W32.Beagle.G@mm


Discovered: February 29, 2004
Updated: March 01, 2004 4:55:42 PM
Systems Affected: Windows

W32.Beagle.G@mm is a persistent mass-mailing worm that sends itself to all email addresses it gathers from certain files on the compromised system. The worm also opens a backdoor on the system that listens on TCP port 2745. It includes its own SMTP engine in the form of a DLL injected into the address space of explorer.exe. The worm also sends identification information to remote servers, presumably under the control of the author. It is almost identical in functionality to W32.Beagle.F@mm.

W32.Beagle.G@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as an e-mail attachment in a message that may have one of the following subjects:
^_^ meay-meay!
^_^ mew-mew (-:
Aline
Anna
Audra
Bad girl
Barbi
beautiful
Caitie
caroline
ello! =))
Fotograf
Gallery photos
groom
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Jammie
Juli
Julie
kate
Katrina
Kelley
kleopatra
Lisa
Mandy
Mary
Mary-Anne
My beautiful person
My Name is Frenk
My photoalbum
My photos
Myphotos
Photoalbum
rebecca
Rena
Sara
stacy
Tammy
Wau... beautiful (-:
Weah, hello! :-)
Weeeeee! ;)))

Message body can be one of the following:
Argh, i don't like the plaintext :)

Fell free to chat with me I accept all ages. Don''''t worry I don''''t bite........hope to hear from you soon!

Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...

Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks

Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!

I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .

I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.

I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff

I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...

I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.

i love to chat to just about anyone!!

I love to dance, read poetry, make people laugh, and hug as many people a day as i can.

I sit with elders of a gentle race, whose world is seldom seen.Who sit and talk of days for which they wait, when all will be revealed. These are song lyrics.

If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.

If you are going to make me cry, at least be there to wipe away the tears *Right now the worst thing for you to tell me that I can find someone better than you, especially when you are all I want

I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday

I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.

I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone

i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.

Looking forward for a response :P

Love the outdoors, literature, writing, and athletics

My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.

Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.

Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.

When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together

You don't know what you've got till it's gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?

If the attachment is a password-protected zip file, the message body will also include one of the following strings where %s is the password:
archive password: %s
password: %s
pass: %s
password for archive: %s

The attachment name will be one of the following names:
Aline
Anna
Audra
Bad girl
Barbi
Caitie
caroline
Gallery
It_I
Jammie
Juli
Julie
kate
Katrina
Kelley
kleopatra
Lisa
Mandy
Mary
Mary-Anne
myfotos
Photoalbum
Photomontage
Picture
rebecca
Rena
Sara
stacy
Tammy

With one of the following extensions:
.exe
.scr
.zip

The attachment, once run, will first check the system date. The worm will uninstall itself if the date is past March 25, 2004. If not, execution continues and a mutex (mutual exclusion) named "imain_mutex" is created to ensure that only one instance of the worm is running. It then attempts to create the following files:
%System%\go54o.exe
%System%\ii5nj4.exe
%System%\i1ru54n4.exe

The DLL "go54o.exe" is then injected into the process space of "explorer.exe". This activates the SMTP engine in such a way that it may slip by software firewall systems with per-process filtering.

So that it executes every time Windows starts, the following registry entry is created:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe = %System%\i1ru54n4.exe

The worm then generates a unique identifier for the infected host and chooses the TCP port number (2745 by default) on which its backdoor server will listen. This information is stored in the registry: the values

"uid"="[Random Value]"
"port"="2745"
"frun"="1"

are added to the registry key:

HKEY_CURRENT_USER\SOFTWARE\DateTime4

The backdoor is then started and listens on the specified port. The unique identifier, backdoor port number and IP address of the infected host are then reported, over TCP port 80, to one of the following three web servers:
http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php
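As an added triage example (not part of this writeup), the Python below correlates the host indicators described above: the Run-key entry, the DateTime4 configuration values and the backdoor listener, parsed from a Regedit .reg export and `netstat -an` output. The sample input is constructed to mimic an infected host and is not captured data.

```python
# Host indicators taken from the W32.Beagle.G@mm description above.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\DateTime4"
DEFAULT_PORT = 2745

# Constructed sample input (not from a real host): .reg export and netstat -an.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\system32\\i1ru54n4.exe"
[HKEY_CURRENT_USER\SOFTWARE\DateTime4]
"uid"="72893411"
"port"="2745"
"frun"="1"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:2745    0.0.0.0:0    LISTENING
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {name: value}}; string values only."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
        elif cur is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            # .reg files double every backslash inside REG_SZ values
            keys[cur][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def listening_tcp_ports(netstat_text):
    """Local TCP ports in LISTENING state, from 'netstat -an' output."""
    rows = (l.split() for l in netstat_text.splitlines())
    return {int(r[1].rsplit(":", 1)[1]) for r in rows
            if len(r) >= 4 and r[0] == "TCP" and r[3] == "LISTENING"}

def assess_host(reg_text, netstat_text):
    """Correlate the registry and listener indicators into a findings list."""
    keys, findings = parse_reg_export(reg_text), []
    target = keys.get(RUN_KEY, {}).get("rate.exe", "")
    if target.lower().endswith("\\i1ru54n4.exe"):
        findings.append("run-key persistence: rate.exe = " + target)
    cfg = keys.get(CONFIG_KEY, {})
    port = int(cfg.get("port", DEFAULT_PORT))  # worm stores its chosen port here
    if cfg:
        findings.append(f"config key present: uid={cfg.get('uid')} port={port}")
    if port in listening_tcp_ports(netstat_text):
        findings.append(f"backdoor listener on TCP {port}")
    return findings
```

Because the port is read back from the DateTime4 key rather than hard-coded, the listener check still fires on a host where the worm was configured with a port other than 2745.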

It then attempts to terminate the following processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

Next, files with the following extensions are scanned for e-mail addresses:
.adb
.asp
.cfg
.dbx
.eml
.htm
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.tbb
.txt
.wab
.xml

The worm then uses its SMTP engine to transmit copies of itself to the e-mail addresses that were discovered. The worm has its own MIME implementation. It will not send itself to any email addresses that include the following strings:
@avp.
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

Finally, the icon used for the attachment may fool unsuspecting users into believing that the attachment is a folder.

The worm also attempts to propagate through filesharing networks by creating the following copies of itself in folders with the string "shar" in their names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe