W32.Beagle.E@mm

Discovered: February 28, 2004
Updated: March 01, 2004 4:03:53 AM
Systems Affected: Windows

W32.Beagle.E@mm is a persistent mass-mailing worm that sends itself to all email addresses it gathers from certain files on the compromised system. The worm also opens a backdoor on the system that listens on TCP port 2745. It includes its own SMTP engine in the form of a DLL injected into the address space of explorer.exe. The worm also sends identification information to remote servers, presumably under the control of the author. It is almost identical in functionality to W32.Beagle.C@mm.

W32.Beagle.E@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as an e-mail attachment in a message that may have one of the following subjects:
Accounts department
Ahtung!
Camila
Daily activity report
Ello!
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Price-list
Pricelist
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me? he he

The message body will be one of the following:
Subj
Request
Empty
Response
Everything inside the attach
Look it through
Cya

The attachment name will be random characters followed by a .zip extension.
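The e-mail characteristics above (fixed subject, fixed one-line body, randomly named .zip attachment) are distinctive enough to flag at a mail gateway. The following is an added example, not part of the original writeup: it parses an RFC 822 message with Python's standard library and reports which Beagle.E traits are present. The attachment-name pattern (alphanumeric base name plus .zip) and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subjects and bodies as listed in the writeup above.
BEAGLE_E_SUBJECTS = {
    "Accounts department", "Ahtung!", "Camila", "Daily activity report", "Ello!",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me",
    "Greet the day", "Hardware devices price-list", "Hello my friend", "Hi!",
    "Jenny", "Jessica", "Looking for the report", "Maria", "Melissa",
    "Monthly incomings summary", "New Price-list", "Price", "Price list",
    "Price-list", "Pricelist", "Proclivity to servitude",
    "Registration confirmation", "The account", "The employee", "The summary",
    "USA government abolishes the capital punishment", "Weekly activity report",
    "Well...", "You are dismissed", "You really love me? he he",
}
BEAGLE_E_BODIES = {"Subj", "Request", "Empty", "Response",
                   "Everything inside the attach", "Look it through", "Cya"}
# Assumed shape of "random characters followed by .zip": short alphanumeric name.
RANDOM_ZIP = re.compile(r"^[A-Za-z0-9]{1,12}\.zip$")

def beagle_e_indicators(raw: bytes) -> list[str]:
    """Return the Beagle.E e-mail traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    if (msg.get("Subject") or "").strip() in BEAGLE_E_SUBJECTS:
        found.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BEAGLE_E_BODIES:
        found.append("body")
    for part in msg.iter_attachments():
        if RANDOM_ZIP.match(part.get_filename() or ""):
            found.append("zip-attachment")
            break
    return found

def is_probable_beagle_e(raw: bytes) -> bool:
    """Flag only when all three traits coincide, to keep false positives low."""
    return len(beagle_e_indicators(raw)) == 3

def build_sample() -> bytes:
    """Constructed sample message with the described traits (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Weekly activity report"
    msg.set_content("Look it through")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="zip", filename="qmzaeupo.zip")
    return msg.as_bytes()
```

A message matching only the subject (a common business phrase) is deliberately not flagged; requiring all three traits is what makes the rule specific to this worm.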

The attachment, once run, will first check the system date. The worm will uninstall itself if the date is past March 25, 2004. If not, execution continues and a mutex (mutual exclusion) named "imain_mutex" is created to ensure that only one instance of the worm is running. If the worm was not executed from the binary "%System%\i1ru74n4.exe", "notepad.exe" may be launched. This may occur the first time that the executable is run. It then attempts to create the following files:
%System%\godo.exe
%System%\ii455nj4.exe
%System%\i1ru74n4.exeopen

The DLL "godo.exe" is then injected into the process space of "explorer.exe". Running the SMTP engine inside explorer.exe makes its outbound traffic appear to originate from that trusted process, so it may pass software firewalls that filter per process.

To make W32.Beagle.E@mm persistent, the following value:

"rate.exe"="%System%\i1ru74n4.exe"

is added to registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This causes W32.Beagle.E@mm to be executed whenever the system is booted. W32.Beagle.E@mm then generates a unique identifier for the infected host and assigns the TCP port number (2745, by default) on which the backdoor server will listen. This information is stored in the registry: the values:

"uid"="[Random Value]"
"port"="2745"
"frun"="1"

are added to the registry key:

HKEY_CURRENT_USER\SOFTWARE\DateTime4

The backdoor is then started and listens on the specified port. The unique identifier, the backdoor port number, and the IP address of the infected host are then sent over TCP port 80 to one of three web servers at:
permail.uni-muenster.de
www.songtext.net/de
www.sportscheck.de

W32.Beagle.E@mm then attempts to terminate the following processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

Following this, files with the following extensions are scanned for e-mail addresses:
.wab
.txt
.htm
.html
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.adb
.sht

The worm then uses its SMTP engine, which includes its own MIME implementation, to send copies of itself to the e-mail addresses that were discovered. It will not send itself to any e-mail address that contains one of the following strings:
.gr
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@

Finally, the icon used for the attachment may fool unsuspecting users into believing that the attachment is a text file.