W32.Beagle.BP@mm

Printer Friendly Page

Discovered: April 21, 2005
Updated: April 21, 2005 10:22:35 PM
Systems Affected: Windows

W32.Beagle.BP@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.

Discovered: April 21, 2005
Updated: April 21, 2005 10:22:35 PM
Systems Affected: Windows

W32.Beagle.BP@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.

When the worm is executed, it copies itself as the following file:
%System%\svc.exe

The worm creates following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"erthgdr" = "%System%\svc.exe"

It may create the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

The worm creates the following mutexes, which may prevent variants of Netsky from launching:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"My AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Zone Labs Client Ex"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"9XHtProtect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Antivirus "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Special Firewall Service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Tiny AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"ICQNet"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"HtProtect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"NetDy"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Jammer2nd"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"FirewallSvr"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"MsInfo"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"SysMonXP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"EasyAV" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"PandaAVEngine"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"Norton Antivirus AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"KasperskyAVEng"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"SkynetsRevenge"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"ICQ Net"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Zone Labs Client Ex"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"9XHtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Antivirus "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Special Firewall Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Tiny AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"ICQNet"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"HtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"NetDy"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Jammer2nd"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"FirewallSvr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"MsInfo"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"SysMonXP"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"EasyAV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"PandaAVEngine"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"Norton Antivirus AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"KasperskyAVEng"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"SkynetsRevenge"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"ICQ Net"

The worm connects to smtp.earthlink.net on TCP port 25 to verify network connectivity.

If the date is later than April 12, 2008, the worm attempts to delete the following registry entries and exits:
HKEY_CURRENT_USER\Software\ert
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n\"erthgdr"

The worm attempts to download a file from the following URL, saved locally as %System%\re_file.exe, and run the file:
http://loca2/s1.php
http://loca2/s3.php

The worm opens a back door on TCP port 80, which may act as a proxy server.

The worm attempts to access the following Web sites and download the file, saved locally as %Windir%\eml.exe:
http:/ /nudp.com/impp1art02.php
http:/ /nudp.com/impp1art03.php
http:/ /nudp.com/impp1art04.php
http:/ /nudp.com/impp1art05.php
http:/ /nudp.com/impp1art06.php
http:/ /nudp.com/impp1art07.php
http:/ /nudp.com/impp1art08.php
http:/ /nudp.com/impp1art09.php
http:/ /nudp.com/impp1art10.php
http:/ /nudp.com/impp1art11.php
http:/ /thelittleflirt.com/2/part02.php
http:/ /thelittleflirt.com/2/part03.php
http:/ /thelittleflirt.com/2/part04.php
http:/ /thelittleflirt.com/2/part05.php
http:/ /thelittleflirt.com/2/part06.php
http:/ /thelittleflirt.com/2/part07.php
http:/ /thelittleflirt.com/2/part08.php
http:/ /thelittleflirt.com/2/part09.php
http:/ /thelittleflirt.com/2/part10.php
http:/ /thelittleflirt.com/2/part11.php

The worm carries a Trojan.Tooso variant in its code. It attempts to email a copy of a Trojan.Tooso variant to the email addresses that are contained in the downloaded file.

The email has the following characteristics:

From: Spoofed.

Subject: Blank.

Message: <br><br>

Attachment: One of the following:
Price_new.zip
Price_new_16_04_05.zip
Work.zip
Be_not_jealous.zip

The attachment is an archive file that contains an executable copy of a Trojan.Tooso variant. The file name is one of the following,
18_04_2005.exe
14_04_2005.exe

The worm does not send itself to addresses containing the following strings:
@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip