Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Win32.HLLM.Beagle.28160

(WORM_BAGLE.D, Worm/Bagle.F.DOC, W32/Bagle.dll.gen, Email-Worm.Win32.Bagle.e, System error, W32.Beagle.gen, Win32.Worm.Bagle.e, WORM_BAGLE.GEN, I-Worm/Bagle.E, WORM_BAGLE.C, Win32.Worm.Bagle.c, Win32.Bagle.E@mm, Email-Worm.Win32.Bagle.c, Email-Worm.Win32.Bagle.d, Win32/Bagle.C!DLL2!Worm, WORM_BAGLE.E, I-Worm/Bagle.C, Worm:Win32/Bagle.E@mm, Win32.Bagle.D@mm, Win32.Worm.Bagle.d)

Added to the Dr.Web virus database: 2004-02-28

Virus description added:

Description

Win32.HLLM.Beagle.28160 (Beagle.C) is a mass-mailing worm hitting computers which are running under Windows 95/98/Me/NT/2000/XP. It arrives as an executable module packed with UPX compression utility. The packed file size is 15, 872 bytes. It may spread via e-mail as a zip-archive which size is 15, 944 bytes.

Launching

Being activated, the worm points to its copy in the system registry:

HKEY_LOCAL_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
\"gouday.exe\" = \"%SysDir%\\readme.exe\",

thus securing its subsequent launch at every Windows-session.

Spreading

the worm disseminates via e-mail, sending itself with the help of its own SMTP engine. The executable module of the worm is distributed inside the zip-archive attached to the message. The name for the archive is randomly chosen. The worm retrieves addresses for propagation from the files with the following extensions:

         .wab 
         .txt 
         .htm 
         .html 
         .dbx 
         .mdx 
         .eml 
         .nch 
         .mmf 
         .ods 
         .cfg 
         .asp 
         .php 
         .pl 
         .adb 
         .sht
         
The address containing the following strings are excluded from the search:
         @hotmail.com 
         @msn.com 
         @microsoft 
         @avp. 
         noreply 
         local 
         root@ 
         postmaster@
         
The subject of the message the worm distributes itself with may be one of the following:
        Price
        New Price-list
        Hardware devices price-list
        Weekly activity report
        Daily activity report
        Maria
        Jenny
        Jessica
        Registration confirmation
        USA government abolishes the capital punishment
        Freedom for everyone
        Flayers among us
        From Hair-cutter
        Melissa
        Camila
        Price-list
        Pricelist
        Price list
        Hello my friend
        Hi!
        Well...
        Greet the day
        The account
        Looking for the report
        You really love me? he he
        You are dismissed
        Accounts department
        From me
        Monthly incomings summary
        The summary
        Proclivity to servitude
        Ahtung!
        The employee
        
        

Action

Being executed, the worm creates its copy in the Windows\\System folder (in Windows 9x/ME it’s C:\\Windows\\System, in Windows NT/2000 it’s C:\\WINNT\\System32, in Windows XP it’s C:\\Windows\\System32) and also drops several more files to the same folder:

  • doc.exe – procedure loading a system library
  • onde.exe - system library containing the mass-mailing procedure to send out the worm via e-mail
  • readme.exeopen - a zip-archive with the worm\'s executable module, randomly named; this archive file is mail out by the worm
  • The worm injects its mass mailing procedure to the address space of Explorer. Besides, it opens port 2745 and starts listening the Internet waiting for external instructions from its creator. Thus, the worm does not exist as an independent process in memory, it actually parasitize in one of the main process of Windows.

    The backdoor procedure run by the worm, contains one more destructive feature. It blocks execution of different virus updating applications of the following antivirus programs:

              ATUPDATER.EXE
              AVWUPD32.EXE
              AVPUPD.EXE
              LUALL.EXE
              DRWEBUPW.EXE
              ICSSUPPNT.EXE
              ICSUPP95.EXE
              UPDATE.EXE
              NUPGRADE.EXE
              ATUPDATER.EXE
              AUPDATE.EXE
              AUTODOWN.EXE
              AUTOTRACE.EXE
              AUTOUPDATE.EXE
              AVXQUAR.EXE
              CFIAUDIT.EXE
              MCUPDATE.EXE
              NUPGRADE.EXE
              OUTPOST.EXE
              AVLTMAIN.EXE
              
    Pay attention, that Dr.Web updating utility (DRWEBUPW.EXE) is on the list too and this makes difficult worm’s detection by antivirus means. If you failed to run the updating utility we recommend to delete from the system registry the entry pointing to the worm’s copy (see above) and then reboot the system. This time the updating utility will normally function.

    besides, the backdoor procedure makes attempts to connect to the following web sites:

             http: // permail.uni-muenster.de/
             http: // www. songtext.net/de/
             http: // www. sportscheck.de/ 
             
    and send there a number of the port opened and the ID of the infected system to PHP-application.

    If the system date in the infected machine equals or exceeds March 14, the worm immediately terminates.