Computer Protection Program Berkeley Lab
Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory

Beagle.AZ

The Beagle.AZ worm (also known as W32/Bagle-BK, W32/Bagle.AY@MM or Worm.Bagle.AU) is yet another variant in the large Beagle family of worms, which are programmed to infect Windows systems (Windows 9X, Me, NT, W2K, XP and WS2003). This worm embeds itself in messages sent from falsified addresses that it gleans from address books and other files it discovers on machines it has infected. Subjects include “Delivery service mail,” “Is delivered mail,” “You are made active,” and “Registration is accepted.” The message body is “Before use read the help” or “Thanks for use of our software.” The name of the attachment is “guupd02,” “Jol03,” “siupd02,” “upd02,” “viupd02,” “wsd01,” or “zupd02,” with an extension of .com, .cpl, .exe, or .scr.

When a user of a system that does not have updated anti-virus software opens the attachment in a message generated by this worm, Beagle.AZ infects the system by copying itself to the system folder (referred to here as “%Systemroot%”) under the names sysformat.exe, sysformat.exeopen, and sysformat.exeopenopen.

Beagle.AZ also changes certain Registry values. It deletes the values "My AV" and "ICQ Net" from the following Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To ensure that it starts every time the infected system boots, the worm also adds the value

"sysformat" = "%Systemroot%\sysformat.exe"

to the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and the value

"riga" = "<some binary value>"

to the key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Params

Beagle.AZ looks for and attempts to kill a large number of processes that may be running, including AUPDATE.EXE, AVENGINE.EXE, FIREWALL.EXE, MCSHIELD.EXE, NAVAPW32.EXE, UPDATE.EXE, and many others. It also searches the hard disk for folders whose names contain the string "shar" and writes a copy of itself into them under one of a large number of file names. It harvests addresses from a variety of files that may contain email addresses and then sets up its own mail engine, which it uses to send a flood of infected messages, although it avoids sending to certain addresses. Additionally, Beagle.AZ attempts to download a file from a large number of domains; if it succeeds, it saves the file as %Systemroot%\re_file.exe.

How to Recover if Your System Becomes Infected

To recover, Symantec recommends that you:

  • Disable System Restore in Windows Me and XP.
  • Update your system’s virus definitions.
  • Restart your system in Safe or VGA mode.
  • Run a complete system scan and delete any files that are copies of this worm.
  • Correct any Registry changes that Beagle.AZ has made.

A recovery tool is available here. Running this tool, however, will not completely reverse all of the many changes that Beagle.AZ makes in systems that it infects.
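The following PowerShell script is an added example for the host-side indicators and the Registry clean-up step above; it is not code from the Berkeley Lab page or from Symantec's recovery tool. It checks an individual Windows machine for the dropped sysformat files, the downloaded re_file.exe, the "sysformat" Run value and the "riga" value under HKCU\SOFTWARE\Microsoft\Params, and optionally removes them. The function name Test-BeagleAZ and the -Remediate switch are this example's own. Because the alert uses "%Systemroot%" loosely for the system folder, the script checks both $env:SystemRoot and its System32 subfolder (an assumption). It does not search "shar" folders, since the alert does not list the file names used there; a full anti-virus scan with updated definitions is still required.

```powershell
# Added example (not from the Berkeley Lab page or Symantec's tool): read-only
# triage of the Beagle.AZ host indicators described in the alert, with an
# optional -Remediate switch. Run from an elevated PowerShell prompt.
function Test-BeagleAZ {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remediate   # remove what is found; use -WhatIf to preview
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copies of the worm and the file it downloads, in the locations
    #    the alert names. "%Systemroot%" is taken to mean the system folder, so
    #    both the Windows directory and System32 are checked (assumption).
    $dropNames = 'sysformat.exe', 'sysformat.exeopen', 'sysformat.exeopenopen', 're_file.exe'
    $dropDirs  = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    $droppedFiles = foreach ($dir in $dropDirs) {
        foreach ($name in $dropNames) {
            $candidate = Join-Path $dir $name
            if (Test-Path -LiteralPath $candidate) { $candidate }
        }
    }
    foreach ($f in $droppedFiles) { $findings.Add("file: $f") }

    # 2. Persistence: the "sysformat" value the worm adds under the HKCU Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'sysformat' -ErrorAction SilentlyContinue
    if ($runVal) { $findings.Add("registry: $runKey\sysformat = $($runVal.sysformat)") }

    # 3. The "riga" marker value under HKCU\SOFTWARE\Microsoft\Params.
    $paramsKey = 'HKCU:\Software\Microsoft\Params'
    $rigaVal = Get-ItemProperty -Path $paramsKey -Name 'riga' -ErrorAction SilentlyContinue
    if ($rigaVal) { $findings.Add("registry: $paramsKey\riga present") }

    # 4. A running instance of the dropped binary.
    $procs = @(Get-Process -Name 'sysformat' -ErrorAction SilentlyContinue)
    foreach ($p in $procs) { $findings.Add("process: sysformat (PID $($p.Id))") }

    # 5. Optional clean-up, in the order that avoids the worm re-creating
    #    its files: stop the process, remove persistence, then delete files.
    if ($Remediate -and $findings.Count -gt 0) {
        foreach ($p in $procs) {
            if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop sysformat process')) {
                Stop-Process -Id $p.Id -Force
            }
        }
        if ($runVal -and $PSCmdlet.ShouldProcess("$runKey\sysformat", 'Remove Run value')) {
            Remove-ItemProperty -Path $runKey -Name 'sysformat'
        }
        if ($rigaVal -and $PSCmdlet.ShouldProcess("$paramsKey\riga", 'Remove value')) {
            Remove-ItemProperty -Path $paramsKey -Name 'riga'
        }
        foreach ($f in $droppedFiles) {
            if ($PSCmdlet.ShouldProcess($f, 'Delete dropped file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    # Return the findings as a list so a fleet script can collect them per host.
    return $findings
}

# Usage: run the read-only check first; an empty result means none of the
# alert's indicators were found on this host.
Test-BeagleAZ
# Test-BeagleAZ -Remediate -WhatIf   # preview the clean-up actions
# Test-BeagleAZ -Remediate           # remove the indicators that were found
```

The script only reverses the specific changes the alert enumerates, which mirrors the caveat above about the recovery tool: the deleted "My AV" and "ICQ Net" Run values and the anti-virus processes the worm terminated are not restored, so updating definitions and running a complete scan remain necessary steps.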
