Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

ALERTS: Viruses

Beagle.AD

Say "no thanks" to emails with subject lines such as, "Thank you!" or "Thanks :)" when those emails also carry attachments. The attachment, which could have a .com, .cpl, .exe, .hta, .scr, .vbs, or .zip file extension, might contain Beagle.AD, a mass-mailing worm that infects Windows systems.

Also known as: W32.Beagle.Y@mm, W32.Beagle.X@mm, WORM_BAGLE.AD [Trend], the Bagle Worm, W32/Bagle.ad@mm [McAfee].

The worm evades detection because each attachment is encrypted with a different password, so scanners cannot rely on a fixed pattern. If it succeeds in infecting a system, Beagle.AD sets up a backdoor that lets attackers access the system remotely. While active in memory, the worm re-creates its registry startup key every 100 milliseconds so that it stays active on the infected system. It also reads all the email addresses stored on the system and sends copies of itself to those addresses (the unfortunate recipients will think the email is coming from you).

Never open any attachment that you are not expecting, even if it appears to come from someone you know, and be sure to update your system's anti-virus software every day. If you have opened the attachment, call ext. 4357 for help.

How It Infects the System

According to Symantec, when Beagle.AD infects your system, it does the following:

  1. Displays the message:

     "Can't find a viewer associated with the file"

  2. Creates seven mutex files that interfere with some other viruses while protecting Beagle.AD. (A mutex is a regulating mechanism that allows only a single copy of a worm or virus to run on a system at any time.)

  3. From the registry keys:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     Beagle.AD deletes any values that contain the following strings:

     "My AV"
     "Zone Labs Client Ex"
     "9XHtProtect"
     "Antivirus"
     "Special Firewall Service"
     "service"
     "Tiny AV"
     "ICQNet"
     "HtProtect"
     "NetDy"
     "Jammer2nd"
     "FirewallSvr"
     "MsInfo"
     "SysMonXP"
     "EasyAV"
     "PandaAVEngine"
     "Norton Antivirus AV"
     "KasperskyAVEng"
     "SkynetsRevenge"
     "ICQ Net"

  4. Creates copies of itself under various names in the Windows system directory.

  5. Adds the value:

     "key" = "%System%\loader_name.exe"

     to the registry key

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

     so that the worm runs when Windows starts.

  6. Opens a backdoor on TCP port 1234, which allows the infected computer to be used as an email relay.

  7. Attempts to create copies of itself in any folder whose name contains the string "shar". The files will have the following names:

     • Microsoft Office 2003 Crack, Working!.exe
     • Microsoft Windows XP, WinXP Crack, working Keygen.exe
     • Microsoft Office XP working Crack, Keygen.exe
     • Porno, sex, oral, anal cool, awesome!!.exe
     • Porno Screensaver.scr
     • Serials.txt.exe
     • KAV 5.0
     • Kaspersky Antivirus 5.0
     • Porno pics arhive, xxx.exe
     • Windows Sourcecode update.doc.exe
     • Ahead Nero 7.exe
     • Windown Longhorn Beta Leak.exe
     • Opera 8 New!.exe
     • XXX hardcore images.exe
     • WinAmp 6 New!.exe
     • WinAmp 5 Pro Keygen Crack Update.exe
     • Adobe Photoshop 9 full.exe
     • Matrix 3 Revolution English Subtitles.exe
     • ACDSee 9.exe

  8. Searches for email addresses in files that have the following extensions:

     • .wab
     • .txt
     • .msg
     • .htm
     • .shtm
     • .stm
     • .xml
     • .dbx
     • .mbx
     • .mdx
     • .eml
     • .nch
     • .mmf
     • .ods
     • .cfg
     • .asp
     • .php
     • .pl
     • .wsh
     • .adb
     • .tbb
     • .sht
     • .xls
     • .oft
     • .uin
     • .cgi
     • .mht
     • .dhtm
     • .jsp

  9. Uses its own SMTP engine to send email messages to any addresses that it finds. The email may have the following characteristics:

    From: <spoofed>

    Subject: (One of the following)

    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Notification
    • Changes..
    • Update
    • Fax Message
    • Protected message
    • RE: Protected message
    • Forum notify
    • Site changes
    • Re: Hi
    • Encrypted document

    Body: (One of the following)

    • Attach tells everything.
    • Attached file tells everything.
    • Check attached file for details.
    • Check attached file.
    • Here is the file.
    • Message is in attach
    • More info is in attach
    • Pay attention at the attach.
    • Please, have a look at the attached file.
    • Please, read the document.
    • Read the attach.
    • See attach.
    • See the attached file for details.
    • Your document is attached.
    • Your file is attached.


    Attachment: (One of the following)

    • Information
    • Details
    • text_document
    • Updates
    • Readme
    • Document
    • Info
    • MoreInfo
    • Message

    Attachment extension:
    (One of the following)

    • .hta
    • .vbs
    • .exe
    • .scr
    • .com
    • .cpl
    • .zip

The Damage

Large-scale emailing. Beagle.AD reads the local address book and sends email to every address in it. It also harvests email addresses from documents and other types of files.

Performance degradation. This volume of email slows the computer: it can consume available memory, create files that use up disk space, and make programs load or run more slowly. It also clogs email servers as it spreads.

Compromises security settings. The worm can terminate processes belonging to various security-related programs. It can also allow unauthorized remote access to a compromised host, and may download trojans from the Internet.

How to Recover

Removal using the W32.Beagle@mm Removal Tool

Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.Y@mm. Use this removal tool first, as it is the easiest way to remove this threat.

Manual Removal

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete all the files detected as W32.Beagle.Y@mm.
  5. Delete the value that was added to the registry.

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
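Step 5 of the infection list (the "key" value pointing at an .exe in %System%) and step 3 (the deletion of security-product entries from the Run keys) both leave traces in the same two registry keys, and step 5 of the manual removal above asks you to delete that value. The following audit script is an added example written for this alert, not code from the Berkeley Lab CPP page or from Symantec. Its decision logic works on a plain dict of value name to value data, so it can be exercised offline; on Windows it fills that dict from the live registry with the standard `winreg` module. The value name "key", the %System% path and the list of deleted strings are the alert's; `loader_name.exe` is the alert's placeholder, and the baseline snapshot and the `ctfmon.exe` entry are constructed sample data. The script only reports; deleting the value remains the manual step.

```python
"""Audit of the Run keys that Beagle.AD manipulates.

Added example for this alert; not code from the Berkeley Lab CPP page or from
Symantec.  Works offline on a dict of value name -> data; on Windows,
read_run_values() reads the real key via winreg.  "key", "%System%" and
DELETED_STRINGS are from the alert; loader_name.exe is the alert's placeholder.
"""
import re
import sys
from typing import Optional

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Strings the worm deletes from Run values (the alert's list).
DELETED_STRINGS = [
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge",
    "ICQ Net",
]

# An .exe sitting directly in %System% (unexpanded) or in an expanded system32/system directory.
SYSTEM_DIR_EXE = re.compile(r"(?:%system%|\\system32|\\system)\\[^\\]+\.exe$", re.IGNORECASE)


def is_loader_value(name: str, data: str) -> bool:
    """Infection step 5: a Run value named "key" that launches an .exe from %System%."""
    path = data.strip().strip('"')
    return name.lower() == "key" and SYSTEM_DIR_EXE.search(path) is not None


def audit_run_values(current: dict, baseline: Optional[dict] = None) -> dict:
    """Report the worm's autostart value and, given a pre-infection snapshot of the
    same key, any entries matching the deletion list that have since disappeared."""
    findings = {"loader_values": [], "removed_security_entries": []}
    for name, data in current.items():
        if is_loader_value(name, data):
            findings["loader_values"].append((name, data))
    if baseline:
        for name in baseline:
            gone = name not in current
            targeted = any(s.lower() in name.lower() for s in DELETED_STRINGS)
            if gone and targeted:
                findings["removed_security_entries"].append(name)
    return findings


def read_run_values(hive: str = "HKCU") -> dict:
    """Read every value under the Run key of the given hive (Windows only)."""
    import winreg  # standard library, available only on Windows
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    with winreg.OpenKey(root, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been enumerated
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        for hive in ("HKCU", "HKLM"):
            print(hive, audit_run_values(read_run_values(hive)))
    else:
        # Constructed before/after snapshots for an offline run.
        before = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                  "Norton Antivirus AV": r"C:\Program Files\Placeholder\nav.exe"}
        after = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                 "key": r"%System%\loader_name.exe"}
        print(audit_run_values(after, baseline=before))
```

The baseline comparison is the useful part: on its own, the absence of an "Antivirus" entry proves nothing, but an entry that was present in a snapshot taken before the infection and is now missing, with a name on the worm's deletion list, is exactly the change step 3 describes. Because the worm re-creates its startup value every 100 milliseconds while running, the value will reappear unless the scan in Safe mode has first removed the running copy.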

Preventing Infections

Update your system's anti-virus software daily. Go here for procedures on updating anti-virus software. Refrain from opening attachments or links in unfamiliar emails or emails you are not expecting.

More Info

For more information on removal, see Symantec’s Beagle.AD web page.
