W32.Beagle.AH@mm

Discovered: August 09, 2004
Updated: July 22, 2004 11:11:13 PM
Systems Affected: Windows

This is a mass-mailing worm that opens a backdoor on TCP port 1234 and
uses its own SMTP engine to spread through email.

This is a mass-mailing worm that installs a backdoor on infected
systems. It's packed using UPX.

When executed, the worm displays the following fake error message:
Error!
Can't find a viewer associated with the file

It creates the following 7 mutexes. Some of these will prevent variants
of Netsky from launching:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

In order to prevent other worms from executing on Windows startup, it
also deletes the following registry values:
"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"
from the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm then creates the following files:
%System%\FUKULAMER.exe
%System%\FUKULAMER.exeopen (a copy of the worm with randomly appended
data)
%System%\FUKULAMER.exeopenopenopenopen (not viral by itself)

It will also create the file %System%\FUKULAMER.exeopenopen, which is
either a .zip, .vbs, .cpl, or .hta file, or a copy of the worm itself.
Depending on the file type, one of the following applies:
If the file is a .zip file, it contains two randomly named files. One
is a .exe file and the other is a text file with a .ini, .cfg, .txt,
.vxd, .def, or .dll extension.
If the file is a .vbs file and is executed, it drops a file named
vss_2.exe into the current folder.
If the file is a .cpl file and is executed, it drops the file
%Windir%\cplstub.exe.
If the file is a .hta file and is executed, it drops a file named
qwrk.exe into the current folder.

It drops the file, %System%\FUKULAMER.exeopenopenopen. If the file
Gdiplus.dll is present on the computer, this file will be a .jpeg or
.gif. Otherwise it will be a .bmp file.

The following registry entry is created so that it executes every time
Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\reg_key
= %System%\FUKULAMER.exe

If the system date is after January 25, 2005, the worm will exit from
memory and delete its registry value, as well as the key:
HKEY_CURRENT_USER\SOFTWARE\base_reg_path

The worm attempts to copy itself into every folder whose name contains
the string SHAR, using the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

It will attempt to send itself to email addresses it gathers from files
on the compromised system with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The email message constructed by the worm typically has the following
properties:
The From address is spoofed.

Subject may be one of the following:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

If the attachment is a .zip file, then the message body will contain one
of the following messages:
For security reasons attached file is password protected. The password
is
For security purposes the attached file is password protected. Password
--
Note: Use password
Attached file is protected with the password for security reasons.
Password is
In order to read the attach you have to use the following password:
Archive password:
Password
Password:

followed by a 5-digit password or a copy of the image file dropped as
FUKULAMER.exeopenopenopen.

If the attachment is not a .zip file, the message body will be one of
the following:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

The attachment name will be one of the following:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

The attachment extension will be one of the following:
.hta
.vbs
.exe
.scr
.com
.cpl
.zip
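A defender-side triage check for the lure described above, written here as an added example (it is not code from the write-up or from any vendor tool): it parses a message with Python's standard email module, matches the subject, attachment-name and attachment-extension lists given above, and for a .zip lure looks for the 5-digit password in the body or for an attached image. The sample message is constructed inline, not a real capture.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the write-up above.
SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
}
ATTACH_NAMES = {"Information", "Details", "text_document", "Updates", "Readme",
                "Document", "Info", "MoreInfo", "Message"}
ATTACH_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl", "zip"}
# Every .zip lure body names a password followed by a 5-digit value.
PASSWORD_RE = re.compile(r"password\b[^\d\n]{0,60}(\d{5})\b", re.I)


def triage(raw: bytes) -> dict:
    """Return the Beagle.AH lure traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": str(msg["subject"] or "") in SUBJECTS, "attachment": False,
            "zip": False, "image": False, "password": None}
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        if stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits["attachment"] = True
            hits["zip"] = hits["zip"] or ext.lower() == "zip"
        # A .zip lure carries its password in the body text or as an attached image.
        hits["image"] = hits["image"] or part.get_content_maintype() == "image"
    body = msg.get_body(preferencelist=("plain",))
    found = PASSWORD_RE.search(body.get_content()) if body else None
    hits["password"] = found.group(1) if found else None
    # Subject plus attachment naming is the lure; a .zip also needs a password channel.
    hits["match"] = hits["subject"] and hits["attachment"] and (
        not hits["zip"] or hits["password"] is not None or hits["image"])
    return hits


def build_sample() -> bytes:
    """Constructed lure (not a real capture) in the zip-plus-password form."""
    m = EmailMessage()
    m["From"], m["To"] = "spoofed@example.invalid", "user@example.invalid"
    m["Subject"] = "RE: Protected message"
    m.set_content("For security reasons attached file is password protected.\n"
                  "The password is 48213\n")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="Details.zip")
    return bytes(m)
```

Run `triage()` over an mbox or mail-gateway quarantine to flag messages that combine the lure subject, attachment naming and password channel; any single trait on its own is too common to alert on.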

The worm will not send itself to addresses containing the following
strings:
@avp.
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

The worm also opens a backdoor on TCP port 1234, which allows the infected computer to be used as an email relay.