W32.Beagle.AQ@mm

Discovered: August 31, 2004
Updated: September 01, 2004 7:03:35 AM
Systems Affected: Windows

This is a mass-mailing worm that uses its own SMTP engine to spread. The email attachment is not the worm itself but a Mitglieder-like downloader that fetches the worm body from external web sites.

The worm also has backdoor functionality, listening on TCP and UDP port 80.

The worm creates the following files:
%System%\windll.exe
%System%\windll.exeopen
%System%\windll.exeopenopen

The following registry entry is created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr = %System%\windll.exe

The worm creates the following mutexes. Some of these will prevent variants of Netsky from launching:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The Trojan stops the "SharedAccess" service (Internet Connection Sharing / Internet Connection Firewall on Windows XP) and sets its Startup type to Disabled. It also attempts to terminate the following processes, mostly antivirus and firewall updaters:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE

In order to prevent other worms from executing on Windows startup, the Trojan also deletes the following registry values:
"9XHtProtect"
"Antivirus "
"My AV"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"
"Zone Labs Client Ex"
from the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

Due to a bug in the worm, it attempts to delete these values from the misspelt key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
rather than from the usual startup key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Because the Ru1n key does not normally exist, these deletions have no effect on the real startup entries.

The worm attempts to copy itself into every folder whose name contains the string "shar" (typically peer-to-peer shared folders), using the following file names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The executable is a Mitglieder-like downloader. When it is executed, it downloads 6.jpg or b.jpg (an executable despite the image extension) from one of the following sites and saves it as %System%\_re_file.exe:
allianzsp.sk
coolweb.psg.sk
cryofthespirit.com
dollypop.com
execpage.com
helpdemos.com
helpingyouth.org
jamesbronner.com
koti.pl
miracle.v6.cz
mountainwings.com
mountainwings4.com
naturalpros.com
oracal.pl
shock.evernet.com.pl
SportLine.go.ro
stroipolymer.ru
theonlineword.com
virtualchurch.com
visionforsouls.org
wingsoverlife.com
www.1800thewoman.com
www.1944.pl
www.45partsdepot.com
www.7pe.friko.pl
www.air-computers.com.ar
www.ametist.spb.ru
www.apodis.pl
www.arrasy.pl
www.arthurspeaks.com
www.astermed.pl
www.atomique.pl
www.atw.hu
www.avatar.ee
www.avers.com.pl
www.baltexpo.spb.ru
www.bomart.cz
www.bravo.gliwice.pl
www.bronnerbros.com
www.buycare.com
www.cumparacd.go.ro
www.da-rom.co.il
www.domu.net
www.eastandard.co.ke
www.elblu.republika.pl
www.elcorsy.com
www.elite-style.com
www.enduser1.fast.net
www.enitex.by
www.enitex-m.by
www.eris.pl
www.europharm.pl
www.extreme-racing.lg.ua
www.fotel.pl
www.fotolab.sk
www.frater.hu
www.gardameditech.com
www.generex.de
www.goldgates.com
www.goodboy.dem.ru
www.hards.pl
www.healthcometh.com
www.holz-studio.at
www.ibplus.sk
www.icpnet.pl
www.inlan.sk
www.jamesbronner.com
www.jbplus.cz
www.justmatchit.com
www.kubtelecom.ru
www.kuda.com.ua
www.lacittadifiorenzuola.it
www.lotusdog.net
www.ltvo.spb.ru
www.master.pl
www.members.aon.at
www.moteplassen1.com
www.mountainwings2.com
www.multifoto.sk
www.nadodrze.pl
www.nairobiwebspace.com
www.nameitright.com
www.nardo.bbe.pl
www.netland.gda.pl
www.netta.pl
www.nikola.piwko.pl
www.ntrlab.com
www.nustep.sk
www.octava.pl
www.odevnictvo.sk
www.oftza.friko.pl
www.oktbroiler.ru
www.online40.com
www.online50.com
www.oto.lv
www.pancoopzsv.co.yu
www.pay5495.com
www.pc-hard.com.ua
www.perfect-beauty.at
www.pharmag.pl
www.polsl.katowice.pl
www.prophetcollins.com
www.propi.cz
www.pursuit.rv.ua
www.pyrlandia-boogie.pl
www.quatro.sk
www.r-bazar.ru
www.roszkowski.pl
www.silvic.ro
www.sincron.go.ro
www.skylive.pl
www.smgkrc.pl
www.soulring.com
www.star-max.it
www.sunbud.com.pl
www.swez.net
www.system5electronics.com
www.tcvwebtv.com.ar
www.thewoman.com
www.tivis.cz
www.ukpl.pl
www.vacation-network.net
www.wyspian.iap.pl
www.zasada-rowery.pl

The downloader component adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wersds = "%System%\doriot.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wersds = "%System%\doriot.exe"

It creates the following files:
%System%\Doriot.exe (A copy of foto1.exe)
%System%\Gdqfw.exe (A downloader module)

It has been reported that in some samples the files %System%\Doriot.exe and %System%\Gdqfw.exe are instead named %System%\wwnrot.exe and %System%\ewerfw.exe respectively.
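The host list above is most useful as a hunting list for web proxy logs: a request for 6.jpg or b.jpg from any of these sites is the downloader stage firing, and any other request to them is worth a look. The PowerShell below is an added example and not part of the original writeup; it assumes a simple whitespace-separated log format (date, time, client IP, method, URL, status) that is stated in the comments, the sample lines are constructed, the function name Find-BeagleDownloads is arbitrary, and the host list holds only a subset of the sites named above, to be extended with the rest.

```powershell
# Added example (not from the original writeup): hunt proxy logs for the
# Beagle.AQ downloader stage. Assumed log format, one request per line:
#   <yyyy-MM-dd> <HH:mm:ss> <client-ip> <method> <url> <status>
Set-StrictMode -Version Latest

# Subset of the download hosts listed in the writeup; paste in the full list for real use.
$BeagleHosts = @(
    'allianzsp.sk', 'coolweb.psg.sk', 'cryofthespirit.com', 'mountainwings.com',
    'www.1944.pl', 'www.eastandard.co.ke', 'www.generex.de', 'www.zasada-rowery.pl'
)
# The two file names the downloader requests (saved locally as _re_file.exe).
$BeaglePayloads = @('6.jpg', 'b.jpg')

function Find-BeagleDownloads {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }          # malformed line, skip it
        $u = $null
        if (-not [Uri]::TryCreate($f[4], [UriKind]::Absolute, [ref]$u)) { continue }
        $hostName = $u.Host.ToLowerInvariant()
        # The writeup lists some hosts with and some without "www.", so match both forms.
        $inList = ($BeagleHosts -contains $hostName) -or
                  ($BeagleHosts -contains "www.$hostName") -or
                  ($BeagleHosts -contains ($hostName -replace '^www\.', ''))
        if (-not $inList) { continue }
        $leaf = [IO.Path]::GetFileName($u.AbsolutePath).ToLowerInvariant()
        [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            Client   = $f[2]
            Host     = $hostName
            Path     = $u.AbsolutePath
            Status   = $f[5]
            # A fetch of 6.jpg/b.jpg is the downloader itself; anything else is a weaker signal.
            Severity = $(if ($BeaglePayloads -contains $leaf) { 'high' } else { 'low' })
        }
    }
}

# Constructed sample lines (not real traffic) so the function runs offline.
$sample = @(
    '2004-09-01 07:01:12 10.0.0.15 GET http://www.1944.pl/6.jpg 200',
    '2004-09-01 07:01:13 10.0.0.15 GET http://www.example.org/index.html 200',
    '2004-09-01 07:02:40 10.0.0.22 GET http://mountainwings.com/b.jpg 404',
    '2004-09-01 07:03:05 10.0.0.31 GET http://cryofthespirit.com/about.htm 200'
)
Find-BeagleDownloads -LogLines $sample | Format-Table -AutoSize
```

A 404 still matters: the client that asked for b.jpg has already run the attachment, even if the site had been cleaned by then. Feed real logs with `Get-Content proxy.log | Find-BeagleDownloads` after adjusting the field positions to your proxy's format.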

The worm harvests email addresses from files with the following extensions on the compromised computer and attempts to send itself to them:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The email message constructed by the worm typically has the following properties:
The From address is spoofed.

The attachment is named "fotos.zip" and contains a foto.html file and foto1.exe (the downloader). The code contains a mechanism to password-protect the zip file, but because of bugs in that code the archive is never actually encrypted.
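Because the password protection never works, the archive arrives as a plain ZIP and a mail gateway can look inside it rather than relying on the attachment name alone. The PowerShell below is an added example, not code from the original writeup: it parses the ZIP central directory directly (entry names and the encryption bit of the general-purpose flag) and returns a verdict for the fotos.zip / foto.html / foto1.exe shape. The function names are arbitrary and the sample archive is constructed in memory with .NET using placeholder bytes, not the real payload.

```powershell
# Added example (not from the original writeup): flag a mail attachment that
# matches the Beagle.AQ pattern -- fotos.zip holding foto.html and foto1.exe,
# stored without the password protection the worm's code intended.
Set-StrictMode -Version Latest

function Get-ZipCentralDirectory {
    # Walk the ZIP central directory and emit one object per entry:
    # its name and whether bit 0 of the general-purpose flag (encryption) is set.
    param([byte[]]$Bytes)
    $eocd = -1
    # The end-of-central-directory record is 22 bytes plus an optional comment (max 65535).
    for ($i = $Bytes.Length - 22; $i -ge [Math]::Max(0, $Bytes.Length - 22 - 65535); $i--) {
        if ([BitConverter]::ToUInt32($Bytes, $i) -eq 0x06054b50) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw 'Not a ZIP file: end-of-central-directory record not found' }
    $entryCount = [BitConverter]::ToUInt16($Bytes, $eocd + 10)   # total entries
    $pos        = [int][BitConverter]::ToUInt32($Bytes, $eocd + 16)   # central directory offset
    for ($n = 0; $n -lt $entryCount; $n++) {
        if ([BitConverter]::ToUInt32($Bytes, $pos) -ne 0x02014b50) { throw 'Corrupt central directory' }
        $flags      = [BitConverter]::ToUInt16($Bytes, $pos + 8)
        $nameLen    = [BitConverter]::ToUInt16($Bytes, $pos + 28)
        $extraLen   = [BitConverter]::ToUInt16($Bytes, $pos + 30)
        $commentLen = [BitConverter]::ToUInt16($Bytes, $pos + 32)
        $name = [Text.Encoding]::ASCII.GetString($Bytes, $pos + 46, $nameLen)
        [pscustomobject]@{ Name = $name; Encrypted = (($flags -band 1) -ne 0) }
        $pos += 46 + $nameLen + $extraLen + $commentLen
    }
}

function Test-BeagleAQAttachment {
    # True when the attachment is named fotos.zip (case-insensitive, as -ne is in
    # PowerShell), holds foto.html and foto1.exe, and no entry is encrypted.
    param([string]$FileName, [byte[]]$Bytes)
    if ($FileName -ne 'fotos.zip') { return $false }
    $entries = @(Get-ZipCentralDirectory -Bytes $Bytes)
    $names   = @($entries | ForEach-Object { $_.Name.ToLowerInvariant() })
    $hasPair = ($names -contains 'foto.html') -and ($names -contains 'foto1.exe')
    $plain   = -not ($entries | Where-Object Encrypted)
    return ($hasPair -and $plain)
}

# Constructed sample: build a fotos.zip in memory so the check runs offline.
Add-Type -AssemblyName System.IO.Compression
$ms  = New-Object System.IO.MemoryStream
$zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
foreach ($member in 'foto.html', 'foto1.exe') {
    $w = $zip.CreateEntry($member).Open()
    $w.Write([byte[]](0x4d, 0x5a, 0x90, 0x00), 0, 4)   # placeholder bytes, not the real payload
    $w.Dispose()
}
$zip.Dispose()   # writes the central directory
$sample = $ms.ToArray()
Test-BeagleAQAttachment -FileName 'fotos.zip' -Bytes $sample
```

Parsing the central directory rather than trusting the extension means a renamed archive, or one where the author later fixed the encryption bug, is reported differently: an encrypted fotos.zip returns False here and should be routed to a stricter policy (block or quarantine) instead of being scanned.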

The worm will not send itself to addresses containing the following strings:
@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

The worm also opens a backdoor on TCP and UDP port 80, which allows the infected computer to be used as an email relay.
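The artifacts scattered through this writeup (the windll.exe files, the erthgdr and wersds Run values, the Netsky-style mutexes, the disabled SharedAccess service, the peer-to-peer drop names and the port 80 backdoor) fit naturally into one read-only host triage. The PowerShell below is an added example and not part of the original writeup; it is meant for a modern Windows host (PowerShell 5.1 or later, with the NetTCPIP cmdlets) and only reports, it removes nothing. The function names are arbitrary, the share-folder name list is a subset of the one given above, and the script checks both the real Run key and the misspelt Ru1n key because the writeup names both.

```powershell
# Added example (not from the original writeup): read-only triage for Beagle.AQ
# artifacts. Run from an elevated PowerShell so registry, service and socket
# ownership queries succeed.
Set-StrictMode -Version Latest
$sys = [Environment]::GetFolderPath('System')   # %System%

$Files = 'windll.exe', 'windll.exeopen', 'windll.exeopenopen', '_re_file.exe',
         'doriot.exe', 'gdqfw.exe', 'wwnrot.exe', 'ewerfw.exe' |
         ForEach-Object { Join-Path $sys $_ }
$Mutexes = 'MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D', "'D'r'o'p'p'e'd'S'k'y'N'e't'",
           '_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_', '[SkyNet.cz]SystemsMutex',
           'AdmSkynetJklS003', '____--->>>>U<<<<--____', '_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_'
$RunValues = 'erthgdr', 'wersds'
# Check the real Run key and the misspelt Ru1n key the writeup mentions; no
# legitimate software uses Ru1n, so its mere presence is worth reporting.
$RunKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in 'Run', 'Ru1n') { "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" }
}
# Subset of the peer-to-peer drop names from the writeup; extend with the full list.
$ShareDropNames = 'Serials.txt.exe', 'Porno Screensaver.scr', 'Opera 8 New!.exe', 'ACDSee 9.exe'

function Test-BeagleMutex([string]$Name) {
    # OpenExisting succeeds only if some process currently holds the mutex.
    try { $m = [System.Threading.Mutex]::OpenExisting($Name); $m.Dispose(); return $true }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
    catch [System.UnauthorizedAccessException] { return $true }   # exists, but we lack rights
    catch { return $false }
}

function Find-BeagleShareDrops([string]$Root = 'C:\') {
    # Folders whose name contains "shar", holding any of the known drop names.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object Name -like '*shar*' |
        Get-ChildItem -File -ErrorAction SilentlyContinue |
        Where-Object { $ShareDropNames -contains $_.Name } |
        Select-Object -ExpandProperty FullName
}

function Get-BeagleTriage {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Kind, $Detail) $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail }) }

    foreach ($f in $Files) { if (Test-Path -LiteralPath $f) { & $add 'file' $f } }

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($key -like '*\Ru1n') { & $add 'registry' "unexpected key exists: $key" }
        $props = Get-ItemProperty -Path $key
        foreach ($v in $RunValues) {
            if ($props.PSObject.Properties.Name -contains $v) { & $add 'registry' "$key\$v = $($props.$v)" }
        }
    }

    foreach ($m in $Mutexes) { if (Test-BeagleMutex $m) { & $add 'mutex' $m } }

    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -eq 'Disabled') { & $add 'service' 'SharedAccess startup type is Disabled' }

    # Backdoor / mail relay listener on port 80; report the owning process so a
    # genuine web server can be told apart from windll.exe.
    Get-NetTCPConnection -State Listen -LocalPort 80 -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        & $add 'listener' "tcp/80 owned by PID $($_.OwningProcess) ($(if ($p) { $p.ProcessName } else { 'unknown' }))"
    }
    Get-NetUDPEndpoint -LocalPort 80 -ErrorAction SilentlyContinue | ForEach-Object {
        & $add 'listener' "udp/80 owned by PID $($_.OwningProcess)"
    }

    foreach ($drop in Find-BeagleShareDrops) { & $add 'share-drop' $drop }
    return $findings
}

Get-BeagleTriage | Format-Table -AutoSize
```

A single finding is not proof on its own: TCP port 80 is legitimately held by IIS, and SharedAccess is disabled on many managed hosts. The combination that matters is a Run value pointing at windll.exe or doriot.exe together with one of the mutexes held by a process that is not an antivirus product. On hosts too old for Get-NetTCPConnection, `netstat -ano` gives the same PID-to-port mapping.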