Beagle.AH
_____________
Say "no thanks" to emails with subject lines such
as, "Thank you!" or "Thanks :)" when those
emails also carry attachments. The attachment, which could
have a .com, .cpl, .exe, .hta, .scr, .vbs, or .zip file extension,
might contain Beagle.AH, a mass-mailing worm that infects
Windows systems.
Also known as the Bagle worm, and detected under the names WORM_BAGLE.AH,
W32/Bagle.AH@MM, and W32.Beagle.X@mm.
The worm evades signature-based detection because each attachment is encrypted
using a different password, so there is virtually no fixed byte pattern
for scanners to match. If successful in infecting a system,
Beagle.AH sets up a backdoor to allow attackers to remotely
access the system. When active in memory, the worm re-creates
its startup key every 100 milliseconds to keep it active in
the infected system. It also reads all the email addresses
stored on the system and sends copies of itself to those addresses
(the unfortunate recipients will think the email is coming
from you).
Never open any attachment that you are not expecting, even
if it appears to come from someone you know, and be sure to
update your system's anti-virus software every day. If you
have opened the attachment, call ext. 4357 for help.
How It Infects the System
According to Symantec, when Beagle.AH infects your system,
it does the following:
- Displays the message:
"Can't find a viewer associated with the file"
- Creates seven mutexes that interfere with
some other viruses while protecting Beagle.AH. (A mutex
is a regulating mechanism that allows only a single copy
of a worm or virus to run on a system at any time.)
- From the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Beagle.AH deletes any values that contain the following
strings:
"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"
- Creates copies of itself under various names in the Windows
system directory.
- Adds the value:
"key" = "%System%\FUKULAMER.exe"
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when Windows starts.
- If the system date is after January 25, 2005, the worm
will exit from memory and delete its registry value, as
well as the key:
HKEY_CURRENT_USER\SOFTWARE\base_reg_path
- Opens a backdoor on TCP port 1234, which allows the infected
computer to be used as an email relay.
- Attempts to create copies of itself in any folder whose name
contains the characters "shar" (for example, shared folders used
by peer-to-peer software). The copies will
have the following file names:
• Microsoft Office 2003 Crack, Working!.exe
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
• Microsoft Office XP working Crack, Keygen.exe
• Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• KAV 5.0
• Kaspersky Antivirus 5.0
• Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe
- Searches for email addresses in files that have
the following extensions:
• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp
- Uses its own SMTP engine to send email messages to any
addresses that it finds. The email may have the following
characteristics:
From: <spoofed>
Subject: (One of the following)
• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• Update
• Fax Message
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document
Body: If the attachment is a .zip file, then the
body will contain one of the following messages:
• For security reasons attached file is password
protected. The password is
• For security purposes the attached file is password
protected. Password --
• Note: Use password
• Attached file is protected with the password for
security reasons. Password is
• In order to read the attach you have to use the
following password:
• Archive password:
• Password
• Password: followed either by a 5-digit password or by
a copy of the image file dropped as FUKULAMER.exeopenopenopen.
If the attachment is not a .zip file, the body will be
one of the following:
• Read the attach.
• Your file is attached.
• More info is in attach
• See attach.
• Please, have a look at the attached file.
• Your document is attached.
• Please, read the document.
• Attach tells everything.
• Attached file tells everything.
• Check attached file for details.
• Check attached file.
• Pay attention at the attach.
• See the attached file for details.
• Message is in attach
• Here is the file.
Attachment: (One of the following)
• Information
• Details
• text_document
• Updates
• Readme
• Document
• Info
• MoreInfo
• Message
Attachment extension: (One of the following)
• .hta
• .vbs
• .exe
• .scr
• .com
• .cpl
• .zip
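The email traits listed above can be turned into a simple mail-gateway heuristic. The following is an added example written for this advisory (not Symantec's or the page's own code); the indicator lists are transcribed from the advisory, the sample message is constructed, and the scoring rule is an assumption chosen to keep false positives low.

```python
import email
import os

# Indicators transcribed from the advisory's "How It Infects the System" list.
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply|Re: Hello|Re: Yahoo!|Re: Thank you!|Re: Thanks :)|RE: Text message|"
    "Re: Document|Incoming message|Re: Incoming Message|RE: Incoming Msg|RE: Message Notify|"
    "Notification|Changes..|Update|Fax Message|Protected message|RE: Protected message|"
    "Forum notify|Site changes|Re: Hi|Encrypted document").split("|")}
ATTACH_NAMES = {"information", "details", "text_document", "updates", "readme",
                "document", "info", "moreinfo", "message"}
ATTACH_EXTS = {".hta", ".vbs", ".exe", ".scr", ".com", ".cpl", ".zip"}
PASSWORD_HINTS = ("password is", "password --", "use password", "following password",
                  "archive password", "password:")

def score_message(raw: str) -> dict:
    """Flag Beagle.AH-style traits in a raw RFC 822 message (gateway heuristic)."""
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "attachment": False, "zip_password": False}
    body, zip_attached = "", False
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, ext = os.path.splitext(name)
            if stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
                hits["attachment"] = True
                zip_attached |= ext.lower() == ".zip"
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace").lower()
    # The password-in-body trick only matters when an encrypted .zip is attached.
    hits["zip_password"] = zip_attached and any(h in body for h in PASSWORD_HINTS)
    # Assumed rule: attachment trait plus at least one lure trait (subject or password hint).
    hits["suspect"] = hits["attachment"] and (hits["subject"] or hits["zip_password"])
    return hits

# Constructed sample matching the advisory's lure (not a real captured message).
SAMPLE = """Subject: Re: Thank you!
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

For security reasons attached file is password protected. The password is 41097
--sep
Content-Type: application/zip; name="Details.zip"
Content-Disposition: attachment; filename="Details.zip"

(zip bytes omitted in this constructed sample)
--sep--"""
```

Run `score_message(SAMPLE)` to see all three traits flagged and `suspect` set; a plain-text note with no attachment scores as not suspect even if it mentions a password.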
The Damage
Large-scale emailing. Beagle.AH will access
the local address book and send emails to the people listed in
it. It will also locate email addresses
in documents and other types of files.
Performance degradation. This large volume
of emailing slows computer operations: it can consume
available memory, create files that consume disk space,
and cause programs to load or execute more slowly. It also clogs
email servers as it spreads.
Compromises security settings. This worm
can terminate processes associated with various security-related
programs. It also allows unauthorized remote access to
a compromised host, and may download trojans from
the Internet.
How to Recover
Manual Removal
The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Restart the computer in Safe mode or VGA mode.
- Run a full system scan and delete all the files detected
as W32.Beagle.AH@mm.
- Delete the value that was added to the registry.
Note: When you are completely finished with the removal procedure
and are satisfied that the threat has been removed, re-enable
System Restore.
Preventing Infections
Update your system's anti-virus software daily. Go here
for procedures on updating anti-virus software. Refrain from
opening links in unfamiliar emails or emails you are not expecting.
More Info
For more information on removal, see Symantec’s
Beagle.AH web page.