Bagle.BI (OK, turns out it was DI!)

My wife (foolishly, I admit) opened a ZIP file and ran the TEXT.EXE file within it. The email subject was New Prices. Doing some reading, this was a Bagle variant. Now, I ran NOD32 after she did this, and it found the Bagle.BI worm in two files. It cleaned them, but what I don't get is why it didn't stop the infection in the first place (yes, yes, she should not have run the file, I know!). I even scanned the TEXT.EXE file itself and NOD32 didn't detect anything. Unfortunately, she deleted the email and so I don't have the file any longer. But this is a relatively old virus, isn't it? I would have expected it to be stopped when the file was run.
Bagle.BI was added in definitions on June 26th of this year... Silly question perhaps... but you are up to date with latest definitions?
The email may have contained the dropper which was not detected until 1.220. See Marcos' answer in this thread, posts 6 & 8. https://www.wilderssecurity.com/showthread.php?t=98086
Yeah, well, this happened yesterday. Up to date, so it should have been caught by heuristics or the defs.
OK, after reading this TechWeb article it's clear it was BagleDI (http://www.techweb.com/wire/security/171000478)... which was new. But I'm surprised heuristics didn't catch this. Based on the read it's lucky I'm not using one of the BIG names (Symantec, McAfee, Kaspersky, etc.) as it was deleting registry keys for those ... Does NOD32 catch this now?