W32.Beagle.A@mm

Discovered: January 18, 2004
Updated: January 20, 2004 10:13:57 AM
Systems Affected: Windows

W32.Beagle.A@mm is a mass-mailing worm that sends itself to all email addresses it gathers from certain files on the compromised system. The worm also attempts to access scripts from a certain website.

W32.Beagle.A@mm is a mass-mailing worm that sends itself to all email addresses it gathers from files with .wab, .txt, .htm, and .html extensions. It will not send itself to any email addresses that include the following strings:
.r1
@hotmail.com
@msn.com
@microsoft.com
@avp

The worm typically arrives as an email message with the following properties:
Subject: Hi

Message:

Test =)
<Random characters>
--
Test, yep.

Filename: <Random>.exe

The From address will be spoofed so that it will appear that the sender's address is in the same domain as the recipient.
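As an added example, not part of the advisory, the following Python mail-gateway check scores an incoming message against the four message properties described above (the fixed subject, the fixed body strings, an .exe attachment, and a From address in the recipient's own domain). The addresses and the attachment name in the constructed sample are assumptions made for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory's description of the message: fixed subject,
# fixed body strings, a .exe attachment, and a From address spoofed into
# the recipient's own domain.
SUBJECT = "Hi"
BODY_MARKERS = ("Test =)", "Test, yep.")

def _domain(addr):
    """Lower-cased domain part of one address header value."""
    _, _, dom = str(addr).rpartition("@")
    return dom.strip(" <>").lower()

def beagle_a_indicators(raw):
    """Parse a raw RFC 2822 message and list the indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("body")
    if any((p.get_filename() or "").lower().endswith(".exe")
           for p in msg.iter_attachments()):
        hits.append("exe_attachment")
    sender = _domain(msg.get("From", ""))
    recipients = {_domain(a) for a in str(msg.get("To", "")).split(",")}
    if sender and sender in recipients:
        hits.append("from_in_recipient_domain")
    return hits

def is_beagle_a_candidate(raw):
    """Quarantine only when all four indicators line up together."""
    return len(beagle_a_indicators(raw)) == 4

def build_sample(subject="Hi", attach=True):
    """Constructed sample mirroring the advisory (not a real capture);
    addresses and the attachment name are made up for the demonstration."""
    m = EmailMessage()
    m["From"] = "alice@example.com"   # appears to come from the recipient's domain
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("Test =)\nqx7vp2nd\n--\nTest, yep.\n")
    if attach:
        m.add_attachment(b"not a real executable", maintype="application",
                         subtype="octet-stream", filename="qx7vp2.exe")
    return m.as_bytes()
```

Requiring all four indicators together keeps a single "Hi" subject or a same-domain sender from triggering on ordinary internal mail.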

When the attachment is executed, the worm first checks the current system date. If the date is after January 28th, 2004, it will do nothing. Otherwise, it creates the following copy of itself:
%system%\bbeagle.exe

The worm then launches calc.exe.

The following registry entries are created by the worm:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"d3update.exe" = "%system%\bbeagle.exe"
HKEY_CURRENT_USER\Software\Windows98\"uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98\"frun" = "1"

Finally, the worm attempts to access a script from a list of hard-coded websites carried in its body. The script file, 1.php, is inaccessible as of this writing.

The following is the list of sites the worm attempts to contact:

** Update: Information suggests that the 1.php script directs the compromised system to download and execute Trojan.Mitglieder (MCID 2445).

** Update: The worm also starts a thread that listens on TCP port 6777 and allows a remote attacker to perform the following actions:
- execute commands on the compromised system as the current user
- download files onto the system
- terminate and delete the worm from the system

** Update: The Symantec DeepSight Threat Analyst Team has detected a significant increase in port TCP 6777 traffic. This marked increase is believed to be associated with the widespread propagation of this worm.