F-Secure Virus Descriptions : Bagle.F


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Bagle.F
ALIAS: W32/Bagle.F, I-Worm.Bagle.F, W32/Bagle.F@mm
SIZE: 15872 bytes

Summary

Bagle.F was found in the wild on February 29th, 2004.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt

Manual Disinfection

Manual disinfection of Bagle consists of the following steps:

1. Delete the following value from the registry Run key, then restart the computer:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe]

2. After the restart, delete the worm's files from the Windows System Directory (%SysDir%):

 %SysDir%\i1ru74n4.exe
 %SysDir%\godo.exe
 %SysDir%\ii455nj4.exe




Detailed Description

This variant of Bagle sends varying emails, some of which carry a password-protected ZIP file with the password quoted in the message body, for example:

  From: random-email@address
  To: address@f-secure.com
  Subject: rebecca

  If I'm online, it problably means I'm pretty bored....
  so feel free to message me and say hi or whatever else comes to mind at the moment.
  archive password: 06458

  Attachment: Mary.zip (encrypted with password 06458)

The worm also carries a block of random data, so individual copies of the worm, and the ZIP files containing them, differ from one another.

Other subject lines seen include:

  Audra
  Bad girl
  beautiful
  Caitie
  Fotograf
  Gallery photos
  groom
  Juli
  kate
  My Name is Frenk
  Katrina
  Kelley
  kleopatra
  Mandy
  Mary-Anne
  My photos
  Myphotos
  Photoalbum
  Tammy

The message text and attachment name vary as well. The attachment is typically an EXE or SCR file, which may in turn be packed into a ZIP archive.

The infected attachment uses a folder icon, so a user can easily double-click it by mistake.
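As an added illustration (not F-Secure's code and not part of the original description), the Python below implements the kind of mail-gateway check this lure calls for: it lifts the archive password from the message body, opens the password-protected ZIP with it, and flags an executable inside. Python's zipfile module can read but not write traditional ZIP encryption, so the example carries its own ZipCrypto encryptor to build a sample archive. The message, the placeholder addresses, the archive and the 64-byte "executable" inside it are all constructed here and are not real Bagle.F samples.

```python
# Added example, not F-Secure's code: a mail-gateway check for the lure above,
# a password-protected ZIP whose password is quoted in the message body.
import binascii
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def _crc_step(crc, b):
    """One byte of the un-inverted CRC-32 that ZipCrypto's key schedule uses."""
    c = (crc ^ b) & 0xFF
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c ^ (crc >> 8)

class ZipCrypto:
    """Encrypt side of traditional PKWARE ZIP encryption (zipfile has the decrypt side)."""
    def __init__(self, pwd: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key schedule advances on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """Constructed sample: one stored, encrypted member.  The 12-byte encryption
    header ends in the CRC high byte, which readers use to check the password."""
    crc = binascii.crc32(data)
    body = ZipCrypto(pwd).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname = name.encode("cp437")
    t, d = 0, (2004 - 1980) << 9 | 2 << 5 | 29  # DOS time/date: 2004-02-29 00:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, t, d, crc,
                        len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, t, d, crc,
                          len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end

def build_sample_message(pwd: str, zip_bytes: bytes) -> bytes:
    """Constructed imitation of the lure quoted above; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "random-email@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "rebecca"
    msg.set_content("If I'm online, it problably means I'm pretty bored....\n"
                    "so feel free to message me and say hi or whatever else\n"
                    f"comes to mind at the moment.\narchive password: {pwd}\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="Mary.zip")
    return msg.as_bytes()

PASSWORD_RE = re.compile(r"archive password:\s*(\S+)", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr")

def inspect_message(raw: bytes) -> list:
    """Lift the password from the body, open each ZIP with it, flag executables inside."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    m = PASSWORD_RE.search(body.get_content() if body else "")
    pwd = m.group(1).encode() if m else None
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):
            continue
        f = {"attachment": part.get_filename(), "password_in_body": pwd is not None,
             "encrypted": False, "opened": False, "inner_executable": []}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                f["encrypted"] |= bool(zi.flag_bits & 0x1)
                try:
                    content = zf.open(zi, pwd=pwd).read()  # full read forces the CRC check
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # no password, or the wrong one: member stays opaque
                f["opened"] = True
                # MZ magic catches a renamed executable; the extension catches the usual names
                if content[:2] == b"MZ" or zi.filename.lower().endswith(EXECUTABLE_EXT):
                    f["inner_executable"].append(zi.filename)
        f["verdict"] = ("block" if f["inner_executable"] else
                        "quarantine" if f["encrypted"] and not f["opened"] else "allow")
        findings.append(f)
    return findings
```

Calling inspect_message(build_sample_message("06458", build_encrypted_zip("Mary.exe", b"MZ" + bytes(62), b"06458"))) yields a "block" verdict; with a wrong password quoted in the body the archive stays opaque and the verdict is "quarantine", which is the safe default for an encrypted archive a gateway cannot look into. The password_in_body field is worth a rule of its own: the only reason to encrypt an attachment and disclose the password in the same message is to get the payload past a scanner.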

For more information on Bagle, see:

http://www.f-secure.com/v-descs/bagle_c.shtml




Detection

Detection in F-Secure Anti-Virus was published on March 1st, 2004 in update:

[FSAV_Database_Version]

Version=2004-03-01_01




Description: Mikko Hypponen, February 28th, 2004

F-Secure Corporation