
W32.Beagle.C@mm

Risk Level 2: Low

Discovered: February 28, 2004
Updated: February 28, 2004 9:58:53 PM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

W32.Beagle.C@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as an e-mail attachment; the subject of the carrying message may be one of the following:

* Accounts department
* Ahtung!
* Camila
* Daily activity report
* Flayers among us
* Freedom for everyone
* From Hair-cutter
* From me
* Greet the day
* Hardware devices price-list
* Hello my friend
* Hi!
* Jenny
* Jessica
* Looking for the report
* Maria
* Melissa
* Monthly incomings summary
* New Price-list
* Price
* Price list
* Pricelist
* Price-list
* Proclivity to servitude
* Registration confirmation
* The account
* The employee
* The summary
* USA government abolishes the capital punishment
* Weekly activity report
* Well...
* You are dismissed
* You really love me? he he
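The subject lines above are fixed strings, so a mail gateway can match them exactly. The following is an added example, not Symantec's tooling or the worm's code: it parses a message, checks the Subject against the list from this write-up, and flags the message only when it also carries a file attachment (the write-up does not name the attachment's file name or extension, so none is assumed). The sample messages are constructed with Python's email package.

```python
"""Mail-gateway check for W32.Beagle.C@mm lures: flag a message whose Subject
exactly matches one of the subject lines in the write-up and that carries a
file attachment.  Added example, not Symantec's tooling; sample messages are
constructed."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines from the write-up, lower-cased for comparison.
BEAGLE_C_SUBJECTS = {s.lower() for s in (
    "Accounts department", "Ahtung!", "Camila", "Daily activity report",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me",
    "Greet the day", "Hardware devices price-list", "Hello my friend", "Hi!",
    "Jenny", "Jessica", "Looking for the report", "Maria", "Melissa",
    "Monthly incomings summary", "New Price-list", "Price", "Price list",
    "Pricelist", "Price-list", "Proclivity to servitude",
    "Registration confirmation", "The account", "The employee", "The summary",
    "USA government abolishes the capital punishment", "Weekly activity report",
    "Well...", "You are dismissed", "You really love me? he he",
)}


def subject_is_lure(subject):
    """True when the Subject header, trimmed and lower-cased, is one of the
    worm's fixed subject lines.  Exact match only: these are short, generic
    phrases and substring matching would be far too noisy."""
    return (subject or "").strip().lower() in BEAGLE_C_SUBJECTS


def classify(raw_message):
    """Return the subject verdict, the attachment file names, and an overall
    'suspicious' flag (lure subject AND at least one attachment)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    lure = subject_is_lure(msg["Subject"])
    return {
        "subject_hit": lure,
        "attachments": attachments,
        "suspicious": lure and bool(attachments),
    }


def build_sample(subject, attachment_name=None):
    """Construct a test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    if attachment_name:
        # Placeholder bytes standing in for an executable attachment.
        m.add_attachment(b"MZ\x90\x00 constructed placeholder bytes",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in (("Price-list", "price.exe"), ("Price-list", None),
                       ("Lunch?", "menu.pdf")):
        print(subj, name, classify(build_sample(subj, name)))
```

Because subjects such as "Price" or "Hi!" occur in legitimate mail, the subject match is only one signal; the attachment requirement keeps plain-text messages with those subjects from being flagged.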

When the attachment is run, it first checks the system date and terminates if the date is later than March 14, 2004. Otherwise, it creates a mutex (mutual exclusion object) named "imain_mutex" so that only one instance of the worm runs at a time. If the worm was not executed from the binary "%System%\readme.exe", "notepad.exe" may be launched; this typically happens the first time the executable is run. It then attempts to create the following files:

* %System%\onde.exe (18,944 bytes) - The mass-mailing component of W32.Beagle.C@mm, a DLL file that may be detected as W32.Beagle.A@mm
* %System%\doc.exe (1,536 bytes) - The loader of onde.exe, also a DLL file
* %System%\readme.exeopen (15,994 bytes) - ZIP file

The DLL "onde.exe" is then injected into the process space of "explorer.exe". Running the SMTP engine inside explorer.exe lets it slip past software firewalls that filter by process, because the outbound mail traffic appears to originate from a trusted system process.

To make W32.Beagle.C persistent, the worm adds the value:

"gouday.exe"="%System%\readme.exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This causes W32.Beagle.C to be executed whenever the system is booted. W32.Beagle.C then generates a unique identifier for the infected host and chooses the TCP port number (2745 by default) on which its backdoor server will listen. This information is stored in the registry: the values

"uid"="[Random Value]"
"port"="2745"
"frun"="1"

are added to the registry key:

HKEY_CURRENT_USER\SOFTWARE\DateTime2
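The two registry locations above are the most durable host-side indicators in this write-up: the "gouday.exe" value under the user's Run key and the "uid"/"port"/"frun" values under the DateTime2 key. The script below is an added example, not Symantec's tooling: it parses a Windows .reg export (as produced by "regedit /e" or "reg export") and reports those indicators, and it reads the configured backdoor port so that it can be fed into a network check. The two .reg fragments are constructed, and the uid in them is made up.

```python
"""Parse a Windows .reg export and flag the W32.Beagle.C@mm persistence and
configuration values named in the write-up.  Added example (not Symantec's
tooling); the .reg fragments are constructed and the uid is made up."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DATETIME2_KEY = r"HKEY_CURRENT_USER\SOFTWARE\DateTime2"
RUN_VALUE_NAME = "gouday.exe"      # value name the worm adds under Run
DROPPED_BINARY = "readme.exe"      # %System%\readme.exe, the Run value's data
DEFAULT_BACKDOOR_PORT = 2745

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}.  Only REG_SZ data ("...") is
    unescaped; dword:/hex: data is kept as raw text, and multi-line hex
    values (lines ending in a backslash) are not reassembled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])   # \\ -> \ and \" -> "
            keys[current][name] = data
    return keys


def find_beagle_c_indicators(keys):
    """Return human-readable findings; an empty list means no indicator seen."""
    findings = []
    by_path = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    for name, data in by_path.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value name {name!r} (data {data!r})")
        elif data.lower().endswith("\\" + DROPPED_BINARY):
            findings.append(f"Run value {name!r} launches {DROPPED_BINARY}: {data!r}")
    config = by_path.get(DATETIME2_KEY.lower())
    if config is not None:
        present = [n for n in ("uid", "port", "frun") if n in config]
        findings.append(f"{DATETIME2_KEY} present with values {present}")
    return findings


def backdoor_port(keys):
    """Port the backdoor listens on: the 'port' value under DateTime2 if it
    parses as an integer, else the write-up's default of 2745."""
    by_path = {k.lower(): v for k, v in keys.items()}
    port = by_path.get(DATETIME2_KEY.lower(), {}).get("port", "")
    return int(port) if port.isdigit() else DEFAULT_BACKDOOR_PORT


# Constructed sample exports (the uid is made up).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"gouday.exe"="C:\\WINDOWS\\System32\\readme.exe"

[HKEY_CURRENT_USER\SOFTWARE\DateTime2]
"uid"="1839482017"
"port"="2745"
"frun"="1"
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        k = parse_reg_export(text)
        print(label, find_beagle_c_indicators(k), "backdoor port", backdoor_port(k))
```

The Run value name is the precise signal; matching on a data path ending in "\readme.exe" is a looser heuristic and is reported separately so an analyst can weigh it.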

The backdoor is then started and listens on the specified port. The worm then reports the unique identifier, the backdoor port number and the IP address of the infected host to one of three web servers, on TCP port 80:

* permail.uni-muenster.de
* www.songtext.net/de
* www.sportscheck.de
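The check-in described above gives a defender two network-side signs to correlate: an HTTP request from an internal host to one of the three servers on port 80, and a TCP listener on the backdoor port (2745 unless the "port" registry value says otherwise). The script below is an added example, not Symantec's tooling; it assumes a proxy log whose fields are timestamp, client address, method and URL, and a Windows "netstat -ano"-style listing. Both inputs are constructed. The write-up does not give the request format the worm uses, so the check matches on host and port only.

```python
"""Added example (not Symantec's tooling): look for the two network-side
signs of W32.Beagle.C@mm given in the write-up, an HTTP check-in to one of
three web servers on TCP port 80 and a listener on the backdoor port.  The
proxy-log layout (timestamp client method url) and the netstat lines are
constructed."""
import re
from urllib.parse import urlsplit

# Hosts from the write-up.  The second entry is listed there as
# www.songtext.net/de, i.e. host www.songtext.net with path /de.
CHECKIN_HOSTS = {"permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de"}
DEFAULT_BACKDOOR_PORT = 2745


def checkin_requests(log_lines):
    """Return (client, host) pairs for requests to a check-in host on port 80."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue   # malformed or truncated line
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        try:
            port = parts.port or (80 if parts.scheme == "http" else 443)
        except ValueError:
            continue   # non-numeric port in the URL
        if host in CHECKIN_HOSTS and port == 80:
            hits.append((client, host))
    return hits


# Windows "netstat -ano" style row: proto, local addr:port, foreign, state, pid
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.IGNORECASE)


def backdoor_listeners(netstat_lines, port=DEFAULT_BACKDOOR_PORT):
    """Return (local_address, pid) for every TCP listener on the backdoor port."""
    found = []
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            found.append((m.group(1), int(m.group(3))))
    return found


def assess(log_lines, netstat_lines, port=DEFAULT_BACKDOOR_PORT):
    """Combine both signals.  The check-in hosts are ordinary third-party web
    sites, so a request to them alone is a pivot point, not a verdict; the
    listener on the backdoor port is the stronger host-side confirmation."""
    checkins = checkin_requests(log_lines)
    listeners = backdoor_listeners(netstat_lines, port)
    return {"checkins": checkins, "listeners": listeners,
            "likely_infected": bool(checkins) and bool(listeners)}


# Constructed samples.
PROXY_LOG = [
    "2004-02-29T09:14:02 10.0.0.17 GET http://permail.uni-muenster.de/",
    "2004-02-29T09:14:05 10.0.0.17 GET http://www.example.com/index.html",
    "2004-02-29T09:15:11 10.0.0.23 GET https://www.sportscheck.de/",   # port 443, not 80
    "2004-02-29T09:16:40 10.0.0.17 GET http://www.songtext.net/de",
]
NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    812",
    "  TCP    0.0.0.0:2745     0.0.0.0:0    LISTENING    1604",
    "  TCP    10.0.0.17:1043   10.0.0.1:80  ESTABLISHED  1604",
]

if __name__ == "__main__":
    print(assess(PROXY_LOG, NETSTAT))
```

Pass the port read from the DateTime2 registry value as the "port" argument when it differs from 2745; the default covers the case the write-up describes.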

W32.Beagle.C@mm then attempts to terminate the following processes:

* ATUPDATER.EXE
* AVWUPD32.EXE
* AVPUPD.EXE
* LUALL.EXE
* DRWEBUPW.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* UPDATE.EXE
* NUPGRADE.EXE
* ATUPDATER.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVXQUAR.EXE
* CFIAUDIT.EXE
* MCUPDATE.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* AVLTMAIN.EXE

The worm then scans files with the following extensions for e-mail addresses:

* .wab
* .txt
* .htm
* .html
* .dbx
* .mdx
* .eml
* .nch
* .mmf
* .ods
* .cfg
* .asp
* .php
* .pl
* .adb
* .sht

The worm then uses its own SMTP engine, which includes its own MIME implementation, to send copies of itself to the harvested addresses. It will not send itself to any e-mail address that contains one of the following strings:

* .ch
* @hotmail.com
* @msn.com
* @microsoft
* @avp.
* noreply
* local
* root@
* postmaster@

Finally, the icon used for the attachment may fool unsuspecting users into believing that the attachment is an Excel workbook.