F-Secure Virus Descriptions : Bagle.D
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
A new variant of the Bagle worm, Bagle.D, was found in the wild
on February 28th, 2004.
This is a minor variant of the Bagle.C worm, which was found roughly
12 hours earlier on the 28th.
Special Disinfection Tool
F-Secure has developed a special disinfection tool for this worm.
The tool will detect and remove an active Bagle infection from
the computer.
The Bagle removal tool can be downloaded in a ZIP file from:
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip
http://www.f-secure.com/tools/f-bagle.zip
The unpacked version is available from:
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt
http://www.f-secure.com/tools/f-bagle.exe
http://www.f-secure.com/tools/f-bagle.txt
Manual Disinfection
Manual disinfection of Bagle consists of the following steps:
1. Delete the registry value and restart the computer:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe]
2. Delete the worm's files from the Windows System Directory:
%SysDir%\readme.exe
%SysDir%\onde.exe
%SysDir%\doc.exe
There are very few differences in the C and D variants; they have the
same sizes and same functionality, and the emails sent by them are
identical. Mostly the virus has been modified to avoid detection by some
antivirus programs.
Also, the worm uses a mutex to detect that it has already installed itself
on the system. In Bagle.C, this is "imain_mutex". In Bagle.D, it's
"iain_m2".
Otherwise, the worms are very close to each other. For more details, please see
http://www.f-secure.com/v-descs/bagle_c.shtml
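The manual disinfection steps above and the mutex names of the two variants can be turned into a host check. The following PowerShell script is an added example, not F-Secure's removal tool and not part of the original description: it reports the Run value, the dropped files and the infection-marker mutex listed on this page, and with the hypothetical -Remove switch it applies the same manual steps. It assumes it is run on the suspect machine as the affected user (the Run value lives under HKCU) and that the mutex was created in a namespace the current session can see.

```powershell
# Added example (not F-Secure's f-bagle tool): report the Bagle.C/D indicators
# named in the description and optionally remove them as the manual steps do.
# Assumption: run as the affected user on the suspect host; -Remove is a
# hypothetical switch defined here, not an F-Secure option.
param([switch]$Remove)

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'gouday.exe'
$sysDir    = [Environment]::GetFolderPath('System')        # expands %SysDir%
$wormFiles = @('readme.exe', 'onde.exe', 'doc.exe') |
             ForEach-Object { Join-Path $sysDir $_ }
$mutexes   = @{ 'Bagle.C' = 'imain_mutex'; 'Bagle.D' = 'iain_m2' }

$findings = @()

# Step 1 of the manual procedure: the autorun value under HKCU\...\Run.
$val = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($val) {
    $findings += "Run value present: $runKey\$runValue = $($val.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# Step 2: the three files dropped into the Windows system directory. While the
# worm is still running its executable is locked, so a failed delete here means
# the restart from step 1 has not happened yet.
foreach ($f in $wormFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "Worm file present: $f"
        if ($Remove) {
            try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop }
            catch { $findings += "Could not delete $f (restart first, then rerun)" }
        }
    }
}

# Infection marker: OpenExisting only succeeds if some process already created
# the mutex, i.e. a copy of the worm is active. Only the names given in the
# description are checked, with no namespace prefix.
foreach ($variant in $mutexes.Keys) {
    $name = $mutexes[$variant]
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex '$name' exists: an active $variant process is likely"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # mutex not present in this session: nothing to report
    } catch [System.UnauthorizedAccessException] {
        # exists but owned by another security context: still a hit
        $findings += "Mutex '$name' exists but is not accessible: $variant suspected"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bagle.C/D indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Restart the computer, then rerun to confirm the files are gone.' }
}
```

Run it without -Remove first to see what is present; the mutex check is the only indicator that distinguishes a live process from leftover files, which is why the script checks both variant names even though the files and Run value are the same for C and D.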
Detection in F-Secure Anti-Virus was published on February 28th, 2004 in
update:
[FSAV_Database_Version]
Version=2004-02-28_04
Description:
Mikko Hypponen, February 28th, 2004;
F-Secure Corporation