Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Beagle.AG

If you receive a message with a subject such as "foto3 and MP3," "fotogalary and Music," "fotoinfo," "Lovely animals," "Predators," or "The Snake," don't open the attachment! The subject line, body, and the name of the encrypted attachment vary. The attachment (which will have a .com, .cpl, .exe, .scr, or .zip extension) contains Beagle.AG, a Windows worm that is infecting systems at an alarming rate.

Also known as: the Bagle worm, WORM_BAGLE.AH, W32/Bagle.ai@MM, W32/Bagle-AI, Win32.Bagle.AI

The worm evades detection because each attachment is encrypted with a different password, so there is no fixed byte pattern for scanners to match. If it succeeds in infecting a system, Beagle.AG sets up a backdoor that allows attackers to access the system remotely.

Never open any attachment that you are not expecting, even if it appears to come from someone you know, and be sure to update your system's anti-virus software every day. If you have opened the attachment, call ext. 4357 for help.

How It Infects the System

According to Symantec, when Beagle.AG infects your system, it does the following:

  1. From the registry keys

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     Beagle.AG deletes any values that contain the following strings:

     • 9XHtProtect
     • Antivirus
     • EasyAV
     • FirewallSvr
     • HtProtect
     • ICQ Net
     • ICQNet
     • Jammer2nd
     • KasperskyAVEng
     • MsInfo
     • My AV
     • NetDy
     • Norton Antivirus AV
     • PandaAVEngine service
     • SkynetsRevenge
     • Special Firewall Service
     • SysMonXP
     • Tiny AV
     • Zone Labs Client Ex

  2. It locates the system folder and copies itself to that location by creating the following files (note: %System% is a variable):

     %System%\winxp.exe
     %System%\winxp.exeopen
     %System%\winxp.exeopenopen
     %System%\winxp.exeopenopenopen
     %System%\winxp.exeopenopenopenopen

     (For Windows 95/98/Me, the system folder is C:\Windows\System. For Windows NT/2000, the system folder is C:\Winnt\System32. For Windows XP, the system folder is C:\Windows\System32.)

  3. Through a series of steps, the worm locates and copies itself to the installation folder (C:\Windows or C:\Winnt).
  4. Next, it adds the value

     "key" = "%System%\winxp.exe"

     to the registry key

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

     so that the worm runs when Windows starts.

  5. It opens a backdoor on TCP port 1080, which allows the infected computer to be used as an email relay.
  6. It attempts to create copies of itself in any folder whose name contains the characters "shar". The files will have the following file names:

     • ACDSee 9.exe
     • Adobe Photoshop 9 full.exe
     • Ahead Nero 7.exe
     • Kaspersky Antivirus 5.0
     • KAV 5.0
     • Matrix 3 Revolution English Subtitles.exe
     • Microsoft Office 2003 Crack, Working!.exe
     • Microsoft Office XP working Crack, Keygen.exe
     • Microsoft Windows XP, WinXP Crack, working Keygen.exe
     • Opera 8 New!.exe
     • Porno pics arhive, xxx.exe
     • Porno Screensaver.scr
     • Porno, sex, oral, anal cool, awesome!!.exe
     • Serials.txt.exe
     • WinAmp 5 Pro Keygen Crack Update.exe
     • WinAmp 6 New!.exe
     • Windown Longhorn Beta Leak.exe
     • Windows Sourcecode update.doc.exe
     • XXX hardcore images.exe

  7. It searches for email addresses, then uses its own SMTP engine to send email messages to any addresses it finds.

The Damage

Large-scale emailing. Beagle.AG reads the local address book and sends email to the people listed in it.

Performance degradation. This large volume of email slows computer operations: it can consume available memory, create files that take up disk space, and cause programs to load or execute more slowly. It also spreads to, and clogs, email servers.

Compromises security settings. This worm can terminate processes associated with various security-related programs. It also allows unauthorized remote access to a compromised host and may download trojans from the Internet.

How to Recover

Removal Tool

If you find you are infected, download the removal tool at http://isolate/beagle_AG.htm and follow the instructions.

Manual Removal

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete all the files detected as W32.Beagle.AG@mm.
  5. Delete the "key" value that the worm added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
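The infection steps above name three host-level indicators (the "key" Run value, the winxp.exe* copies in the system folder, and the TCP 1080 listener), and manual removal step 5 asks you to find the registry value by hand. The following triage script is an added example, not part of this alert or of Symantec's tooling; it checks the first two indicators on a Windows host using only the Python standard library, and its matching helpers run on any OS.

```python
"""Added triage script: checks a Windows host for the Beagle.AG indicators described
above (the "key" Run value and winxp.exe* copies in the system folder)."""
import ntpath
import os
import re
import sys

DROP_RE = re.compile(r"^winxp\.exe(?:open)*$", re.IGNORECASE)  # winxp.exe, winxp.exeopen, ...
RUN_KEYS = [("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")]

def suspicious_run_values(values):
    """values maps Run-key value names to their data. Flags the worm's "key" value and
    any value whose (unquoted, argument-free) target is winxp.exe, whatever its name."""
    hits = []
    for name, data in values.items():
        exe = ntpath.basename(str(data).strip('"')).lower()
        if name.lower() == "key" or exe == "winxp.exe":
            hits.append((name, str(data)))
    return sorted(hits)

def dropped_files(names):
    """Names from a system-folder listing that match the worm's winxp.exe(open)* pattern."""
    return sorted(n for n in names if DROP_RE.match(n))

def read_run_values(hive_name, subkey):
    """Enumerate one Run key into a dict (Windows only; uses the stdlib winreg module)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return values
            values[name], i = data, i + 1

def main():
    if sys.platform != "win32":
        sys.exit("host checks run on Windows only")
    for hive, sub in RUN_KEYS:
        for name, data in suspicious_run_values(read_run_values(hive, sub)):
            print(f"[!] {hive}\\{sub}: {name} = {data}")
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for f in dropped_files(os.listdir(sysdir)):
        print(f"[!] dropped copy: {os.path.join(sysdir, f)}")

if __name__ == "__main__":
    main()
```

The TCP 1080 listener is deliberately not checked here because SOCKS proxies use the same port, so a listener alone is a weak indicator; corroborate with the registry and file findings before acting.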

Preventing Infections

Update your system's anti-virus software daily, following the CPP procedures for updating anti-virus software. Do not open attachments or links in unfamiliar emails or in emails you are not expecting.

More Info

For more information on removal, see Symantec’s Beagle.AG web page.
