- July 4, 2004
- July 5, 2004 10:44:44 AM
W32.Beagle.Y@mm is a mass-mailing worm that installs a backdoor on infected systems. It sends itself to email addresses it gathers from files with the following extensions on the compromised system:
The email message constructed by the worm typically has the following properties:
The From address will be spoofed.
The subject may be one of the following:
Re: Msg reply
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
RE: Protected message
The message body is one of the following:
Read the attach.
Your file is attached.
More info is in attach
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
The attachment name will be one of the following:
The attachment extension will be one of the following:
When executed, the worm displays the following fake error message:
Can't find a viewer associated with the file
It then creates the following 7 mutexes:
Some of these will prevent variants of Netsky from launching. It also deletes several registry values in order to prevent other worms from executing on Windows startup:
"Zone Labs Client Ex"
"Special Firewall Service"
"Norton Antivirus AV"
from the keys:
The worm will then create the following files:
%System%\loader_name.exeopen (copy of the worm with randomly appended data)
The following registry entry is created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\reg_key = %System%\loader_name.exe
The worm opens a backdoor on TCP port 1234. It also allows the compromised system to be used as an email relay.
The worm attempts to copy itself to all folders containing the string "SHAR" in their names. The following files are created:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
The worm contains a copy of its own source code.
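A mail-triage check built from the subject and body strings listed above, shown as an added example that is not part of the original write-up. The function names, sample addresses and attachment bytes are constructed for illustration, and attachment names and extensions are not checked because their lists are not given on this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject and body strings copied from the write-up above.
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Thank you!", "Re: Thanks :)", "RE: Text message",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "RE: Protected message")}
BODIES = {b.lower() for b in (
    "Read the attach.", "Your file is attached.", "More info is in attach",
    "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.",
    "Attached file tells everything.", "Check attached file for details.",
    "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach",
    "Here is the file.")}

def norm(text):
    """Collapse whitespace and case so folded headers and CRLF bodies compare equal."""
    return " ".join(text.split()).lower()

def triage(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if norm(msg.get("Subject", "")) in SUBJECTS:
        reasons.append("subject")
    part = msg.get_body(preferencelist=("plain",))
    if part is not None and norm(part.get_content()) in BODIES:
        reasons.append("body")
    if next(msg.iter_attachments(), None) is not None:
        reasons.append("attachment")
    # Any one string alone is ordinary mail; require subject, body and attachment.
    verdict = "quarantine" if len(reasons) == 3 else "pass"
    return verdict, reasons

def sample(subject, body, attach=True):
    """Constructed test message; addresses and attachment bytes are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("RE: Incoming Msg", "Check attached file.")))
```

Requiring all three signals keeps ordinary replies such as "Re: Thank you!" out of quarantine, since the individual strings are common in legitimate mail.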