
Win32.HLLM.Beagle.15872

(WORM_BAGLE.DAM, Email-Worm.Win32.Bagle.a, I-Worm/Bagle.A, Win32/Bagle.A@mm, System error, WORM_BAGLE.A, W32.Beagle.A@mm, W32.Beagle.gen, Win32/Bagle.A!Worm, WORM_BAGLE.GEN, Parser error, WORM_BAGLE.FA, Win32.Bagle.A@mm, W32/Bagle.a@MM)

Added to the Dr.Web virus database: 2004-01-19

Virus description added:

Description

Win32.HLLM.Beagle.15872 is a rather fast-spreading mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems.

The worm is written in a high-level programming language and is packed with . The packed size of the worm's program module is 15,872 bytes.

The worm mass-mails its malicious copies to all addresses retrieved from files with .txt, .htm, .html and .wab extensions.
The worm runs only when a user of the affected computer executes it.
The worm hides its viral nature behind the icon of Calculator, a legitimate Windows application.
Once in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to connect to several web sites whose list is kept in the worm's code.

Launching

To secure its automatic execution at every Windows startup the worm adds the value
"d3update.exe" = "%SysDir%\BBEAGLE.EXE"
to the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and creates two more registry keys:

  • HKEY_CURRENT_USER\Software\Windows98
    "frun"
  • HKEY_CURRENT_USER\Software\Windows98
    "uid"

Spreading

The worm disseminates via e-mail using its own SMTP engine. It harvests addresses for propagation from the local Microsoft Windows address book and from files with .txt, .htm and .html extensions. Files containing the following strings are excluded from the search:

  • hotmail.com
  • msn.com
  • @microsoft
  • @avp.

The mail message infected with the worm looks as follows:

    Subject: Hi
    Message body:

     Test =)
     [sequence of random characters]
     Test, yep.

    The attachment name varies but always has the .EXE extension.
    Attachment size: 15,872 bytes

Action

Being executed, the worm checks the current system date. If the system date is later than January 28, it terminates immediately. If the system date is prior to January 28, the worm launches calc.exe, a standard Windows application, and drops its copy BBEAGLE.EXE into the Windows\System folder (C:\Windows\System in Windows 9x/ME, C:\WINNT\System32 in Windows NT/2000, C:\Windows\System32 in Windows XP).

When in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to connect to several web sites whose list is kept in the worm's code.

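As an added example that is not part of the Dr.Web entry, the following PowerShell script checks a Windows host for the indicators this entry describes: the Run value d3update.exe, the marker values under HKCU\Software\Windows98, the dropped BBEAGLE.EXE in the system folder and a listener on TCP port 6777. It assumes a modern Windows PowerShell where Get-NetTCPConnection is available and uses the NT-family system directory for the file check.

```powershell
# Added detection example (not Dr.Web code). Collects findings for the
# Win32.HLLM.Beagle.15872 indicators described above and prints them.
$findings = @()

# 1. Persistence: Run value "d3update.exe" pointing at BBEAGLE.EXE
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['d3update.exe']) {
    $findings += "Run value 'd3update.exe' = $($run.'d3update.exe')"
}

# 2. Marker values "frun" and "uid" under HKCU\Software\Windows98
$markerKey = 'HKCU:\Software\Windows98'
if (Test-Path $markerKey) {
    $marker = Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue
    foreach ($name in 'frun', 'uid') {
        if ($marker.PSObject.Properties[$name]) {
            $findings += "Marker value '$name' present under $markerKey"
        }
    }
}

# 3. Dropped copy in the system directory (System32 on NT/2000/XP and later)
$dropped = Join-Path ([Environment]::SystemDirectory) 'BBEAGLE.EXE'
if (Test-Path $dropped) {
    $size = (Get-Item $dropped).Length
    $findings += "Dropped file present: $dropped ($size bytes; entry states 15,872)"
}

# 4. Backdoor listener on TCP 6777, with the owning process for triage
Get-NetTCPConnection -State Listen -LocalPort 6777 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP 6777 listening, owner: $($proc.ProcessName) (PID $($_.OwningProcess))"
    }

if ($findings.Count -eq 0) { 'No Bagle.A indicators found.' } else { $findings }
```

Run it in the context of each user profile that logs on to the host, since the Run value and marker key live under HKEY_CURRENT_USER.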