Beagle
Worms (AKA "Bagle Worms")
Beagle.A
The Beagle.A (W32.Beagle.A@mm) worm is another mass-mailing worm
that targets Windows systems. It arrives as a randomly named
.exe attachment in a message with the subject "Hi" and a body
of random characters, generally followed by "Test, yep."
Opening the attachment infects the system if antivirus software
has not been updated and if the system date is January 28, 2004,
or earlier.
The worm copies itself to %systemroot%\bbeagle.exe
and then adds the value "d3dupdate.exe" = "%systemroot%\bbeagle.exe" to
the following key in the infected system's Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
This causes Beagle.A to run whenever the user who opened the
attachment logs on the system. Additionally, Beagle.A adds values
for "uid" and "frun" in HKEY_CURRENT_USER\Software\Windows98.
Next, Beagle.A searches files such as .wab, .txt, and .htm
files for email addresses, then uses its own mail engine
to send messages containing copies of its code to the addresses
it finds. It opens TCP port 6777 so that remote attackers
can run commands, download additional programs, and stop
or erase the worm. Several victims of
Beagle.A infections have, for example, reported that a Trojan
horse, Trojan.Mitglieder.C, was also found on their computers.
Beagle.A also spawns a process that connects to a Web server,
at IP address 151.201.0.39, to notify the author of each system
that it has infected. The worm is programmed to quit infecting
systems after January 28, 2004, although it (like Sobig.F) will
continue to infect systems with improperly set system clocks
after this date. If your system becomes infected, follow the
procedures described here.
Additionally, Beagle.A accepts a remote uninstall command on
port 6777. For example, you could use Perl and netcat to send
the following command, which deletes the Beagle.A code from the
infected system (in Perl, "\x0412" is the byte 0x04 followed by
the characters "1" and "2", because \x takes at most two hex digits):
perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' | nc <IP_of_infected_system> 6777
Note, however, that sending this command to infected systems
will not delete the Registry entries that Beagle.A has added.
Beagle.E
The Beagle.E (W32.Beagle.E@mm or Win32.Bagle.E) worm is another
mutant of the Beagle mass-mailing worm that targets Windows
computers. It arrives as a message from a spoofed address,
one it has found in systems that it has infected. The subject
of each message varies; examples include “Hello my friend,”
“Melissa,” “The account,” and “You
are dismissed.” The actual message content is “Request,”
“Empty,” “Response,” “Everything
inside the attach,” “Look it through,” and
“Cya.” The attachment is a zipped .exe file, but
each message contains an icon of a graphics file to deceive
users into thinking that the attachment is not an executable.
The name of the attachment consists of random characters.
If a user opens the attachment (and enters the password, if
the file is password-protected), Beagle.E determines whether
the system date is after March 25, 2004. If it is, the worm
uninstalls itself. Otherwise, it creates a mutex named "imain_mutex"
and then writes a copy of itself as %systemroot%\i1ru74n4.exe.
If the running copy is not named i1ru74n4.exe, or is not in the
system folder, Beagle.E also starts notepad.exe. It also creates
several files: %systemroot%\godo.exe (the mail engine Beagle.E
uses; despite the .exe extension it is actually a dynamic link
library), %systemroot%\i455nj4.exe (used to load godo.exe),
and a zip file, %systemroot%\i1ru74n4.exeopen. Beagle.E also adds
"rate.exe"="%systemroot%\i1ru74n4.exe"
to the
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the Registry, so that Beagle.E starts whenever the infected
system boots. Additionally, it adds the values "uid"="[random number]",
"port"="2745", and "frun"="1" to the Registry key:
HKEY_CURRENT_USER\SOFTWARE\DateTime4
Beagle.E also opens a backdoor on TCP port 2745, which lets
the worm's author remotely access the victim system by sending
a predetermined input string. Additionally, this worm attempts
to inform its author of each system it has infected by sending
information about each victim system to three Web sites:
postertog.de, www.maiklibis.de, and www.gfotxt.net.
Next it tries to stop processes such as autotrace.exe, icssuppnt.exe,
and update.exe that update anti-virus software and/or patch
vulnerabilities. It creates a mail engine and sends messages
containing infected attachments to addresses that it has located
in the infected system’s address books.
If your system should become infected with the Beagle.E worm,
go here
for details concerning how to remove this worm and the changes
it has made from your system.
Beagle.F
The Beagle.F (W32.Beagle.F@mm or Win32.Bagle.F) worm is a
mutant of the Beagle mass mailing worm that targets Windows
computers. It arrives as a message from a bogus sender’s
address, based on email addresses it has found in systems
that it infects (as explained more fully later). The subject
varies widely; examples include “Hey, dude, it's me
^_^ :P,” “Gallery photos,” “Hi! :-),”
“^_^ meay-meay!,” “^_^ mew-mew (-:,”
“My beautiful person,” “My photos,”
and a variety of women’s names. A variety of message bodies
is displayed, including “i love to chat to just about anyone!!,”
“Argh, i don't like the plaintext :),” and “Looking
forward for a response :P.” Attachment names have an extension
of .exe, .scr, or .zip. Each message carries a file-folder icon
to deceive users into thinking that the attachment is a folder.
.zip files may be password-protected; if so, Beagle.F includes
one of the following strings in the message: “password: %s,”
“pass: %s,” “archive password: %s,” or “password for archive: %s.”
If a user opens the attachment (and enters the password, if
the file is password-protected), Beagle.F determines whether
the system date is after March 25, 2004. If it is, the worm
uninstalls itself, but if not, it creates a mutex called "imain_mutex."
It then writes itself as %systemroot%\i1ru54n4.exe and creates
several files: %systemroot%\go54o.exe (used for the mail engine
Beagle.F creates), %systemroot%\ii5nj4.exe (used to load another
dynamic link library), and %systemroot%\i1ru54n4.exeopen (a
.zip file). This worm also adds
"rate.exe"="%systemroot%\i1ru54n4.exe"
to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the Registry, causing Beagle.F to start whenever the
infected system boots. Additionally, it adds the value "frun"="1"
to
HKEY_CURRENT_USER\Software\winword
Beagle.F sets up backdoor access on TCP port 2745, enabling
this worm’s author to gain unauthorized remote access
to the victim system by sending a certain input string. Furthermore,
this worm notifies its author by transmitting information
about the victim system to certain Web sites, postertog.de,
www.maiklibis.de, and www.gfotxt.net. Then it tries to stop
processes such as atupdater.exe, icssuppnt.exe, mcupdate.exe,
and nupgrade.exe that update anti-virus software and/or patch
vulnerabilities. It creates a mail engine and starts spewing
messages with infected attachments to addresses that it has
found in the infected system’s address books and also
tries to spread itself through peer-to-peer file-sharing networks
such as KaZaA and Gnutella by inserting itself into the folders
with "shar" in their names.
If your system should become infected with the Beagle.F worm,
go here
for details concerning how to remove this worm and the changes
it has made from your system.
Beagle.I
The Beagle.I (W32.Beagle.I@mm or Win32.Bagle.I) worm is one
of the many variants of the Beagle mass-mailing worm programmed
to infect Windows systems. It arrives as a message with one
of the following subjects: “Hi! :-),” “ello! =)),”
“^_^ meay-meay!,” “^_^ mew-mew (-:,” “Hey, ya! =)),”
“Weah, hello! :-),” or “Weeeeee! ;))).” The indicated
sender’s address is spoofed, with each apparent address
obtained from address books in infected systems (as described
below). The message body is “The access is open !!!,”
“You have won!!!,” “Hey, dude, it's me ^_^ :P,” or
“Argh, i don't like the plaintext :)” followed by
“btw <random string> is a password for archive.” Each message
contains an attachment consisting of a .zip file with a name
such as Text, Document, TextDocument, TextFile, Message, Msg,
Msginfo, Readme, or Letter, among others.
Unless the system’s anti-virus software is up to date,
when someone uses the provided password to open the attachment,
Beagle.I creates a mutex called "imain_mutex." Afterwards
this worm copies itself to %systemroot%\i11r54n4.exe on the
infected computer. Beagle.I then causes itself to start with
every boot by adding the value "rate.exe"="%System%\i11r54n4.exe"
to the following Registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Beagle.I also sets up unauthorized backdoor access via TCP
port 2745 so that whoever wrote this worm can remotely control
the compromised system by sending a specially formatted text
string to the infected machine on this port. Furthermore,
this worm sends HTTP GET requests to www.gfotxt.net, postertog.de,
and www.maiklibis.de, and then attempts to kill processes that
are used for obtaining security updates and updating anti-virus
software, such as aupdate.exe, autodown.exe, avltmain.exe,
drwebupw.exe, icssuppnt.exe, luall.exe, nupgrade.exe, and outpost.exe.
Next, Beagle.I attempts to find files on hard drives with
extensions such as .html, .sht, .nch, and .ods to try to find
email addresses. To spread in peer-to-peer file-sharing networks
such as KaZaA, eDonkey, and BearShare, Beagle.I writes itself
into folders in which the string "shar" is in their
names. It then creates an SMTP engine that includes custom
MIME-encoding to create and send messages with infected attachments
to addresses it has gleaned.
If your system is infected with the Beagle.I worm, go to
here
for recovery instructions.
Beagle.J
The Beagle.J (W32.Beagle.J@mm or Win32.Bagle.J) worm is still
another mutation of the Beagle mass mailing worm that attacks
Windows systems. It arrives as a message with a subject that
indicates there is some kind of trouble with the user’s
email account, such as “E-mail account disabling warning.”
The indicated sender’s address is falsified; it can
be “staff,” “support,” “owner,”
“administration” (or “administrator”),
“management,” or “noreply,” followed
by the recipient’s domain (e.g., lbl.gov). Beagle.J
might, for instance, send out messages with a sender name
of “staff@lbl.gov.” Each message starts with “Dear
user” or “Hello user.” The message body
ensues, after which there is an additional line informing
the recipient to see an attached file (e.g., “For more
information see the attached file.”), followed by a
farewell and the name of the team that has ostensibly sent
the message. Attachments have an extension of .zip or .pdf.
If the attachment is zipped, the message will include an additional
line informing the recipient that the file is password-protected
and that a password that is provided in the message will open
the file.
The following is a copy of a Beagle.J-generated message actually
received by a Lab user:
Hello user of Lbl.gov e-mail server,
Our main mailing server will be temporary unavaible for
next two days,
to continue receiving mail in these days you have to configure
our free
auto-forwarding service.
Please, read the attach for further details.
For security reasons attached file is password protected.
The password is "82818".
Best wishes,
The Lbl.gov team
Note that the actual message content differs from one message
to another.
Whenever anyone opens the attachment, Beagle.J writes itself
to %systemroot%\irun4.exe
in the infected system. Next, Beagle.J ensures that it will
execute each time the infected system starts. It changes the
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry key
by adding the following value:
"ssate.exe"="%systemroot%\irun4.exe"
Next, Beagle.J creates remote backdoor access on TCP port
2745 so that the worm author can access the infected system
by sending certain input. This worm also sends HTTP GET requests
to www.maiklibis.de, www.gfotxt.net, and postertog.de, and then
attempts to halt processes that are used for retrieving security
updates and updating anti-virus software, such as autoupdate.exe
and update.exe. Beagle.J then attempts to find files on hard
drives with extensions such as .htm, .eml, .asp, and .tbb
to find address books that contain email addresses. To spread
across peer-to-peer file-sharing networks such as Kazaa, BitTorrent,
and eMule, Beagle.J copies itself into folders with the string
"shar" in their names. It then creates an SMTP engine
with custom MIME-encoding to transmit messages with attachments
containing the worm executable to addresses it has discovered
in any address book.
If your Windows system becomes infected with Beagle.J worm,
go here
for recovery procedures.
Beagle.K
The Beagle.K (W32.Beagle.K@mm or Win32.Bagle.K) worm is yet
another variant of the Beagle mass mailing worm that attacks
Windows systems. It arrives as a message with a subject that
indicates there is some kind of trouble with the user’s
email account, such as “E-mail account disabling warning.”
The indicated sender’s address is falsified; it can
be “staff,” “support,” “owner,”
“administration” (or “administrator”),
“management,” or “noreply,” followed
by the recipient’s domain (e.g., lbl.gov). For example,
Beagle.K might send messages appearing to come from management@lbl.gov.
The body of each message starts with “Dear user”
or “Hello user.” The message body follows, after
which an additional line that tells the recipient to see an
attached file (e.g., “Further details can be obtained
from attached file”) appears, followed by a farewell
salutation and the name of the team that has allegedly sent
the message. If the attachment is zipped, the message will
include an additional line stating that the file is password-protected
and that a password that is provided in the message will open
the file.
The following is a copy of a Beagle.K-generated message actually
received by a Lab user:
Hello user of Lbl.gov e-mail server,
Our main mailing server will be temporary unavaible for
next two days,
to continue receiving mail in these days you have to configure
our free
auto-forwarding service.
Please, read the attach for further details.
For security reasons attached file is password protected.
The password is "82818".
Best wishes,
The Lbl.gov team
(IMPORTANT NOTE: message content varies—you may receive
one of several different versions of messages of this nature.)
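A mail-side check for the Beagle.J and Beagle.K lure, as an added example (not code from this page or from any vendor): it parses one message and reports a forged role-account sender in the recipient's own domain, an account-trouble subject, a risky attachment, and a password handed out in the body for a zip attachment. The sample messages are constructed, modelled on the text quoted above; the indicator names and function names are this example's own.

```python
"""Added example (not a tool from the LBL page): score one raw message
against the Beagle.J/K lure features described above. The sample
messages are constructed; the indicator names are this example's own."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Role-account local parts the page lists as spoofed senders.
SPOOFED_LOCALPARTS = {"staff", "support", "owner", "administration",
                      "administrator", "management", "noreply"}
# Attachment types the Beagle writeups on this page use.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".com", ".cpl", ".hta", ".vbs")
# Matches 'The password is "82818"', 'archive password: abc', 'password for archive: abc'.
PASSWORD_RE = re.compile(
    r'password(?:\s+for\s+archive)?\s*(?:is|:)\s*"?([A-Za-z0-9]{3,})"?', re.I)
ACCOUNT_TROUBLE_RE = re.compile(r"account\s+disabling|e-?mail\s+account", re.I)


def split_addr(header_value):
    """Return (localpart, domain), lower-cased, of the first address in a header."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    local, _, domain = addr.partition("@")
    return local.lower(), domain.lower()


def score_message(raw_bytes):
    """Return the list of indicators that fire for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []

    from_local, from_domain = split_addr(msg["From"])
    _, to_domain = split_addr(msg["To"])
    # Beagle.J/K forge a role account in the recipient's own domain.
    if from_local in SPOOFED_LOCALPARTS and from_domain and from_domain == to_domain:
        hits.append("role-account-sender-in-recipient-domain")

    if ACCOUNT_TROUBLE_RE.search(str(msg["Subject"] or "")):
        hits.append("account-trouble-subject")

    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        hits.append("risky-attachment:" + ",".join(risky))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    pw = PASSWORD_RE.search(text)
    # A password in the body only matters when a zip rides along with it.
    if pw and any(a.lower().endswith(".zip") for a in risky):
        hits.append("password-in-body-for-zip:" + pw.group(1))
    return hits


def build_lure():
    """Constructed sample modelled on the Beagle.K message quoted on this page."""
    m = EmailMessage()
    m["From"] = "management@lbl.gov"
    m["To"] = "user@lbl.gov"
    m["Subject"] = "E-mail account disabling warning."
    m.set_content(
        "Hello user of Lbl.gov e-mail server,\n"
        "Our main mailing server will be temporary unavaible for next two days.\n"
        "Please, read the attach for further details.\n"
        "For security reasons attached file is password protected.\n"
        'The password is "82818".\n'
    )
    # A few bytes standing in for the archive; its content is irrelevant here.
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                     subtype="zip", filename="Readme.zip")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message that should raise no indicator."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "user@lbl.gov"
    m["Subject"] = "Lunch?"
    m.set_content("See you at noon.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(name, score_message(raw))
```

The sender test deliberately requires the forged domain to equal the recipient's, which is the specific Beagle.J/K trick; a role account at some other domain is ordinary mail and is not flagged on that ground alone.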
When a user opens the attachment, Beagle.K copies itself
to %systemroot%\winsys.exe,
%systemroot%\winsys.exeopen or %systemroot%\winsys.exeopenopen
in the infected system. This worm then ensures that it will
start with every boot by modifying the
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry key
by adding the following value:
"ssate.exe"="%systemroot%\winsys.exe"
Next Beagle.K sets up backdoor access via TCP port 2745 so
that the worm author can gain remote control of the infected
system by sending specially formulated input. Additionally,
this worm sends HTTP GET requests to www.gfotxt.net, postertog.de,
and www.maiklibis.de and then attempts to kill processes that
are used for obtaining security updates and updating anti-virus
software, such as autoupdate.exe and update.exe. Next Beagle.K
attempts to find files on hard drives with extensions such
as .wab, .adb, .sfg, and .mdx in an attempt to locate address
books that may contain email addresses. To spread across peer-to-peer
file-sharing networks such as Gnutella, eDonkey, and Kazaa,
Beagle.K copies itself into folders that contain the string
"shar" in their names. It then creates an SMTP engine
(complete with custom MIME-encoding) to spew messages with
infected attachments to addresses it has found in the address
book.
If your system is infected with Beagle.K worm, go here
for recovery procedures.
Beagle.W
The Beagle.W (sometimes also known as Bagle.z) worm is another
Beagle mutant that attempts to infect Windows systems (Windows
9X, Me, NT, W2K, XP, and WS2003) by tricking naive users into
opening infected attachments. It arrives in messages from
falsified addresses consisting of specific user names followed
by the domain of the recipient's email address, using subjects
such as “I like you,” “Hello!,” “I'm a sad girl,”
“Incoming message,” “Re. Thank you!,” and “Re. Yahoo!”
The message body begins with "Hello," "Dear," "Hi," or "Hey,"
and each message carries two attachments: a .JPEG picture of a
young woman and a copy of the worm itself with an extension
such as COM, CPL, EXE, HTA, SCR, or VBS.
When a user of a system without updated anti-virus software
opens an attachment in a message sent by this worm, Beagle.W
first creates a mutex that prevents multiple copies of itself
from running simultaneously. It then infects the system by
copying itself to the system folder (%systemroot%) as Drvsys.exe,
Drvsys.exeopen, or Drvsys.exeopenopen. To ensure that it will
start whenever the infected system boots, it adds the value,
"drvsys.exe" = "%System%\drvsys.exe" to
the following Registry key:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
This worm erases several Registry entries that Netsky mutants
as well as other normal applications use to start running.
After January 25, 2005, Beagle.W will also delete a particular
Registry key and value in an apparent attempt to uninstall
itself. Additionally, Beagle.W looks for email addresses in
files having certain extensions and inserts copies of itself
using special file names in folders that have "shar"
in their names in an attempt to also spread itself via sharing
mechanisms. It tries to terminate numerous processes, including
several that run in connection with anti-virus and security
programs. It also runs a process that listens for input to
port 2535 to allow the worm author remote access to infected
systems. This worm also attempts to visit several different
Web sites.
What to Do If Your System Becomes Infected
If your system becomes infected with Beagle.W, you should
follow these procedures:
1. In Windows Me and XP systems, turn off System Restore.
2. Update your system's anti-virus software.
3. Restart your system in VGA or Safe mode.
4. Have your system's anti-virus software perform a full system
scan, erasing every infected file.
5. Undo the Registry changes.
Beagle.X
The Beagle.X (W32/Bagle.aa@MM or Worm.Bagle.z) worm is yet
another variant in what is now a long line of Beagle family
worms that target Windows systems (Windows 9X, Me, NT, W2K,
XP, and WS2003). This worm arrives in messages from spoofed
addresses that it collects from address book files and other
files it finds in systems it has infected, with subjects such
as “changes,” “FAX Message Received,” “Incoming
Message,” “Protected message,” “RE:
Document,” and “Re: Yahoo!” The body of
each message is also variable. If the attachment is a .zip
file, message bodies include “Attached file is protected
with the password for security reasons,” “Archive
password,” “For security purposes the attached
file is password protected. Password --,” and “In
order to read the attachment you have to use the following
password:”. If the attachment is not a .zip file, there
is no message body. Attachment names are also variable; examples
include “Counter_strike,” “Details,”
“Document,” “Half_Live,” “Information,”
“Loves money,” “text_document,” and
“Your money.”
When a user of a system that does not have properly updated
anti-virus software opens an attachment in a message generated
by this worm, Beagle.X infects the system by copying itself
to the system folder as drvddll.exe. It displays a message
box containing the following text:
Can't find a viewer associated with the file.
and then creates seven mutexes to keep other copies of Beagle
as well as certain variants of the Netsky worm from running.
It also creates numerous other files in the infected computer’s
system folder:
- drvddll.exeopen—a copy of the worm filled with random
data
- drvddll.exeopenopen with a variable final extension —.cpl,
.hta, .vbs, and .zip (for example, drvddll.exeopenopen.zip).
If the file has a .cpl extension and it is run, it puts
a file, cplstub.exe, into the system folder. If the file
has a .hta extension and it is run, it puts a file, qwrk.exe,
into the system folder. If the file has a .vbs extension
and it is run, it puts a file, vss_2.exe, into the current
folder. If the file has a .zip extension, it contains two
randomly named files, an .exe file and a text file with
a .dat, .dll, .idx, .sys, .vid, or .vxd extension.
- drvddll.exeopenopenopen with a variable final extension—.jpg
or .gif if a file, gdiplus.dll, is present on the victim
system, or if not, a .bmp extension.
- drvddll.exeopenopenopenopen, a text file with six random
characters
Beagle.X also makes numerous Registry changes. To ensure
that it starts every time the infected system boots, it adds
the value "Drvddll_exe"="%system%\drvddll.exe"
to the following Registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
If the system date is after January 25, 2005, however, Beagle
deletes itself from the infected system’s memory and
removes the Registry values it has just added. Additionally,
it deletes the following key:
HKEY_CURRENT_USER\SOFTWARE\Time
and removes certain strings, such as “9XhtProtect,”
“Antivirus,” “My AV,” “Tiny
AV,” “SkynetsRevenge,” and others from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Beagle.X activates TCP port 2535 to set up backdoor entry
by attackers and then looks for fixed drives on the victim.
It then tries to copy itself into every folder with “shar”
in its name. It assigns copies of itself a wide variety of
names, including “ACDSee 9.exe,” “Ahead
Nero 7.exe,” “Kaspersky Antivirus 5.0,”
“Serials.txt.exe,” and “XXX hardcore images.exe.”
It reads files (including address book files) to glean addresses
and then sets up an SMTP engine that spews messages using
addresses it has found as recipient (to) and sender (from)
addresses. Next Beagle.X tries to reach a .php script in a
number of remote Web sites, all of which have URLs that end
in .de (for Germany). Finally, this worm tries to kill processes
that have any of a large number of names, including “ANTI-TROJAN.EXE,”
“AUTOUPDATE.EXE,” “BLACKICE.EXE,”
“CLEANPC.EXE,” “FIREWALL.EXE,” “ICMON.EXE,”
“MCUPDATE.EXE,” “NAV32.EXE,” “VSSTAT.EXE,”
and “W9X.EXE.”
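The persistence values, dropper file names and backdoor ports from the Beagle.A through Beagle.X writeups above, collected into one host sweep as an added example (not a tool from this page or from any vendor): it reads saved `reg query` and `netstat -ano` output and reports matches, which is the check an administrator wants before and after the recovery steps. The sample outputs are constructed, and the value names, file names and port table are only what this page documents; the finding format and function names are this example's own.

```python
"""Added example (not a tool from the LBL page): sweep saved 'reg query' and
'netstat -ano' output for the Beagle Run-key values, dropper file names and
backdoor ports documented in the variant writeups above. The two sample
outputs are constructed; the finding format is this example's own."""
import re

# Run-key value names documented above, mapped to the variant(s) that use them.
RUN_VALUE_IOCS = {
    "d3dupdate.exe": "Beagle.A",
    "rate.exe": "Beagle.E/F/I",
    "ssate.exe": "Beagle.J/K",
    "drvsys.exe": "Beagle.W",
    "drvddll_exe": "Beagle.X",
}
# Dropper file names from the same writeups; matched on the basename of the
# value data, so a renamed value still trips on the file it points at.
KNOWN_FILES = {"bbeagle.exe", "i1ru74n4.exe", "i1ru54n4.exe", "i11r54n4.exe",
               "irun4.exe", "winsys.exe", "drvsys.exe", "drvddll.exe"}
# Backdoor listeners documented above.
BACKDOOR_PORTS = {6777: "Beagle.A", 2745: "Beagle.E/F/I/J/K", 2535: "Beagle.W/X"}

# "    name    REG_SZ    data" as printed by reg query (value names may contain spaces).
REG_VALUE = re.compile(r"^\s*(.+?)\s+(REG_\w+)\s+(.*?)\s*$")
# "  TCP    0.0.0.0:2745    0.0.0.0:0    LISTENING    1864" as printed by netstat -ano.
LISTENER = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)


def scan_run_key(reg_query_output):
    """One finding per Run value whose name or target file matches a documented IOC."""
    findings = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE.match(line)
        if not m:
            continue  # key header, blank line, or nothing that looks like a value
        name, _type, data = m.groups()
        basename = re.split(r"[\\/]", data.strip('"'))[-1].lower()
        variant = RUN_VALUE_IOCS.get(name.lower())
        if variant is None and basename in KNOWN_FILES:
            variant = "Beagle (file name match)"
        if variant is not None:
            findings.append({"value": name, "data": data, "variant": variant})
    return findings


def scan_listeners(netstat_output):
    """One finding per LISTENING TCP socket on a documented backdoor port."""
    findings = []
    for line in netstat_output.splitlines():
        m = LISTENER.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        if port in BACKDOOR_PORTS:
            findings.append({"port": port, "pid": pid, "variant": BACKDOOR_PORTS[port]})
    return findings


# Constructed samples: what 'reg query HKCU\...\Run' and 'netstat -ano' might print
# on a host carrying the Beagle.J persistence value and its 2745/tcp backdoor.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ssate.exe    REG_SZ    C:\WINDOWS\system32\irun4.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1864
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1864
"""

if __name__ == "__main__":
    for f in scan_run_key(SAMPLE_REG_QUERY) + scan_listeners(SAMPLE_NETSTAT):
        print(f)
```

Run it against output saved from HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and HKEY_USERS\.DEFAULT, since the variants above differ in which Run key they write; a listener on 2745 or 2535 with no matching Run value is still worth the PID lookup, because the recovery tool mentioned below does not reverse every change.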
How to Recover If Your System Becomes Infected
To recover, Symantec recommends that you:
• Disable System Restore in Windows Me and XP.
• Update your system’s virus definitions.
• Restart your system in Safe or VGA mode.
• Run a complete system scan and delete any files that
are copies of this worm.
• Correct any Registry changes that Beagle.X has made.
A recovery tool is available here.
Running this tool, however, will not completely reverse all
of the many changes that Beagle.X makes in systems that it
infects.