-- Update 13th April 2004 PDT --
This threat has had its risk assessment downgraded to Low-Profiled due to decreased prevalence.
-- Update 26th March 2004 03:21 PST --
This threat has had its risk assessment upgraded to Medium due to increased prevalence.
This is a new variant of W32/Bagle@MM. It is packed with FSG.
If you think that you may be infected with Bagle.u, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.
This variant mass-mails itself to recipients extracted from the victim machine. Addresses are harvested from the following files:
The mails are formatted as follows:
From: (spoofed - using one of the harvested email addresses)
Attachment: randomly named executable, with a .EXE extension
The worm does not mail itself to addresses containing the following:
Remote Access Component
The worm also opens a backdoor on the victim machine, listening on TCP port 4751.
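The listening port is the one host-level indicator this description gives that an administrator can check without a signature update. The following script is an added example (not McAfee's code or tooling) that parses Windows `netstat -an` output and flags sockets bound locally to TCP port 4751. The sample output embedded in it is constructed for the example, not captured from an infected host, and the severity labels returned by `assess()` are the example's own convention.

```python
import re
from typing import Dict, List

# Port the Bagle.u backdoor listens on, as stated in the advisory.
BAGLE_U_PORT = 4751

# Constructed sample of Windows "netstat -an" output (not from a real host).
# It mixes a normal RPC listener, the suspect listener, an inbound connection
# to the suspect port, an outbound web connection and an unrelated UDP socket.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:4751      192.168.1.77:3388      ESTABLISHED
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:4751           *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_host_port(endpoint: str):
    """Split 'host:port', handling IPv6 forms such as '[::]:4751' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_backdoor_indicators(netstat_text: str, port: int = BAGLE_U_PORT) -> List[Dict[str, str]]:
    """Return every TCP socket whose *local* port matches the backdoor port.

    Only the local side is checked: a host connecting *out* to a remote
    port 4751 is a client, not a machine running the listener.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, local, foreign, state = m.groups()
        if proto != "TCP":
            continue  # the advisory describes a TCP listener only
        _, local_port = split_host_port(local)
        if local_port != port:
            continue
        hits.append({"local": local, "foreign": foreign, "state": state or ""})
    return hits


def assess(netstat_text: str, port: int = BAGLE_U_PORT) -> str:
    """Collapse the hits into one of 'connected', 'listening' or 'clean'.

    An ESTABLISHED socket on the backdoor port means a remote party is
    already talking to it, which is the more urgent finding.
    """
    hits = find_backdoor_indicators(netstat_text, port)
    if any(h["state"] == "ESTABLISHED" for h in hits):
        return "connected"
    if any(h["state"] == "LISTENING" for h in hits):
        return "listening"
    return "clean"


if __name__ == "__main__":
    for hit in find_backdoor_indicators(SAMPLE_NETSTAT):
        print(f"{hit['local']:<24}{hit['foreign']:<24}{hit['state']}")
    print("assessment:", assess(SAMPLE_NETSTAT))
```

A port match is only an indicator: another program may legitimately bind 4751, and a worm that failed to bind (port already in use, firewall software blocking it) leaves no listener. Run `netstat -ano` to get the owning PID for each row, and confirm with an up-to-date scanner before treating a match as infection.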
The worm sends notification via HTTP to a remote script (notification contains port number and ID number). Users should block outgoing HTTP traffic to the following domain:
The exact functionality offered by this backdoor is under investigation. It is suspected that it may allow for the downloading and execution of other files (akin to that for W32/Mydoom.a@MM