
W32/Mitglieder.CD.fam!tr - Released Mar 04, 2005 - Last Updated Mar 13, 2007

Alias/es

CME-766, Email-Worm.Win32.Bagle.pac [KAV], I-Worm/Bagle.BX [AVG], Trj/Mitglieder.BO [Panda], Troj/BagleDL-Q [Sophos], Trojan.Tooso.E [NAV], W32/Bagle.BL-mm [Fortinet], W32/Mitglieder.CD.gen!tr

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient     -                  -
FortiMail       N/A

Visible Symptoms

Symptoms vary among the following -

  • termination of security applications

  • firewall alerts that an unregistered application is attempting to access the Internet using HTTP

  • system slowdown due to heavy network traffic usage by the virus on a compromised system

This threat may be identified as "W32/Bagle.BL-mm" with earlier AV db updates.

Detailed Analysis

This is a generic detection for a family of Bagle dropper Trojans named Mitglieder. This family of Trojans attempts to drop Bagle onto the system, and also attempts to download files from hard-coded web servers. The files are retrieved as either a .GIF or .JPG file, then renamed to .EXE and run. In many cases, the files are either removed or are not in place.

May 31 2005:
Another rash of variants was distributed today as attachments under various names. All known variants are still identified generically. These variants attempt to retrieve "OSA.GIF" from hard-coded web addresses, and also attempt to terminate running processes or applications.

The variants are known to have been distributed by email under names such as these -

19_04_2005.exe
20_04_2005.exe
01_05_2005.exe
02_05_2005.exe
03_05_2005.exe
06_05_2005.exe
16_05_2005.exe
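The behaviour described in the Detailed Analysis (a payload fetched under a .GIF or .JPG name that is really an executable, and hosted files that are often already gone) and the DD_MM_YYYY.exe attachment names listed above both lend themselves to simple defensive checks. The following is an added Python example written for this entry, not Fortinet code or a Fortinet signature: it flags attachment names that match the date-like pattern of the listed names, and it compares the extension a URL claims against the leading bytes of the response body to spot a PE file disguised as an image. The hostnames, response bodies and attachment list in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Heuristic derived from the attachment names listed in this entry
# (e.g. 19_04_2005.exe): two digits, underscore, two digits, underscore,
# four digits, ".exe". Illustrative pattern only, not a Fortinet signature.
ATTACHMENT_NAME_RE = re.compile(r"^\d{2}_\d{2}_\d{4}\.exe$", re.IGNORECASE)

# Leading bytes ("magic numbers") of the file types involved. Real GIF and
# JPEG files begin with these; a Windows PE executable begins with "MZ".
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),
}

# Extensions the dropper is described as using to disguise its payload,
# mapped to the sniffed type they should correspond to.
IMAGE_EXTENSIONS = {"gif": "gif", "jpg": "jpg", "jpeg": "jpg"}


def is_suspicious_attachment_name(filename: str) -> bool:
    """True when an e-mail attachment name matches the DD_MM_YYYY.exe pattern."""
    return ATTACHMENT_NAME_RE.match(filename.strip()) is not None


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring any claimed extension."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return "unknown"


def claimed_extension(url: str) -> str:
    """Extension implied by the URL path (lower-cased, without the dot)."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_download(url: str, body: bytes) -> str:
    """Compare what the URL claims to be with what the bytes actually are.

    Returns one of:
      "empty_or_missing"         - nothing came back (the entry notes the
                                   hosted files are often removed)
      "consistent"               - extension and content agree
      "pe_masquerading_as_image" - .gif/.jpg URL whose body is a PE executable
      "mismatch"                 - they disagree in some other way
    """
    if not body:
        return "empty_or_missing"
    ext = claimed_extension(url)
    expected = IMAGE_EXTENSIONS.get(ext, ext)
    actual = sniff_type(body)
    if actual == expected:
        return "consistent"
    if ext in IMAGE_EXTENSIONS and actual == "exe":
        return "pe_masquerading_as_image"
    return "mismatch"


def scan_transfers(transfers):
    """Return the URLs of transfers that should raise an alert."""
    return [url for url, body in transfers
            if classify_download(url, body) == "pe_masquerading_as_image"]


# Constructed sample HTTP transfers (url, response body). The hostnames and
# payloads are made up for this example; the "MZ" body stands in for a PE file.
SAMPLE_TRANSFERS = [
    ("http://images.example.invalid/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("http://cdn.example.invalid/osa.gif", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),
    ("http://cdn.example.invalid/banner.gif", b"GIF89a\x01\x00\x01\x00"),
    ("http://cdn.example.invalid/osa.gif", b""),
]

# Constructed attachment names mixing the listed pattern with benign names.
SAMPLE_ATTACHMENTS = ["19_04_2005.exe", "quarterly_report.pdf",
                      "02_05_2005.EXE", "setup.exe"]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:24} suspicious={is_suspicious_attachment_name(name)}")
    for url, body in SAMPLE_TRANSFERS:
        print(f"{url:45} {classify_download(url, body)}")
    print("alerts:", scan_transfers(SAMPLE_TRANSFERS))
```

The magic-byte check is the more durable of the two: attachment names change from wave to wave (the list above already spans several dates), whereas a PE header sitting behind an image extension is a property of the technique itself and can be checked on a proxy or mail gateway without knowing the specific variant.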

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Reference: ID - 36840