W32.Beagle.AR@mm

Discovered: September 28, 2004
Updated: September 28, 2004 7:12:52 PM
Systems Affected: Windows

This is a mass-mailing worm that uses its own SMTP engine to spread. The email attachment is a Mitglieder-like downloader that brings the worm from external sources.

The worm also has backdoor functionality, opening TCP and UDP port 81.

This is a mass-mailing worm that installs a backdoor on infected systems. It is packed with PeX.

The worm arrives as an email attachment whose name is one of the following, with the extension .com, .cpl, .exe, or .scr:
Price
price
Joke

The executable is a Mitglieder-like downloader. When executed, it downloads the worm from one of the following locations. The file is served as ws.jpg and is renamed from .jpg once it has been copied locally:
24-7-transportation.com/ws.jpg
DarrkSydebaby.com/ws.jpg
FritoPie.NET/ws.jpg
adhdtests.com/ws.jpg
aegee.org/ws.jpg
aimcenter.net/ws.jpg
alupass.lu/ws.jpg
amanit.ru/ws.jpg
andara.com/ws.jpg
angelartsanctuary.com/ws.jpg
anthonyflanagan.com/ws.jpg
approved1stmortgage.com/ws.jpg
argontech.net/ws.jpg
asianfestival.nl/ws.jpg
atlantisteste.hpg.com.br/ws.jpg
aviation-center.de/ws.jpg
bbsh.org/ws.jpg
bga-gsm.ru/ws.jpg
boneheadmusic.com/ws.jpg
bottombouncer.com/ws.jpg
bradster.com/ws.jpg
buddyboymusic.com/ws.jpg
bueroservice-it.de/ws.jpg
calderwoodinn.com/ws.jpg
capri-frames.de/ws.jpg
celula.com.mx/ws.jpg
ceskyhosting.cz/ws.jpg
chinasenfa.com/ws.jpg
cntv.info/ws.jpg
compsolutionstore.com/ws.jpg
coolfreepages.com/ws.jpg
corpsite.com/ws.jpg
couponcapital.net/ws.jpg
cpc.adv.br/ws.jpg
crystalrose.ca/ws.jpg
cscliberec.cz/ws.jpg
curtmarsh.com/ws.jpg
customloyal.com/ws.jpg
deadrobot.com/ws.jpg
dontbeaweekendparent.com/ws.jpg
dragcar.com/ws.jpg
ecofotos.com.br/ws.jpg
elenalazar.com/ws.jpg
ellarouge.com.au/ws.jpg
esperanzaparalafamilia.com/ws.jpg
eurostavba.sk/ws.jpg
everett.wednet.edu/ws.jpg
fcpages.com/ws.jpg
featech.com/ws.jpg
fepese.ufsc.br/ws.jpg
firstnightoceancounty.org/ws.jpg
flashcorp.com/ws.jpg
fleigutaetscher.ch/ws.jpg
fludir.is/ws.jpg
freeservers.com/ws.jpg
gamp.pl/ws.jpg
gci-bln.de/ws.jpg
gcnet.ru/ws.jpg
generationnow.net/ws.jpg
gfn.org/ws.jpg
giantrevenue.com/ws.jpg
glass.la/ws.jpg
handsforhealth.com/ws.jpg
hartacorporation.com/ws.jpg
himpsi.org/ws.jpg
idb-group.net/ws.jpg
immonaut.sk/ws.jpg
ims-i.com/ws.jpg
innnewport.com/ws.jpg
irakli.org/ws.jpg
irinaswelt.de/ws.jpg
jansenboiler.com/ws.jpg
jasnet.pl/ws.jpg
jhaforpresident.7p.com/ws.jpg
jimvann.com/ws.jpg
jldr.ca/ws.jpg
justrepublicans.com/ws.jpg
kencorbett.com/ws.jpg
knicks.nl/ws.jpg
kps4parents.com/ws.jpg
kradtraining.de/ws.jpg
kranenberg.de/ws.jpg
lasermach.com/ws.jpg
leonhendrix.com/ws.jpg
magicbottle.com.tw/ws.jpg
mass-i.kiev.ua/ws.jpg
mepbisu.de/ws.jpg
mepmh.de/ws.jpg
metal.pl/ws.jpg
mexis.com/ws.jpg
mongolische-renner.de/ws.jpg
mtfdesign.com/ws.jpg
oboe-online.com/ws.jpg
ohiolimo.com/ws.jpg
onepositiveplace.org/ws.jpg
oohlala-kirkland.com/ws.jpg
orari.net/ws.jpg
pankration.com/ws.jpg
pe-sh.com/ws.jpg
pfadfinder-leobersdorf.com/ws.jpg
pipni.cz/ws.jpg
polizeimotorrad.de/ws.jpg
programmierung2000.de/ws.jpg
pyrlandia-boogie.pl/ws.jpg
raecoinc.com/ws.jpg
realgps.com/ws.jpg
redlightpictures.com/ws.jpg
reliance-yachts.com/ws.jpg
relocationflorida.com/ws.jpg
rentalstation.com/ws.jpg
rieraquadros.com.br/ws.jpg
scanex-medical.fi/ws.jpg
sea.bz.it/ws.jpg
selu.edu/ws.jpg
sigi.lu/ws.jpg
sljinc.com/ws.jpg
smacgreetings.com/ws.jpg
soloconsulting.com/ws.jpg
spadochron.pl/ws.jpg
srg-neuburg.de/ws.jpg
ssmifc.ca/ws.jpg
sugardas.lt/ws.jpg
sunassetholdings.com/ws.jpg
szantomierz.art.pl/ws.jpg
the-fabulous-lions.de/ws.jpg
tivogoddess.com/ws.jpg
tkd2xcell.com/ws.jpg
topko.sk/ws.jpg
transportation.gov.bh/ws.jpg
travelchronic.de/ws.jpg
traverse.com/ws.jpg
uhcc.com/ws.jpg
ulpiano.org/ws.jpg
uslungiarue.it/ws.jpg
vandermost.de/ws.jpg
vbw.info/ws.jpg
velezcourtesymanagement.com/ws.jpg
velocityprint.com/ws.jpg
vikingpc.pl/ws.jpg
vinirforge.com/ws.jpg
wecompete.com/ws.jpg
worest.com.ar/ws.jpg
woundedshepherds.com/ws.jpg
wwwebad.com/ws.jpg
wwwebmaster.com/ws.jpg
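The download stage above leaves a distinctive trace in web-proxy logs: a GET for the path /ws.jpg from one of the listed hosts. The following script is an added example written for this page, not code from the original write-up; it assumes Squid's native access.log format, embeds only six of the hosts from the list above (a deployment would load the whole list), and runs over constructed sample lines. A /ws.jpg fetch from a host that is not on the list is reported separately for review rather than ignored, since the list was a snapshot at the time of analysis.

```python
"""Proxy-log detection for the Beagle.AR downloader stage (added example, not from the write-up)."""
from urllib.parse import urlsplit

# Six of the download hosts listed above; a deployment would load the whole list.
BEAGLE_DOWNLOAD_HOSTS = {
    "24-7-transportation.com", "aegee.org", "bbsh.org",
    "gfn.org", "selu.edu", "wwwebmaster.com",
}
BEAGLE_DOWNLOAD_PATH = "/ws.jpg"

KNOWN_HOST = "known Beagle.AR download host"
UNLISTED_HOST = "ws.jpg fetch from a host not on the list (review)"


def parse_squid_line(line):
    """Split a Squid native access.log line into (client_ip, method, url), or None if malformed.
    Assumed layout: time elapsed client action/code size method url ident hierarchy/from type."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[2], fields[5], fields[6]


def classify_request(url):
    """Return a reason string if the URL matches the downloader fetch pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").casefold()
    if parts.path.casefold() != BEAGLE_DOWNLOAD_PATH:
        return None
    return KNOWN_HOST if host in BEAGLE_DOWNLOAD_HOSTS else UNLISTED_HOST


def scan_log(lines):
    """Return (client_ip, url, reason) for every GET that matches; other lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, method, url = parsed
        if method != "GET":
            continue
        reason = classify_request(url)
        if reason is not None:
            findings.append((client, url, reason))
    return findings


# Constructed sample log: the client addresses, timestamps and the unlisted hosts are made up.
SAMPLE_LOG = """\
1096412345.123    234 10.0.0.5 TCP_MISS/200 4096 GET http://aegee.org/ws.jpg - DIRECT/192.0.2.10 image/jpeg
1096412346.001     87 10.0.0.7 TCP_HIT/200 1290 GET http://www.example.com/index.html - NONE/- text/html
1096412347.555    301 10.0.0.9 TCP_MISS/200 4096 GET http://unlisted.example.net/ws.jpg - DIRECT/192.0.2.20 image/jpeg
1096412348.010     12 10.0.0.9 TCP_MISS/404 310 GET http://example.org/photos/ws.jpg - DIRECT/192.0.2.30 text/html
""".splitlines()


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {reason}")
```

The path match is exact, so the fourth sample line (/photos/ws.jpg) is not reported; loosen that only if you have evidence the downloader used other paths. A client that appears in the findings should be checked for the files and registry value described further down on this page.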

The worm terminates the following security processes:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
ccProxy.exe
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

The downloaded files are executed, which activates the worm component.

The worm creates the following mutexes. Some of these will prevent variants of Netsky from launching:
'D'r'o'p'p'e'd'S'k'y'N'e't'
AdmSkynetJklS003
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
____--->>>>U<<<<--____

In order to prevent other worms from executing on Windows startup, it also deletes the following registry values:
"9XHtProtect"
"Antivirus "
"My AV"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"
"Zone Labs Client Ex"

from the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm then creates the following files:
%System%\bawindo.exe
%System%\bawindo.exeopen
%System%\bawindo.exeopenopen
%System%\re_file.exe

The following registry entry is created so that the worm executes every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"bawindo" = "%System%\bawindo.exe"

The worm attempts to copy itself into all folders whose names contain the string SHAR, using the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

The worm attempts to send itself to email addresses it gathers from files on the compromised system with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The email message constructed by the worm typically has the following properties:
The From address is spoofed.

Subject is one of the following:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)

Body text is:
:))
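The message properties above (subject, body text, attachment name and extension) are enough for a mail-gateway filter. The script below is an added example written for this page, not code from the original write-up; it parses a message with Python's standard `email` package, reports which indicators match, and treats the attachment name as the deciding indicator because "Re:" subjects and a ":))" body also occur in legitimate mail. The sample messages are constructed for the test, and the attachment content is placeholder bytes. Because the From address is spoofed, it is not used as an indicator.

```python
"""Mail-gateway check for the Beagle.AR message pattern (added example, not from the write-up)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up: attachment names and extensions, subjects, body text.
BEAGLE_SUBJECTS = {"Re:", "Re: Hello", "Re: Hi", "Re: Thank you!", "Re: Thanks :)"}
BEAGLE_BODY = ":))"
BEAGLE_ATTACHMENT_NAMES = {"price", "joke"}   # "Price", "price", "Joke", compared case-insensitively
BEAGLE_ATTACHMENT_EXTS = {".com", ".cpl", ".exe", ".scr"}


def attachment_matches(filename):
    """True if the name is one of the worm's attachment names with one of its extensions."""
    if not filename:
        return False
    m = re.fullmatch(r"(.+)(\.[^.]+)", filename.strip())
    if m is None:
        return False
    base, ext = m.group(1), m.group(2)
    return base.casefold() in BEAGLE_ATTACHMENT_NAMES and ext.casefold() in BEAGLE_ATTACHMENT_EXTS


def score_message(raw):
    """Parse one RFC 822 message (bytes) and list the indicators it matches, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in BEAGLE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BEAGLE_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if attachment_matches(name):
            hits.append("attachment:" + name)
    return hits


def is_beagle_ar(raw):
    """Verdict plus evidence: the attachment name decides, subject and body only corroborate."""
    hits = score_message(raw)
    return any(h.startswith("attachment:") for h in hits), hits


def build_sample(subject, body, attachment_name):
    """Constructed test message, not a captured worm email; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "spoofed-sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder, not an executable",
                     maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for args in (("Re: Hi", ":))", "Price.exe"),
                 ("Re: Hi", ":))", "notes.txt"),
                 ("Invoice 1234", "Please see attached.", "invoice.pdf")):
        print(args, "->", is_beagle_ar(build_sample(*args)))
```

On a gateway, `is_beagle_ar` would run on each inbound message before delivery; the evidence list is worth logging even for messages that are not blocked, since a burst of "Re:" subjects with a ":))" body from many senders is itself a sign that infected hosts are relaying through the port 81 backdoor described below.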

The worm will not send itself to addresses containing the following strings:
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

The worm also opens a backdoor on TCP and UDP port 81, which allows the infected computer to be used as an email relay.