Discovered: March 26, 2004
Updated: March 26, 2004 3:53:07 PM
Systems Affected: Windows
W32.Beagle.U@mm is a mass-mailing worm that opens a backdoor on TCP port 4751 and uses its own SMTP engine to spread through email. The worm arrives as a blank email with a randomly named attachment. If the compromised system's clock year is 2005 or later, the worm will not run.
W32.Beagle.U@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as a blank email with a randomly named attachment.
Message Body: (Blank)
Attachment: (random name).exe
When run, the worm first checks for an unnamed mutex. Next, it checks whether it was executed with the -upd argument, which makes the worm execute its updating routines. The worm then creates the following file:
The following registry entry is then created to hook system startup:
It will also create the following registry key:
With the following sub entries:
Next, the worm attempts to execute mshearts.exe (the executable for the Microsoft Hearts game).
The worm then checks the compromised system's clock. If the year is 2005 or later, the worm exits.
The backdoor component of the worm then opens and listens on TCP port 4751. The backdoor allows the remote attacker to download and execute updates for the worm on the compromised system. Additionally, the backdoor permits the attacker to remotely remove the worm installation.
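A host-side check for the listener described above, as an added example that is not part of the original advisory: it parses `netstat -ano` output and reports any TCP socket listening on port 4751 with its owning PID. The function name and the sample netstat text are constructed for illustration.

```python
# Added example (not from the advisory): flag TCP listeners on the backdoor
# port in `netstat -ano` output. SAMPLE is constructed for illustration.
BACKDOOR_PORT = 4751  # TCP port the advisory says the backdoor listens on

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING       1632
  TCP    192.168.1.20:1045      203.0.113.7:4751       ESTABLISHED     1200
  TCP    [::]:4751              [::]:0                 LISTENING       1632
  UDP    0.0.0.0:4751           *:*                                    900
"""


def find_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return (local_address, pid) for each TCP socket listening on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, foreign, state, pid.
        # Header rows and UDP rows (no state column) fall out here.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _proto, local, _foreign, state, pid = fields
        if state.upper() != "LISTENING":
            continue  # a connection to a remote port 4751 is not a listener
        # rpartition splits on the last colon, so [::]:4751 parses correctly.
        _addr, _, local_port = local.rpartition(":")
        if local_port.isdigit() and int(local_port) == port and pid.isdigit():
            hits.append((local, int(pid)))
    return hits


if __name__ == "__main__":
    for local, pid in find_listeners(SAMPLE):
        print(f"TCP listener on {local} owned by PID {pid}")
```

A hit is a lead for investigation rather than proof of infection; resolve the PID to its executable path before drawing a conclusion.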
The worm will then notify the following website of a successful compromise:
Following this, files with the following extensions are scanned for e-mail addresses:
Finally, the worm uses its SMTP engine to send copies of itself to the e-mail addresses that were discovered. It will not send itself to any email addresses that include the following strings: