W32.Beagle.B@mm

Discovered: February 17, 2004
Updated: February 17, 2004 3:31:02 PM
Systems Affected: Windows

W32.Beagle.B@mm is a mass-mailing worm that also installs a back door server on compromised systems.

W32.Beagle.B@mm is a mass-mailing worm that uses its own SMTP engine to send its email messages to addresses it gathers from files with the following extensions:
.wab
.txt
.htm
.html

The email message may have the following properties:
From address is spoofed.

Subject: ID <6 random characters>... thanks

Message Body:
Yours ID <9 random characters>
- -
Thank

When executed, it opens the Windows Sound Recorder, sndrec32.exe.

Next, the worm appears to create the following file:
%System%\au.exe

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe = %System%\au.exe

It also creates the following registry entry, possibly as an infection marker:
HKEY_CURRENT_USER\SOFTWARE\Windows2000

The back door component listens on TCP port 8866 for connections from the remote attacker. It notifies the attacker of the compromised system by sending an HTTP GET request to the following URLs:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php

The worm will cease propagation on February 25, 2004.
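The indicators above (mail subject template, Run value, infection-marker key, TCP 8866 listener, notification URLs) can be turned into a host and log triage check. The following Python script is an added example and is not part of the Symantec write-up. It assumes that the random characters in the subject are alphanumeric (the advisory gives only their length), that registry data arrives as a regedit .reg export, that listener data is in "netstat -an" format, and that proxy logs carry the request method followed by the full URL; all sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory. The advisory gives only the length of the
# random ID string; the alphanumeric character class is an assumption.
SUBJECT_RE = re.compile(r"^ID [A-Za-z0-9]{6}\.\.\. thanks$")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Windows2000"
BACKDOOR_PORT = 8866
NOTIFY_URLS = {
    "www.strato.de/1.php",
    "www.strato.de/2.php",
    "www.47df.de/wbboard/1.php",
    "www.intern.games-ring.de/2.php",
}


def matching_subjects(subjects):
    """Return the subjects that fit the worm's 'ID <6 chars>... thanks' template."""
    return [s for s in subjects if SUBJECT_RE.match(s.strip())]


def registry_hits(reg_export):
    """Scan a regedit-format .reg export for the Run value and the marker key."""
    hits = {"run_value": False, "marker_key": False}
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower() == MARKER_KEY.lower():
                hits["marker_key"] = True
        elif line.startswith('"') and current_key.lower() == RUN_KEY.lower():
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            # .reg exports double every backslash; undo that before comparing.
            data = data.strip('"').replace("\\\\", "\\").lower()
            if name == "au.exe" and data.endswith("\\au.exe"):
                hits["run_value"] = True
    return hits


def backdoor_listener(netstat_output):
    """True if 'netstat -an' style output shows a TCP listener on port 8866."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = fields[1].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) == BACKDOOR_PORT:
                return True
    return False


def notification_requests(proxy_lines):
    """Return proxy-log lines whose GET target is one of the notification URLs."""
    found = []
    for line in proxy_lines:
        parts = line.split()
        try:
            url = parts[parts.index("GET") + 1]
        except (ValueError, IndexError):
            continue
        u = urlsplit(url)
        if f"{u.hostname}{u.path}" in NOTIFY_URLS:
            found.append(line)
    return found


# Constructed sample data for a stand-alone run (not from a real incident).
SAMPLE_SUBJECTS = ["ID a7Kd92... thanks", "Re: meeting notes", "ID abc... thanks"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"au.exe"="C:\\WINDOWS\\System32\\au.exe"

[HKEY_CURRENT_USER\SOFTWARE\Windows2000]
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.2:80            ESTABLISHED
"""
SAMPLE_PROXY = [
    "2004-02-17T10:01:02 192.168.1.5 GET http://www.strato.de/1.php 200",
    "2004-02-17T10:01:03 192.168.1.5 GET http://www.example.com/index.html 200",
    "2004-02-17T10:01:04 192.168.1.5 GET http://www.47df.de/wbboard/1.php 404",
]


def triage(subjects=SAMPLE_SUBJECTS, reg_export=SAMPLE_REG,
           netstat_output=SAMPLE_NETSTAT, proxy_lines=SAMPLE_PROXY):
    """Combine the four checks into one summary dict for an analyst."""
    reg = registry_hits(reg_export)
    return {
        "subjects": matching_subjects(subjects),
        "run_value": reg["run_value"],
        "marker_key": reg["marker_key"],
        "listener_8866": backdoor_listener(netstat_output),
        "notifications": len(notification_requests(proxy_lines)),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

The registry and listener checks are the strongest signals on a single host; the subject template and the proxy hits are useful at the mail gateway and egress proxy, where they flag infected senders before host triage starts.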