Virus Profile: W32/Bagle@MM!cpl

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/3/2004
Date Added: 11/3/2004
Origin: Unknown
Length: Varies
Type: Virus
Subtype: Email
DAT Required: 4404
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Methods of Infection


Email-Worm.Win32.Bagle.cs (AVP), Troj/Dropper-BB (Sophos)

Virus Characteristics

-- Update September 12, 2005 --
Multiple new variants of this threat were recently mass spammed.  Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named ,, price some , etc

The variants seen thus far are non functional, and deemed a low risk.  The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%.  The md5 checksums of these new variants are 4fb426de872ee9b20c3312fae3adf018 and a2920da32385932c71ad2e4ed5e3e74e

The corrupt file is detected as W32/Bagle.dam.  Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants.

Extra.dat files for W32/Bagle@MM!cpl and W32/Bagle.dam may be downloaded via the Extra.dat request page:

This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.  Since the detection covers many different variants, it is not possible to list specific details.  For an example of one such variant, see W32/ .


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!