Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Beagle.AV

The Beagle.AV (W32.Beagle.AV@mm or Bagle.AV) worm is a mass-mailing worm that arrives as a message from a fake email address gleaned from address books on systems it infects. The subject is "Re:," "Re: Hello," "Re: Hi," "Re: Thank you!" or "Re: Thanks :)"; the text in the message body reads ":))". The name of the attachment is "Price," "price," or "joke"; the extension is .exe, .com, .cpl, or .scr. If the attachment is opened, Beagle.AV copies itself into the Windows system folder %systemroot%, which is usually the Windows folder in newer Windows systems such as Windows XP, as wingo.exe, wingo.exeopen, or wingo.exeopenopen. To ensure that it starts every time the infected system boots, Beagle.AV also adds a Registry value,

"wingo" = "%System%\wingo.exe"

to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It also adds a Registry value, "Timekey" = "<random_variables>", to

HKEY_CURRENT_USER\Software\Microsoft\Params

Beagle.AV attempts to delete executables such as mcagent.exe, mcshield.exe, navapsvc.exe, and DefWatch.exe that are used by antivirus and other security-related software. It then attempts to download an executable file from a Web site, going to one URL and then another within a long list of URLs until it downloads the file to %systemroot%\re_file.exe. If the download succeeds, it executes the file. Beagle.AV tries to find folders that have "shar" in their name; if it finds any, it writes a copy of itself to them, naming the copy with one of a large number of names (e.g., Adobe Photoshop 9 full.exe, KAV 5.0, Microsoft Office 2003 Crack, XXX hardcore images.exe, Working!.exe, Opera 8 New!.exe, Porno Screensave.scr, ACDSee 9.exe, and others). It also creates a backdoor on TCP port 81 and deletes values containing strings such as My AV, Antivirus, FirewallSvr, Htprotect, KasperskyAVEng, Norton Antivirus AV, and EasyAV from:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Beagle.AV creates a simple mail transfer protocol (SMTP) engine that sends volumes of mail to email addresses that it locates in files that contain email addresses (such as files with extensions of .stm, .shtm, .htm, .dbx, .eml, .abd, .oft, .jsp, and .dhtm) in the victim system.
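The indicators above (mail subject, body and attachment pattern; the "wingo" Run value and "Timekey" value; the dropped file names; executables planted in folders containing "shar"; the TCP port 81 backdoor) can be turned into simple host and mail checks. The following Python is an added example for defenders, not code from Berkeley Lab CPP or from any antivirus vendor. The registry triples, file paths and netstat lines it scans are constructed for illustration; on a real host they would come from a `reg export`, a directory listing and `netstat -ano` output respectively, and the function names are this example's own.

```python
"""Detection helpers for the Beagle.AV indicators listed in the advisory.

Added example for defenders, not Berkeley Lab CPP code. All sample inputs
(registry values, file paths, netstat lines) are constructed below.
"""
from pathlib import PureWindowsPath

# Indicators quoted from the advisory text
MAIL_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
MAIL_BODY = ":))"
ATTACHMENT_STEMS = {"price", "joke"}
ATTACHMENT_EXTS = {".exe", ".com", ".cpl", ".scr"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Params"
DROPPED_FILES = {"wingo.exe", "wingo.exeopen", "wingo.exeopenopen", "re_file.exe"}
BACKDOOR_PORT = 81


def mail_indicators(subject, body, attachment):
    """Return the list of mail-level indicators a message matches.

    Subject and attachment together are the strong signal; the body text is
    reported separately so a reviewer can see how many traits lined up.
    """
    hits = []
    if subject.strip().lower() in MAIL_SUBJECTS:
        hits.append("subject")
    if body.strip() == MAIL_BODY:
        hits.append("body")
    name = PureWindowsPath(attachment)
    if name.stem.lower() in ATTACHMENT_STEMS and name.suffix.lower() in ATTACHMENT_EXTS:
        hits.append("attachment")
    return hits


def is_beagle_av_mail(subject, body, attachment):
    """True when both the subject and the attachment name fit the worm's pattern."""
    hits = mail_indicators(subject, body, attachment)
    return "subject" in hits and "attachment" in hits


def registry_findings(values):
    """values: iterable of (key, name, data) triples, e.g. parsed from `reg export`.
    Flags the two values the advisory says the worm adds under HKCU."""
    findings = []
    for key, name, data in values:
        key_l, name_l = key.lower(), name.lower()
        if key_l == RUN_KEY.lower() and name_l == "wingo":
            findings.append(f"Run value 'wingo' = {data}")
        elif key_l == PARAMS_KEY.lower() and name_l == "timekey":
            findings.append(f"Params value 'Timekey' = {data}")
    return findings


def file_findings(paths):
    """paths: iterable of full Windows paths from a directory listing.
    Flags the dropped file names and any executable sitting in a folder whose
    name contains 'shar' (the folders the worm seeds with lure copies)."""
    findings = []
    for p in paths:
        path = PureWindowsPath(p)
        if path.name.lower() in DROPPED_FILES:
            findings.append(f"dropped file: {p}")
        elif path.suffix.lower() in ATTACHMENT_EXTS and any(
            "shar" in part.lower() for part in path.parts[:-1]
        ):
            findings.append(f"executable in share-like folder: {p}")
    return findings


def backdoor_listeners(netstat_lines):
    """netstat_lines: lines of `netstat -ano` output. Returns the lines that show
    a TCP socket listening on the advisory's backdoor port."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(line.strip())
    return hits


# Constructed sample host data (not captured from a real infection)
SAMPLE_REGISTRY = [
    (RUN_KEY, "wingo", r"%System%\wingo.exe"),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\OneDrive.exe"),  # benign
    (PARAMS_KEY, "Timekey", "<random_variables>"),  # placeholder data, as in the advisory
]
SAMPLE_FILES = [
    r"C:\Windows\System32\wingo.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\Public\shared\Adobe Photoshop 9 full.exe",
    r"C:\Users\Public\shared\readme.txt",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:81      0.0.0.0:0       LISTENING    1234",
    "  TCP    0.0.0.0:445     0.0.0.0:0       LISTENING    4",
    "  TCP    10.0.0.5:81     10.0.0.9:51000  ESTABLISHED  1234",
]


def scan_host(registry=SAMPLE_REGISTRY, files=SAMPLE_FILES, netstat=SAMPLE_NETSTAT):
    """Combine the three host checks into one list of findings."""
    return registry_findings(registry) + file_findings(files) + backdoor_listeners(netstat)


if __name__ == "__main__":
    for finding in scan_host():
        print(finding)
    print(is_beagle_av_mail("Re: Thanks :)", ":))", "joke.cpl"))
```

The share-folder check is deliberately broad (any executable under a folder with "shar" in its name) and will flag legitimate software on real file shares, so treat it as a triage list to review against the lure names in the advisory rather than as a verdict. The port 81 check only catches the listening socket; an established connection on that port is worth a look but is not by itself a match.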

Go here for Beagle.AV cleanup procedures.
