W32.Beagle.AA@mm

Discovered: July 12, 2004
Updated: July 13, 2004 1:21:27 AM
Systems Affected: Windows

W32.Beagle.AA@mm is a mass-mailing worm that opens a backdoor on TCP port
1234 and uses its own SMTP engine to spread through email.

W32.Beagle.AA@mm is a mass-mailing worm that installs a backdoor on infected systems.

It sends itself to email addresses it gathers from files with the following extensions on the compromised system:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The email message constructed by the worm typically has the following properties:

The from address will be spoofed.

Subject may be one of the following:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

If the attachment is a .zip file, then the message body will contain one of the following messages:
For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password
Password:

followed by a copy of the image file dropped as loader_name.exeopenopen.

If the attachment is not a .zip file, the message body will be one of the following:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

The attachment name will be one of the following:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

The attachment extension will be one of the following:
hta
vbs
exe
scr
com
cpl
zip
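The subject, body, attachment-name and extension lists above are fixed, so a mail gateway can flag messages that match the whole template rather than any single string. The following added example (not code from the Symantec writeup) builds that check from the lists given here; the sample messages in the test are constructed, and image attachments are ignored because the .zip variant delivers its password as a picture.

```python
# Heuristic match for W32.Beagle.AA@mm mail lures, built only from the
# writeup's subject, body, attachment-name and extension lists.
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document")}
ATTACH_NAMES = {"information", "details", "text_document", "updates", "readme",
                "document", "info", "moreinfo", "message"}
ATTACH_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl", "zip"}
# Body fragments used when the payload is a password-protected .zip.
ZIP_PHRASES = ("password is", "password --", "use password", "following password",
               "archive password", "password")
# Body fragments used when the payload is a directly executable attachment.
PLAIN_PHRASES = ("read the attach", "your file is attached", "more info is in attach",
                 "see attach", "have a look at the attached file",
                 "your document is attached", "please, read the document",
                 "attach tells everything", "attached file tells everything",
                 "check attached file", "pay attention at the attach",
                 "see the attached file", "message is in attach", "here is the file")


def _split(filename):
    """Return (name, ext) in lower case, or None if there is no extension."""
    if "." not in filename:
        return None
    name, ext = filename.rsplit(".", 1)
    return name.lower(), ext.lower()


def is_beagle_aa_lure(subject, body, attachments):
    """True when subject, body and exactly one payload attachment all fit the template."""
    if subject.strip().lower() not in SUBJECTS:
        return False
    # Keep only attachments with one of the worm's payload extensions;
    # the .jpg/.gif/.bmp password image is dropped here.
    payload = [p for p in map(_split, attachments) if p and p[1] in ATTACH_EXTS]
    if len(payload) != 1:
        return False
    name, ext = payload[0]
    if name not in ATTACH_NAMES:
        return False
    text = body.lower()
    phrases = ZIP_PHRASES if ext == "zip" else PLAIN_PHRASES
    return any(p in text for p in phrases)
```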

When executed, the worm displays the following fake error message:
Error!
Can't find a viewer associated with the file

It then creates the following 7 mutexes:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Some of these will prevent variants of Netsky from launching. It also deletes several registry values in order to prevent other worms from executing on Windows startup:
"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"

from the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm will then create the following files:
%System%\loader_name.exe
%System%\loader_name.exeopen (copy of the worm with randomly appended data)

It will also create a file %System%\loader_name.exeopenopen, which will be a .zip file, .vbs file, .cpl file, .hta file, or the worm itself. One of the following actions will occur, depending on the file type:
If the file is a .zip file, it will contain two randomly named files. One will be a .exe file and the other will be a text file with a .sys, .dat, .idx, .vxd, .vid, or .dll extension.
If the file is a .vbs file and is executed, it will drop a file named vss_2.exe into the current folder.
If the file is a .cpl file and is executed, it will drop a file named cplstub.exe into the %Windir% folder.
If the file is a .hta file and is executed, it will drop a file named qwrk.exe into the current folder.

It also drops the file %System%\loader_name.exeopenopenopen. If Gdiplus.dll is present on the computer, this file will be a .jpg or .gif image; otherwise it will be a .bmp file.

The following registry entry is created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\reg_key = %System%\loader_name.exe

If the system date is after January 25, 2005, the worm will exit from memory and delete its registry value, as well as the key:
HKEY_CURRENT_USER\SOFTWARE\base_reg_path

The worm opens a backdoor on TCP port 1234. It also allows the compromised system to be used as an email relay.

The worm attempts to copy itself to all folders containing the string "SHAR" in their names. The following files are created:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe