W32.Beagle.V@mm

Discovered: March 29, 2004
Updated: March 29, 2004 3:22:39 PM
Systems Affected: Windows

W32.Beagle.V@mm is a mass-mailing worm that opens a backdoor on TCP port 4751 and uses its own SMTP engine to spread through email. The worm arrives as a blank email with a randomly named attachment. If the compromised system's clock year is 2005 or later, the worm will not run.

W32.Beagle.V@mm is a mass-mailing worm that installs a backdoor on infected systems. The worm arrives as a blank email with a randomly named attachment. The email has the following characteristics:

Subject: (Blank)
Message Body: (Blank)
Attachment: game.exe (one observed name; the attachment name varies)
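A mail-gateway check that keys on the characteristics above (blank subject, blank body, an .exe attachment, whatever its name), written here as an added example in Python; it is not part of the Symantec writeup. Both sample messages are constructed for the example, not captured Beagle.V mail, and the addresses and attachment bytes are made up.

```python
import email
from email import policy

# Constructed sample matching the writeup's traits: blank subject, blank
# body, .exe attachment. Not a real capture; the payload bytes are dummy.
SUSPECT_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain

--bnd1
Content-Type: application/octet-stream; name="game.exe"
Content-Disposition: attachment; filename="game.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd1--
"""

# Constructed benign message used as a control.
BENIGN_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain

Are you free at noon?
"""


def analyze(raw: bytes) -> dict:
    """Return the three traits and an overall verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_blank = not str(msg.get("Subject") or "").strip()
    body_blank = True
    exe_attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            # The worm's attachment name is random, so match on the
            # extension rather than on a fixed name such as game.exe.
            if filename.lower().endswith(".exe"):
                exe_attachments.append(filename)
            continue
        if part.get_content_type() == "text/plain" and part.get_content().strip():
            body_blank = False
    return {
        "subject_blank": subject_blank,
        "body_blank": body_blank,
        "exe_attachments": exe_attachments,
        "match": subject_blank and body_blank and bool(exe_attachments),
    }


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(name, analyze(raw))
```

The verdict requires all three traits together; a blank-subject message with a plain-text body, or an .exe attached to a normal message, is reported trait by trait but not flagged as a match, which keeps the rule narrow enough to run on a gateway.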

When run, the worm first checks for an unnamed mutex (an already-running check). It then checks whether it was started with the -upd argument, which makes the worm run its update routine. The worm then creates the following file:
%System%\sysinfo.exe

The following registry value is then added so that the worm runs each time the current user logs on:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysinfo.exe = %System%\sysinfo.exe

It will also create the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Windows2005

Next, the worm attempts to execute Dredr.exe if that file is present on the system.

The worm then checks the system clock: if the year is 2005 or later, it exits.

The backdoor component then opens and listens on TCP port 4751. Through it a remote attacker can download and execute updates to the worm on the compromised system, and can also remove the worm installation remotely.
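The installation steps above give a handful of host indicators: the sysinfo.exe value under HKEY_CURRENT_USER\...\Run, the HKEY_CURRENT_USER\SOFTWARE\Windows2005 key, and a TCP listener on port 4751. As an added example, not part of the Symantec writeup, the following Python checks `reg export` and `netstat -ano` style text against those indicators. Both inputs are constructed for the example; the PID correlation between the 4751 listener and outbound port-25 connections is my own heuristic, suggested by the worm's own SMTP engine, not a behaviour the writeup states.

```python
import re

# Indicators as given in the writeup.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "sysinfo.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Windows2005"
BACKDOOR_PORT = 4751

# Constructed `reg export` text standing in for an infected user's hive;
# the ctfmon.exe entry is a typical benign neighbour.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysinfo.exe"="C:\\WINDOWS\\system32\\sysinfo.exe"

[HKEY_CURRENT_USER\SOFTWARE\Windows2005]
"""

# Constructed `netstat -ano` output: PID 1604 listens on 4751 and also has
# an outbound SMTP connection (assumed correlation, see lead-in).
INFECTED_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.5:1038       192.0.2.10:25          SYN_SENT        1604
"""

# Constructed clean hive used as a control.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_reg_export(text):
    """Parse a .reg export into {key_lower: {value_lower: data}} (string values only).
    Keys and value names are lowercased because the Windows registry is case-insensitive."""
    reg, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash in string data.
            reg[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return reg


def check_registry(reg):
    findings = []
    run = reg.get(RUN_KEY.lower(), {})
    if RUN_VALUE in run:
        findings.append(f"run-value {RUN_VALUE} -> {run[RUN_VALUE]}")
    if MARKER_KEY.lower() in reg:
        findings.append(f"marker-key {MARKER_KEY}")
    return findings


def check_netstat(text):
    findings, listener_pids = [], set()
    rows = [m.groups() for m in (NETSTAT_RE.match(l) for l in text.splitlines()) if m]
    for lport, _raddr, _rport, state, pid in rows:
        if int(lport) == BACKDOOR_PORT and state == "LISTENING":
            findings.append(f"listener tcp/{BACKDOOR_PORT} pid {pid}")
            listener_pids.add(pid)
    # Heuristic: the same PID talking to port 25 corroborates the listener.
    for _lport, raddr, rport, _state, pid in rows:
        if pid in listener_pids and rport == "25":
            findings.append(f"smtp-client pid {pid} -> {raddr}:{rport}")
    return findings


def scan(reg_text, netstat_text):
    """Run both checks and return the combined list of finding strings."""
    return check_registry(parse_reg_export(reg_text)) + check_netstat(netstat_text)


if __name__ == "__main__":
    for finding in scan(INFECTED_REG, INFECTED_NETSTAT):
        print(finding)
```

On a live host the same two functions can be fed the output of `reg export HKCU\SOFTWARE hkcu.reg` and `netstat -ano`; the listener check alone is a weak signal, since any program may bind 4751, so treat it as corroboration for the registry findings rather than as proof on its own.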

The worm then harvests email addresses from files on the system that have the following extensions:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Finally, the worm uses its own SMTP engine to send copies of itself to the harvested addresses. It will not send itself to any address that contains the following strings:
@avp
@microsoft