w32/bagle.QI

I have reports avast is unable to detect this variant of the virus. Can Alwil please confirm?

thanks


Hopefully, avast will detect this variant.

Maybe an official avast team member can make a comment?


The problem is there is no way to compare, as malware names aren’t the same from one AV to the next, so a sample would be the only way to compare, e.g. by sending it to VirusTotal and avast.

We can’t do anything without having the sample… since Beagle is packed with Themida, it is always a new instance from piece to piece… also the naming convention is not consistent enough, and it is not easy (or it is impossible) to guess which sample is the right one…

I don’t know if it is still current practice, but there used to be at least one well-known AV company (Nod and a Wink) that detected all files packed with Themida as Unwanted (PUP); this goes back a couple of years, so I don’t know if the practice still exists.

I found the above using my friend Google, searching on Themida; the one at Wilders was the most prominent one.

Or should we consider some such intervention on Themida packed files (perhaps where the file size is below a certain size).
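As an added illustration of the heuristic discussed above (not code from this thread or from Alwil), the following Python walks a PE file's section table and flags small files whose section names match a configured list of packer sections. The section names in SUSPECT_SECTION_NAMES and the size threshold are assumptions for the example; the thread names the packer but not its on-disk markers, so the list should be replaced with whatever your own analysis confirms. The PE blob used for testing is constructed inline and is not a real sample.

```python
import struct

# Assumed packer section names for this example; verify against real
# samples before relying on them. The thread does not list these.
SUSPECT_SECTION_NAMES = {b".themida", b".winlice"}
# Only flag small files, as the thread suggests (assumed threshold).
SIZE_THRESHOLD = 512 * 1024


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER follows the signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    # SizeOfOptionalHeader(2), Characteristics(2).
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break  # truncated section table: stop rather than read past EOF
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(data: bytes) -> str:
    """Classify a file as 'not-pe', 'suspect-packed' or 'clean'."""
    names = pe_section_names(data)
    if not names:
        return "not-pe"
    if len(data) <= SIZE_THRESHOLD and any(
        n.lower() in SUSPECT_SECTION_NAMES for n in names
    ):
        return "suspect-packed"
    return "clean"


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE-shaped blob for testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT headers at 0x40
    # Signature + IMAGE_FILE_HEADER with SizeOfOptionalHeader = 0.
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + nt + sections


if __name__ == "__main__":
    for label, blob in [
        ("packed", build_fake_pe([b".text", b".themida"])),
        ("plain", build_fake_pe([b".text", b".data"])),
        ("junk", b"not a pe file"),
    ]:
        print(label, classify(blob))
```

A section-name check is a cheap triage signal, not a verdict: legitimate software is also protected with commercial packers, which is why the thread frames such a rule as flagging files as unwanted rather than as malware, and why the size threshold is there to narrow it.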

It will be safer. I second this. More if we think that Bagle could destroy avast installation.

Users can use this tool against bagle variants:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011916-0524-99

polonus

The F-Bagle utility disinfects computers infected with certain Bagle worm variants. Please see the readme.txt file for more information.
Download: http://www.f-secure.com/tools/f-bagle.zip
Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

The unpacked version is available from here:
Download: http://www.f-secure.com/tools/f-bagle.exe
Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
Readme: http://www.f-secure.com/tools/f-bagle.txt
Readme: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt