Bagle.BI

Discussion in 'NOD32 version 2 Forum' started by msanto, Sep 20, 2005.

Thread Status:
Not open for further replies.
  1. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    Bagle.BI (OK, turns out it was DI!)

    My wife (foolishly, I admit) opened a ZIP file and ran the TEXT.EXE file within it. The email subject was New Prices. Doing some reading, this was a Bagle variant.

    Now, I ran NOD32 after she did this, and it found the Bagle.BI worm in two files. It cleaned them, but what I don't get is why it didn't stop the infection in the first place (yes, yes, she should not have run the file, I know!).

    I even scanned the TEXT.EXE file itself and NOD32 didn't detect anything.

    Unfortunately, she deleted the email and so I don't have the file any longer. But this is a relatively old virus isn't it? I would have expected it to be stopped when the file was run.
     
    Last edited: Sep 21, 2005
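The attachment described in this post (a ZIP carrying TEXT.EXE under a plausible subject line) is the classic mass-mailer delivery vector, and the check a mail gateway or a cautious user would want is independent of any signature: look inside the archive and flag anything Windows would execute. The following is an added example, not code from this thread or from NOD32; the executable-extension list, the PE header check, and the constructed sample archive (a stand-in header, no real code) are all assumptions made for illustration. It flags members by extension, by MZ/PE magic regardless of extension, by trailing-space padding used to hide an extension, and by nesting another archive.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumption: a representative
# list chosen for this example, not taken from the post).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl",
}


def _looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _extension(name: str) -> str:
    """Lowercased final extension; trailing spaces are stripped so 'a.txt    .scr' is '.scr'."""
    base = name.rsplit("/", 1)[-1].rstrip()
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for every archive member a user should not be handed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            with zf.open(info) as member:
                head = member.read(0x200)  # magic checks only need the first bytes
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension " + ext))
            elif _looks_like_pe(head):
                findings.append((info.filename, "PE image with non-executable extension"))
            elif head[:4] == b"PK\x03\x04":
                findings.append((info.filename, "nested archive"))
    return findings


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE image: valid MZ and PE magic, no code at all."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed attachment modelled on the post: TEXT.EXE beside harmless-looking files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TEXT.EXE", _fake_pe())                          # the obvious case
        zf.writestr("prices.txt", b"New prices effective next week.\n")  # benign
        zf.writestr("invoice.txt" + " " * 40 + ".scr", _fake_pe())   # padded extension
        zf.writestr("readme.doc", _fake_pe())                        # PE with fake extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(repr(name), "->", reason)
```

Running it on the constructed archive reports three members and leaves prices.txt alone. Note that this is a gatekeeping check, not a replacement for definitions: it blocks the delivery form, which is why a mail filter that strips executables from archives would have stopped this sample even on the day a new variant appeared.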
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Bagle.BI was added in definitions on June 26th of this year...

    Silly question perhaps... but you are up to date with latest definitions?
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  4. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    doh! I knew I'd seen the BI earlier in the day... too long a day though.....
     
  5. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    Yes, silly question. ;)
     
  6. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    Yeah, well, this happened yesterday. Up to date, so it should have been caught by heuristics or the defs.
     
  7. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    OK, after reading this TechWeb article it's clear it was Bagle.DI (http://www.techweb.com/wire/security/171000478)... which was new. But I'm surprised heuristics didn't catch this. Based on the read it's lucky I'm not using one of the BIG names (Symantec, McAfee, Kaspersky, etc.) as it was deleting registry keys for those ...

    Does NOD32 catch this now?
     