W32.Beagle.Z@mm


Discovered: July 05, 2004
Updated: July 05, 2004 7:08:37 PM
Systems Affected: Windows

W32.Beagle.Z@mm is a mass-mailing worm that opens a backdoor on TCP port 1234 and uses its own SMTP engine to spread through email. The worm also carries a copy of its own source code.

W32.Beagle.Z@mm is a mass-mailing worm that installs a backdoor on infected systems. Its only difference from W32.Beagle.Y@mm is that it is packed with PeX.

It sends itself to email addresses it gathers from files with the following extensions on the compromised system:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The email message constructed by the worm typically has the following properties:
The from address will be spoofed.

Subject may be one of the following:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

The message body is one of the following:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

The attachment name will be one of the following:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

The attachment extension will be one of the following:
hta
vbs
exe
scr
com
cpl
zip
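The subject, body, attachment-name and attachment-extension lists above can be turned directly into a mail-gateway detection rule. The Python below is an added example, not code from the advisory or from Symantec: it parses an RFC 822 message with the standard library, matches the subject, the text body and every attachment against the lists transcribed from this page, and returns a verdict. The function names `score_message` and `build_sample` and the sample messages are constructed for the example. Matching is whitespace- and case-insensitive so a trailing newline or a lowercased "re:" does not defeat the exact-string check; a "zip" hit is by archive name only, since the rule does not open the archive.

```python
"""Mail-gateway indicator check for the W32.Beagle.Z@mm message format.

Added example; not code from the advisory.  The indicator sets below are
transcribed from the advisory text; the messages built by build_sample()
are constructed samples.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the worm chooses from (transcribed from the advisory).
SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Notification", "Changes..", "Update", "Fax Message", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi",
    "Encrypted document",
}
# Body texts (transcribed from the advisory).
BODIES = {
    "Read the attach.", "Your file is attached.", "More info is in attach",
    "See attach.", "Please, have a look at the attached file.",
    "Your document is attached.", "Please, read the document.",
    "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.",
    "Pay attention at the attach.", "See the attached file for details.",
    "Message is in attach", "Here is the file.",
}
# Attachment base names and extensions (transcribed from the advisory).
ATTACH_NAMES = {"Information", "Details", "text_document", "Updates",
                "Readme", "Document", "Info", "MoreInfo", "Message"}
ATTACH_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl", "zip"}


def _norm(text):
    """Collapse whitespace and fold case so a trailing newline or a
    capitalisation difference does not defeat the exact-string match."""
    return " ".join(str(text).split()).casefold()


_SUBJECTS = {_norm(s) for s in SUBJECTS}
_BODIES = {_norm(b) for b in BODIES}
_NAMES = {n.casefold() for n in ATTACH_NAMES}


def score_message(raw):
    """Parse an RFC 822 message (bytes) and report which indicator groups
    it matches.  Verdict: 'block' when a listed attachment is combined with
    a listed subject or body, 'review' on any single hit, else 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": _norm(msg.get("Subject", "")) in _SUBJECTS,
            "body": False, "attachment": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.rpartition(".")
            # A "zip" hit only checks the archive's name, not its contents.
            if stem.casefold() in _NAMES and ext.casefold() in ATTACH_EXTS:
                hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            if _norm(part.get_content()) in _BODIES:
                hits["body"] = True
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        hits["verdict"] = "block"
    elif any(hits.values()):
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


def build_sample(subject, body, attachment_name, payload=b"MZ-not-a-real-binary"):
    """Construct a sample message (test data only) with a text body and
    one binary attachment, returned as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"   # the worm spoofs From
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("Re: Thank you!", "Your document is attached.", "Details.scr"),
                 ("Update", "Agenda for Monday is attached.", "agenda.pdf"),
                 ("Q3 budget", "Numbers attached, see tab 2.", "budget.xlsx")]:
        print(args[0], "->", score_message(build_sample(*args)))
```

A single hit on a common word such as "Update" or "Notification" is deliberately only "review", since those subjects occur in legitimate mail; the combination with a listed attachment name and extension is what makes the rule precise.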

When executed, the worm displays the following fake error message:
Error!
Can't find a viewer associated with the file

It then creates the following 7 mutexes:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Some of these mutexes will prevent variants of Netsky from launching. The worm also deletes several registry values in order to prevent other worms from executing on Windows startup:
"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"

from the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm will then create the following files:
%System%\loader_name.exe
%System%\loader_name.exeopen (copy of the worm with randomly appended data)
%System%\loader_name.exeopenopen

The following registry entry is created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\reg_key = %System%\loader_name.exe

The worm opens a backdoor on TCP port 1234. It also allows the compromised system to be used as an email relay.

The worm attempts to copy itself to all folders containing the string "SHAR" in their names. The following files are created:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
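The lure file names above and the companion files described for %System% (`loader_name.exeopen`, `loader_name.exeopenopen`) are both host-level indicators. The Python below is an added example, not code from the advisory or from Symantec: it walks a directory tree and reports listed lure names found inside folders whose name contains "SHAR", plus any file whose name ends in ".exeopen" or ".exeopenopen". The function names `sweep` and `make_demo_tree` and the demo directory layout are constructed for the example; matching folder names case-insensitively is an assumption made here because Windows file systems ignore case.

```python
"""Host sweep for the on-disk artifacts the advisory attributes to
W32.Beagle.Z@mm.  Added example; not code from the advisory.

Reports (a) the listed lure file names found inside folders whose name
contains "SHAR" and (b) files whose name ends in ".exeopen" or
".exeopenopen", the companion-file naming the advisory describes in
%System%.  Case-insensitive folder matching is an assumption made here.
"""
import os
import tempfile

# Lure file names transcribed from the advisory.
LURE_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
}
_LURES = {n.casefold() for n in LURE_NAMES}
# Companion-file suffixes from the advisory's %System% file list.
COMPANION_SUFFIXES = (".exeopen", ".exeopenopen")


def sweep(root):
    """Walk `root` and return (kind, path) findings, sorted for stable output."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_share_folder = "shar" in os.path.basename(dirpath).casefold()
        for name in filenames:
            full = os.path.join(dirpath, name)
            lowered = name.casefold()
            if in_share_folder and lowered in _LURES:
                findings.append(("lure_file", full))
            if lowered.endswith(COMPANION_SUFFIXES):
                findings.append(("companion_file", full))
    return sorted(findings)


def make_demo_tree():
    """Build a constructed directory layout in a temp dir so the sweep can
    run offline; returns its root path.  Files are empty placeholders and
    'loader_name' is the advisory's own placeholder for the dropped file."""
    root = tempfile.mkdtemp(prefix="beagle_sweep_")
    layout = {
        "Shared Downloads": ["Serials.txt.exe", "holiday.jpg"],
        "Documents": ["Serials.txt.exe"],   # same name, but not a SHAR folder
        "system32": ["loader_name.exeopen", "loader_name.exeopenopen",
                     "kernel32.dll"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            open(os.path.join(root, folder, f), "wb").close()
    return root


if __name__ == "__main__":
    for kind, path in sweep(make_demo_tree()):
        print(f"{kind:15} {path}")
```

Point `sweep()` at a drive root or a file-server share to run it against a real system; the lure check is intentionally limited to SHAR-named folders, as the advisory describes, so a file of the same name elsewhere is not reported, while the companion-file check applies everywhere because the suffix is unusual enough on its own.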

The worm carries a copy of its own source code within its body.