WinNT/Bagle is a component of the greater Win32/Bagle multi-component family of malware. WinNT/Bagle provides advanced stealth functionality and anti-removal measures for this family.

Win32/Bagle is a family of mass-mailing worms that targets certain versions of Microsoft Windows. The worm spreads primarily through e-mail, though some variants also spread through peer-to-peer networks. The worm acts as a backdoor Trojan, allowing an attacker to access a computer that it has infected. The backdoor can be used to distribute other malicious software. Some variants of Win32/Bagle infect executable files.

Win32/Bagle.BA@mm!CME-477 is a mass-mailing worm. The worm spreads by sending a copy of itself as an e-mail attachment to e-mail addresses that it finds on the host computer. Win32/Bagle.BA@mm!CME-477 also spreads by copying itself to folders containing the string 'shar' in the folder name.

Win32/Bagle.AK@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

Win32/Bagle.AL@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

Win32/Bagle.AN@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

Win32/Bagle.AR@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

Win32/Bagle.AW@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers. One variant of Win32/Bagle.AW@mm injects the worm code into all Windows executable files on an infected computer.

Win32/Bagle.EG@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is sent in a password protected zip file along with the password for the user to unzip the file.  The worm monitors a random TCP port for instructions from remote attackers.

Win32/Bagle.AI is a backdoor Trojan that injects itself into Windows Explorer. This stops the SharedAccess service, terminates processes with certain file names, and downloads and executes instructions from certain URLs.

Win32/Bagle.L@mm is a backdoor Trojan that injects itself in Windows Explorer. The Trojan monitors a random TCP port for instructions from attackers.

Win32/Bagle.O is a backdoor Trojan that injects itself in Windows Explorer. The Trojan monitors a random TCP port for instructions from attackers.

TrojanDownloader:Win32/Bagle.gen!A is the generic detection for trojans that download worms from the Win32/Bagle family. They are usually distributed as attachments of spammed e-mail messages. They may also change certain system settings.

Win32/Bagle.X@mm!CME-328 is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds in certain files on the infected computer. The worm is activated when the e-mail recipient opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

 

This threat was assigned CME ID 328.

Worm:Win32/Bagle.ZD@mm is a mass-mailing e-mail worm that attempts to download and run arbitrary files from remote Web sites. Worm:Win32/Bagle.ZD@mm collects e-mail address from the local drive and also obtains e-mail addresses by checking Web site URLs included in the worm's code. The worm attempts to terminate the Windows Automatic Update service and modifies the System Registry in an attempt to disable booting into Safe Mode.

Worm:Win32/Bagle@mm!zip is detection for e-mail containing password-protected zip file attachments associated with the Win32/Bagle family. The Win32/Bagle family spreads primarily through e-mail, though some variants also spread through peer-to-peer networks. The worm acts as a backdoor Trojan, allowing an attacker to access a computer that it has infected. The backdoor can be used to distribute other malicious software. Some variants of Win32/Bagle infect executable files.

TrojanDownloader:Win32/Bagle.ACB is a member of Win32/Bagle - a multicomponent family of worms that may spread via email and peer to peer file sharing networks. Win32/Bagle may also contain backdoor functionality that allows unauthorized access to an affected machine, and may download and execute arbitrary files.

Win32/Bagle.BD@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses that it finds on the infected computer. The worm is activated when the user opens the attachment. The worm monitors a random TCP port for instructions from remote attackers.

TrojanDownloader:Win32/Bagle.ABQ is a trojan that terminates security applications, installs Trojan:WinNT/Bagle.A and downloads Worm:Win32/Bagle.gen!C.