An email dropped into my ‘suspicious’ folder today which is where emails that are not picked up by my AV, Junk Filter or known filters.

When I first saw the name of the attachment I recognized it as a variant of the Bagle Virus, but wondered why AVG had not picked it up.
I had seen similar email a few months back and again AVG didn’t catch it on its first pass. I say first pass because after doing a manual Virus Database update, the new definitions did find it. I did the same today and AVG identified it as a new variant of the Bagle (TR/Bagle.CR).

So first things first, if you have your AV application set to perform an update only once a day, I would recommend that you configure it to do at least twice, or if you receive a lot of emails, maybe 4 times a day. (Your AV server might not like this because it would put 4 x the load on its service, but hey, I pay them a subscription to keep my PC protected, and if they issue new updates AFTER I have updated, how am I meant to know).

In the case of TR/Bagle.CR, it appears that most of the big guns issued an update today, only Fortinet had it marked as suspicious prior to today. In the case of Fortinet, they had it covered 12 days ago.

It appears that 5 new variants of Bagle hit the street today.

If you ever receive a file attachment and you are suspicious of it and you have the confidence to save it to your hard drive WITHOUT opening or executing it, you should consider uploading it to a site like VirusTotal

Results of a file scan

This is a report processed by VirusTotal on 09/19/2005 at 21:41:22 (CET) after scanning the file “” file.

Antivirus Version Update Result
AntiVir 09.19.2005 TR/Bagle.CR
Avast 4.6.695.0 09.19.2005 Win32:Beagle-DV
AVG 718 09.19.2005 I-Worm/Bagle
Avira 09.19.2005 TR/Bagle.CR
BitDefender 7.2 09.19.2005 Win32.Bagle.CJ@mm
CAT-QuickHeal 8.00 09.19.2005 Bagle.da
ClamAV devel-20050917 09.19.2005 Worm.Bagle.Gen-3
DrWeb 4.32b 09.19.2005 Win32.HLLM.Beagle.36864
eTrust-Iris 09.18.2005 no virus found
eTrust-Vet 09.19.2005 no virus found
Fortinet 09.07.2005 suspicious
F-Prot 3.16c 09.19.2005 security risk named W32/Mitglieder.FF
Ikarus 09.19.2005 no virus found
Kaspersky 09.19.2005 Email-Worm.Win32.Bagle.da
McAfee 4584 09.19.2005 no virus found
NOD32v2 1.1221 09.19.2005 Win32/Bagle.BI
Norman 5.70.10 09.19.2005 no virus found
Panda 8.02.00 09.19.2005 Trj/Mitglieder.EX
Sophos 3.97.0 09.19.2005 Troj/BagleDl-U
Symantec 8.0 09.18.2005 no virus found
TheHacker 09.19.2005 no virus found
VBA32 3.10.4 09.19.2005 no virus found