Bagle Family Table

This is an overview of Bagle worm versions, at least that I have a sample for. VGrep is a similar tool, but the online version is not up to date at the moment. Date of tests: Mar 30 2004 and Mar 31 2004.

Version	Length*	MD5**	AntiVir	AVG	BitDefender	ClamAV	Dr.Web	Kaspersky	RAV	Symantec	Trend Micro
Bagle.A	15872	e65d7ab639a2361493d388e36d1e663a	Worm/Bagle.A	I-Worm/Bagle.A	Win32.Bagle.A@mm	Worm.Bagle.Gen-dll	Win32.HLLM.Beagle.15872	I-Worm.Bagle	Win32/Bagle.A@mm	W32.Beagle.A@mm	WORM_BAGLE.A
Bagle.B	11264	f4cc1b17617b9cfcfeb90e73356b8639	Worm/Bagle.B	I-Worm/Bagle.B	Win32.Bagle.B@mm	Worm.YoursID	Win32.HLLM.Beagle.16896	I-Worm.Bagle.b	Win32/Bagle.B@mm	W32.Beagle.B@mm	WORM_BAGLE.B
Bagle.F	22528	a6f497b1c65938f4dc301b575bde2bc9	Worm/Bagle.F	I-Worm/Bagle.F	Win32.Bagle.F@mm	Worm.Bagle.Gen-2	Win32.HLLM.Beagle.36352	I-Worm.Bagle.f	Win32/Bagle.F@mm	W32.Beagle.F@mm	WORM_BAGLE.F
Bagle.G	22528	482adf0f87ba5ae87051186d2d36ff61	Worm/Bagle.G	I-Worm/Bagle.G	Win32.Bagle.G@mm	Worm.Bagle.Gen-2	Win32.HLLM.Beagle.36352	I-Worm.Bagle.k	Win32/Bagle.F@mm	W32.Beagle.G@mm	WORM_BAGLE.G
Bagle.H	20480	9bc85e36c6b38a513f5db383c86a2a77	Worm/Bagle.H	I-Worm/Bagle.H	Win32.Bagle.H@mm	Worm.Bagle.Gen-2	Win32.HLLM.Beagle.32256	I-Worm.Bagle.g	Win32/Bagle.H@mm	W32.Beagle.H@mm	WORM_BAGLE.H
Bagle.I	20480	de54975e3a1cb41dfdf9c8cc5f9cc7df	Worm/Bagle.I	I-Worm/Bagle.I	Win32.Bagle.I@mm	Worm.Bagle.Gen-2	Win32.HLLM.Beagle.32256	I-Worm.Bagle.h	Win32/Bagle.I@mm	W32.Beagle.I@mm	WORM_BAGLE.I
Bagle.J	12288	58f05e9519b3bd825fd6af936f4b2aed	Worm/Bagle.J	I-Worm/Bagle.J	Win32.Bagle.J@mm	Worm.Bagle.Gen-1	Win32.HLLM.Beagle.based	I-Worm.Bagle.i	Win32/Bagle.J@mm	W32.Beagle.J@mm	WORM_BAGLE.J
Bagle.K	12288	664639d6cfd21a0bdaefc4544a5f9e7f	Worm/Bagle.K	I-Worm/Bagle.K	Win32.Bagle.K@mm	Worm.Bagle.Gen-1	Win32.HLLM.Beagle.based	I-Worm.Bagle.j	Win32/Bagle.K@mm	W32.Beagle.K@mm	WORM_BAGLE.K
Bagle.N	20480	be162b40ec5bc7a73846d11ad37399b3	Worm/Bagle.O	I-Worm/Bagle.N	Win32.Bagle.M@mm	Worm.Bagle.N	Win32.HLLM.Beagle.based	I-Worm.Bagle.n	Win32/Bagle.O@mm	W32.Beagle.M@mm	PE_BAGLE.N-O
Bagle.P	44032	67ed6a8ed92db6a4f965e69ca60abd4d	W32/Bagle.P.1	I-Worm/Bagle.O	Win32.Bagle.O@mm	Worm.Bagle.P	Win32.HLLM.Beagle.61440	I-Worm.Bagle.o	Win32/Bagle.P@mm	W32.Beagle.N@mm	PE_BAGLE.P-O
Bagle.U	8208	bbe239359da199a09abff39452c1f3e0	Worm/Bagle.U.2	I-Worm/Bagle.U	Win32.Bagle.U@mm	Worm.Bagle.U	Win32.HLLM.Beagle.18432	I-Worm.Bagle.s	Win32/Bagle.U@mm	W32.Beagle.U@mm	WORM_BAGLE.U

*Most Bagle versions add variable sized garbage to the file, so the actual size is larger.
**MD5 hash of the first n bytes of the executable file, where n is the value in the Length column. Note that Bagle.N and Bagle.P are polymorphic when infect files (virus mode), but not in other cases.

Here are the various icons of the worm executables:

Bagle.A has a calculator icon, Bagle.B looks like an audio file, Bagle.F,G,H and I are like a folder, Bagle.J and K are like a WordPad document, Bagle.N is like a TrueType font, Bagle.P is like a Notepad document and Bagle.U has a clock icon.