W32.Beagle.U@mm


Discovered: March 26, 2004
Updated: March 26, 2004 3:53:07 PM
Systems Affected: Windows

W32.Beagle.U@mm is a mass-mailing worm that opens a backdoor on TCP port 4751 and uses its own SMTP engine to spread through email. The worm arrives as a blank email with a randomly named attachment. If the compromised system's clock year is 2005 or later, the worm will not run.

W32.Beagle.U@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as a blank email with a randomly named attachment.

Subject: (Blank)
Message Body: (Blank)
Attachment: (random name).exe
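The attachment name is random, but the message itself has a fixed shape: an empty Subject, an empty body and a single executable attachment. As an added example (not detection logic from the original writeup), the following Python uses only the standard library to parse a message and report whether all three indicators are present. Both messages it works on are constructed samples, not captured worm mail, and the broadened extension set is an assumption, since the page only names .exe.

```python
"""Mail-gateway check for the delivery pattern described above: empty Subject,
empty body, executable attachment with an arbitrary name.  Added example, not
detection logic from the original writeup; both messages below are constructed
samples, not captured worm mail."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Assumption: the page names only .exe; other directly executable Windows
# extensions are included so a renamed payload of the same shape is caught too.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def body_is_blank(msg: EmailMessage) -> bool:
    """True when the message has no text body or only whitespace in it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Names of attachments whose extension is directly executable on Windows."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which indicators are present."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_blank = (msg["Subject"] or "").strip() == ""  # missing or empty
    body_blank = body_is_blank(msg)
    exes = executable_attachments(msg)
    return {
        "subject_blank": subject_blank,
        "body_blank": body_blank,
        "executable_attachments": exes,
        # All three must line up; any one alone is common in legitimate mail.
        "match": subject_blank and body_blank and bool(exes),
    }


# Constructed sample shaped like the worm's mail.  The base64 payload is a few
# placeholder bytes, not a real binary; the check never decodes it anyway.
SUSPECT = b"""\
From: sender@example.net
To: recipient@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="xk3q9z.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed ordinary message with a subject, a body and a PDF attachment.
BENIGN = b"""\
From: sender@example.net
To: recipient@example.org
Subject: Q2 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(raw))
```

The check keys on the combination rather than on the attachment name, which is the part the worm randomises; a gateway that only blocked known filenames would miss every copy.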

When run, the worm first checks for an unnamed mutex. Next it checks whether it was executed with the -upd argument (this argument makes the worm run its updating routines). The worm then creates the following file:
%System%\gigabit.exe

The following registry entry is then created to hook system startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"gigabit.exe"="%System%\gigabit.exe"

It will also create the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Windows2004
with the following sub-entries:
gsed
fr1n

Next, the worm attempts to execute mshearts.exe (the executable for the Microsoft Hearts game).

The worm then checks the compromised system's clock; if the year is 2005 or later, the worm exits.

The backdoor component of the worm then opens and listens on TCP port 4751. The backdoor allows a remote attacker to download and execute updates for the worm on the compromised system. Additionally, the backdoor permits the attacker to remotely remove the worm installation.
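The registry entries listed above and the listener on TCP port 4751 are the host-side indicators a responder would check. As an added example (not a tool from the original writeup), the following Python reads a `reg export` excerpt and `netstat -ano` output and reports which indicators are present. Both inputs here are constructed samples; the data stored under the gsed and fr1n entries is a placeholder because the page does not document it, and on a live host the real command output would be fed to the same functions.

```python
"""Host triage for the persistence and backdoor indicators described above:
the Run value that launches gigabit.exe, the HKCU Windows2004 key with its gsed
and fr1n entries, and a TCP listener on port 4751.  Added example, not a tool
from the original writeup; the inputs are constructed samples."""
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Windows2004"
MARKER_VALUES = {"gsed", "fr1n"}
BACKDOOR_PORT = 4751
DROPPED_FILE = "gigabit.exe"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REGEDIT5 exports: [key] headers followed by
    "name"=data lines.  String data is unescaped; other data (dword:, hex:)
    is kept as raw text.  Value names containing '=' are not handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes in string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_run_persistence(keys: Dict[str, Dict[str, str]],
                         target: str = DROPPED_FILE) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for Run entries naming or launching target.
    Registry paths are case-insensitive, so everything is compared lower-cased."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == target.lower() or target.lower() in data.lower():
                hits.append((key, name, data))
    return hits


def find_marker_values(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Which of the worm's marker entries exist under the Windows2004 key."""
    for key, values in keys.items():
        if key.lower() == MARKER_KEY.lower():
            return sorted(n for n in values if n.lower() in MARKER_VALUES)
    return []


def find_listeners(netstat_text: str, port: int = BACKDOOR_PORT) -> List[dict]:
    """TCP sockets in LISTENING state bound to port, from `netstat -ano`
    output (columns: Proto, Local Address, Foreign Address, State, PID)."""
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0].upper() != "TCP":
            continue
        local, state, pid = cols[1], cols[3], cols[4]
        if local.rsplit(":", 1)[-1] == str(port) and state.upper() == "LISTENING":
            hits.append({"local": local, "pid": int(pid)})
    return hits


def triage_host(reg_export: str, netstat_output: str) -> dict:
    keys = parse_reg_export(reg_export)
    findings = {
        "run_persistence": find_run_persistence(keys),
        "marker_values": find_marker_values(keys),
        "listeners": find_listeners(netstat_output),
    }
    # A listener on 4751 alone could be an unrelated service; count how many
    # independent indicators agree before treating the host as infected.
    findings["indicator_count"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed `reg export HKCU\SOFTWARE` excerpt.  The gsed/fr1n data is a
# placeholder: the writeup names the entries but not what they hold.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"gigabit.exe"="C:\\WINDOWS\\System32\\gigabit.exe"

[HKEY_CURRENT_USER\SOFTWARE\Windows2004]
"gsed"="placeholder-value"
"fr1n"="placeholder-value"
'''

# Constructed `netstat -ano` excerpt.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING       1688
  TCP    192.168.1.10:49700     198.51.100.7:443       ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    740
"""

if __name__ == "__main__":
    print(triage_host(REG_EXPORT, NETSTAT_OUTPUT))
```

The PID returned with the listener is what ties the socket back to the running process, so a responder can confirm that it is the dropped %System%\gigabit.exe before acting on the finding.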

The worm will then notify the following website of a successful compromise:
http://www.werde.de

Following this, the worm scans files with the following extensions for e-mail addresses:
wab
txt
msg
htm
shtm
stm
xml
dbx
mbx
mdx
eml
nch
mmf
ods
cfg
asp
php
pl
wsh
adb
tbb
sht
xls
oft
uin
cgi
mht
dhtm
jsp

Finally, the worm uses its SMTP engine to send copies of itself to the e-mail addresses it discovered. It will not send itself to any e-mail addresses that contain the following strings:
@avp
@microsoft