 9, 2004 - The HTML is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill."
|
| |
|
|
2004-08-09 21:14
|
Severity was raised from 2/7 to 4/7.
|
| |
|
|
2004-08-09 21:14
|
Description was changed.
New: "Update August 9, 2004 - The HTML is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill."
Old: "This is a mass-mailing worm which has the following characteristics:"
|
| |
|
|
2004-08-09 20:49
|
Description was changed.
New: "This is a mass-mailing worm which has the following characteristics:"
Old: "This is a mass-mailing worm with the following characteristics:"
|
| |
|
|
2004-08-09 20:09
|
Description was changed.
New: "This is a mass-mailing worm with the following characteristics:"
Old: "AVERT has received a sample of this threat and is currently in the process of analyzing it. Details will be posted when they are available. Please check back shortly. Top of Page"
|
|
|
|
|
|
#2 - COMPUTER ASSOCIATES
Win32.Bagle.AG
Severity: 4/5
File Size: 19,460
Reported: 2004-08-09 20:24
Last Update: 2004-11-01 06:07
Description:
Win32.Bagle.AG is a worm that spreads via e-mail and file sharing networks. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components:
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-10 09:09
|
Description was changed.
New: "Win32.Bagle.AG is a worm that spreads via e-mail and file sharing networks. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components:"
Old: "Win32.Bagle.AG is a worm that spreads via e-mail and file sharing networks. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components; the worm executable, an HTML file, an EXE dropper and a .DLL that contains a routine to download the worm."
|
| |
|
|
2004-08-10 07:54
|
Description was changed.
New: "Win32.Bagle.AG is a worm that spreads via e-mail and file sharing networks. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components; the worm executable, an HTML file, an EXE dropper and a .DLL that contains a routine to download the worm."
Old: "Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components; the worm executable, an HTML file, an EXE dropper and a .DLL that contains a routine to download the worm."
|
| |
|
|
2004-08-10 03:09
|
Severity was raised from 3/5 to 4/5.
|
| |
|
|
2004-08-10 03:09
|
Description was changed.
New: "Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of several components; the worm executable, an HTML file, an EXE dropper and a .DLL that contains a routine to download the worm."
Old: "Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of seval components, the worm executable, a HTML, an EXE dropper and a .DLL that contains routine to download the worm."
|
| |
|
|
2004-08-10 02:54
|
Description was changed.
New: "Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable. Bagle.AG consists of seval components, the worm executable, a HTML, an EXE dropper and a .DLL that contains routine to download the worm."
Old: "Win32.Bagle.AG is a worm spreading through e-mail system. The worm is 19,460-byte PEX-compressed Win32 executable. Bagle.AG consists of seval components, the worm executable, a HTML, an EXE dropper and a .DLL that contains routine to download the worm."
|
| |
|
|
2004-08-09 21:39
|
Description was changed.
New: "Win32.Bagle.AG is a worm spreading through e-mail system. The worm is 19,460-byte PEX-compressed Win32 executable. Bagle.AG consists of seval components, the worm executable, a HTML, an EXE dropper and a .DLL that contains routine to download the worm."
Old: "Win32.Bagle.AG is a worm spreading through e-mail system. Computer Associates has received many user reports. More details will be available soon. Bagle.AG consists of three components, a HTML, an EXE dropper and a .DLL that contains main features of this malware."
|
| |
|
|
2004-08-09 21:39
|
File size was changed.
New: "19,460"
Old: "N/A"
|
| |
|
|
2004-08-09 20:39
|
Description was changed.
New: "Win32.Bagle.AG is a worm spreading through e-mail system. Computer Associates has received many user reports. More details will be available soon. Bagle.AG consists of three components, a HTML, an EXE dropper and a .DLL that contains main features of this malware."
Old: "N/A"
|
|
|
|
|
|
#3 - TREND MICRO
WORM_BAGLE.AC
Severity: 2/3
File Size: -
Reported: 2004-08-09 20:33
Last Update: 2004-10-01 06:12
Description:
As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this BAGLE variant. Several infection reports indicate that it has been propagating rapidly in the United States.
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-10 15:39
|
Description was changed.
New: "As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this BAGLE variant. Several infection reports indicate that it has been propagating rapidly in the United States."
Old: "As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this WORM_BAGLE variant. Several infection reports indicate that it has been propagating rapidly in the United States."
|
| |
|
|
2004-08-10 05:09
|
Description was changed.
New: "As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this WORM_BAGLE variant. Several infection reports indicate that it has been propagating rapidly in the United States."
Old: "As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this WORM_BAGLE variant. Several infection reports indicates that it has been propagating rapidly in the United States."
|
| |
|
|
2004-08-10 02:33
|
Description was changed.
New: "As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this WORM_BAGLE variant. Several infection reports indicates that it has been propagating rapidly in the United States."
Old: "As of August 9, 2004, 11:30 AM PST, TrendLabs has declared a YELLOW alert to control the spread this WORM_BAGLE variant. Several infection reports indicates it is vastly spreading in the United States."
|
| |
|
|
2004-08-09 23:33
|
Description was changed.
New: "As of August 9, 2004, 11:30 AM PST, TrendLabs has declared a YELLOW alert to control the spread this WORM_BAGLE variant. Several infection reports indicates it is vastly spreading in the United States."
Old: "As of August 9, 2004, 11:30 AM PST, TrendLabs has declared a YELLOW alert to control the spread of WORM_BAGLE.AC. Several infection reports indicates that this mass-mailing worm is spreading in the United States."
|
| |
|
|
2004-08-09 23:13
|
Severity was raised from 1/3 to 2/3.
|
| |
|
|
2004-08-09 21:43
|
Description was changed.
New: "As of August 9, 2004, 11:30 AM PST, TrendLabs has declared a YELLOW alert to control the spread of WORM_BAGLE.AC. Several infection reports indicates that this mass-mailing worm is spreading in the United States."
Old: "As of August 9, 2004 PST, TrendLabs has declared a YELLOW alert to control the spread of WORM_BAGLE.AC. Several infection reports of this mass-mailing worm were received from the United States. Initial analysis indicates that this worm spreads via email."
|
|
|
|
|
|
#4 - F-SECURE
Bagle.AL
Severity: 2/3
File Size: 14848
Reported: 2004-08-09 20:42
Last Update: 2004-10-01 06:11
Description:
This Bagle variant was spammed widely on 9th of August, 2004.
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-09 22:38
|
Name was changed.
New: "Bagle.AL"
Old: "Bagle.al"
|
| |
|
|
2004-08-09 21:18
|
Severity was raised from N/A to 2/3.
|
| |
|
|
2004-08-09 21:08
|
Severity was raised from N/A to 2/3.
|
| |
|
|
2004-08-09 21:08
|
Severity was decreased from 2/3 to N/A.
|
|
|
|
|
|
#5 - TREND MICRO
TROJ_BAGLE.AC
Severity: 1/3
File Size: -
Reported: 2004-08-09 20:53
Last Update: 2004-10-01 06:13
Description:
This memory-resident Trojan arrives attached on email sent out by WORM_BAGLE.AC. It is packaged within a .ZIP file along with HTML_BAGLE.AC, which is designed to execute it automatically on infected systems.
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-10 14:39
|
Description was changed.
New: "This memory-resident Trojan arrives attached on email sent out by WORM_BAGLE.AC. It is packaged within a .ZIP file along with HTML_BAGLE.AC, which is designed to execute it automatically on infected systems."
Old: "This memory-resident Trojan is packaged as a ZIP-compressed file, which WORM_BAGLE.AC mass-mails, and executed automatically by HTML_BAGLE.AC."
|
| |
|
|
2004-08-09 23:03
|
Description was changed.
New: "This memory-resident Trojan is packaged as a ZIP-compressed file, which WORM_BAGLE.AC mass-mails, and executed automatically by HTML_BAGLE.AC."
Old: "TrendLabs has received several infection reports of this Trojan from the United States."
|
| |
|
|
2004-08-09 21:19
|
Severity was raised from N/A to 1/3.
|
| |
|
|
2004-08-09 21:19
|
Description was changed.
New: "TrendLabs has received several infection reports of this Trojan from the United States."
Old: "N/A"
|
| |
|
|
2004-08-09 21:13
|
Severity was decreased from 1/3 to N/A.
|
| |
|
|
2004-08-09 21:13
|
Description was changed.
New: "N/A"
Old: "TrendLabs has received several infection reports of this Trojan from the United States."
|
|
|
|
|
|
#6 - TREND MICRO
HTML_BAGLE.AC
Severity: 1/3
File Size: -
Reported: 2004-08-09 21:03
Last Update: 2004-10-01 06:13
Description:
This malicious HTML script arrives packaged with PRICE.EXE (detected by Trend Micro as TROJ_BAGLE.AC), which comes as an attachment in an email sent by WORM_BAGLE.AC.
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-08-10 00:13
|
Description was changed.
New: "This malicious HTML script arrives packaged with PRICE.EXE (detected by Trend Micro as TROJ_BAGLE.AC), which comes as an attachment in an email sent by WORM_BAGLE.AC."
Old: "TrendLabs has received infection reports of this malware from the United States."
|
|
|
|
|
|
#7 - MCAFEE
W32/Bagle.aq!zip
Severity: 2/7
File Size: 5,932 bytes
Reported: 2004-08-09 22:49
Last Update: -
Description:
This detection covers ZIP files mailed out by the W32/Bagle.aq@MM virus. For more information, see: http://vil.nai.com/vil/content/v_127423.htm
Full Report From Vendor
|
|
|
#8 - SYMANTEC
W32.Beagle.AO@mm
Severity: 2/5
File Size: -
Reported: 2004-08-09 23:41
Last Update: 2004-11-01 06:10
Description:
W32.Beagle.AO@mm is a mass-mailing worm that uses its own SMTP engine to spread. The email attachment is a downloader, similar to the Mitglieder family of Trojans, that downloads the worm from an external source. The worm also contains backdoor functionality, opening TCP port 80 and UDP port 80.
Full Report From Vendor
Removal Tool/Instructions

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-11-01 06:10
|
Severity was decreased from 3/5 to 2/5.
|
| |
|
|
2004-08-10 18:27
|
Description was changed.
New: "W32.Beagle.AO@mm is a mass-mailing worm that uses its own SMTP engine to spread. The email attachment is a downloader, similar to the Mitglieder family of Trojans, that downloads the worm from an external source. The worm also contains backdoor functionality, opening TCP port 80 and UDP port 80."
Old: "W32.Beagle.AO@mm is a mass mailing worm that uses its own SMTP engine to spread. The email attachment is a Mitglieder-like downloader that brings the worm from external sources."
|
| |
|
|
2004-08-10 18:27
|
Updated information about removal tool/instructions.
|
|
|
|
|
|
#9 - PANDA ANTIVIRUS
Bagle.AM
Severity: 2/4
File Size: -
Reported: 2004-08-10 00:05
Last Update: 2004-11-01 06:08
Description:
It opens a TCP port and listens to it. It ends processes belonging to antivirus update programs, among others.
Full Report From Vendor

ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-09-02 23:33
|
Severity was decreased from 3/4 to 2/4.
|
| |
|
|
2004-09-01 23:32
|
Severity was raised from 2/4 to 3/4.
|
| |
|
|
2004-08-25 23:38
|
Severity was decreased from 3/4 to 2/4.
|
| |
|
|
2004-08-24 23:38
|
Severity was raised from 2/4 to 3/4.
|
| |
|
|
2004-08-23 23:37
|
Severity was decreased from 3/4 to 2/4.
|
| |
|
|
2004-08-10 11:25
|
Description was changed.
New: "It opens a TCP port and listens to it. It ends processes belonging to antivirus update programs, among others."
Old: "It attempts to open a TCP port and listens to it. It ends processes belonging to antivirus update programs, among others."
|
| |
|
|
2004-08-10 08:40
|
Description was changed.
New: "It attempts to open a TCP port and listens to it. It ends processes belonging to antivirus update programs, among others."
Old: "N/A"
|
| |
|
|
2004-08-10 01:15
|
Severity was raised from 1/4 to 3/4.
|
|
|
|
|
|
Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.
The grouping process is done completely automatically, therefore minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.