Beagle.AQ
The Beagle.AQ worm typically arrives
in your email with "foto" in the subject line. The
"FOTO.ZIP" file attached to the email is a mass-mailing
worm that infects Windows systems. If opened, the zip file
downloads the actual worm.
Also known as: the Bagle or Glieder virus; Bagle.AK, Glieder.H,
W32.Beagle.AQ@mm
When the attachment is opened, Beagle.AQ sets up a backdoor
to allow attackers to remotely access the system. It hides
itself from firewall and antivirus software that has not been
updated. It also reads all the email addresses stored on the
system and sends copies of itself to those addresses (the
unfortunate recipients will think the email is coming from
you).
How It Infects the System
According to Symantec, when Beagle.AQ infects your system,
it does the following:
1. Copies itself as the following files:
%System%\windll.exe (A copy of the worm)
%System%\windll.exeopen (A copy of the worm)
%System%\windll.exeopenopen (A copy of the worm)
Note: %System% is a variable. The Trojan locates the System
folder and copies itself to that location. By default, this
is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds a value:
"erthgdr"="%System%\windll.exe"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Creates seven mutex files that interfere with some other
viruses while protecting Beagle.AQ. (A mutex is a regulating
mechanism that allows only a single copy of a worm or virus
to run on a system at any time.)
4. Beagle.AQ tries to hide itself from security software
that hasn't been updated by deleting any values that contain
the following strings:
9XHtProtect
ICQ Net
My AV
Special Firewall Service
Antivirus
ICQNet
NetDy
SysMonXP
EasyAV
Jammer2nd
Norton Antivirus AV
Tiny AV
FirewallSvr
KasperskyAVEng
PandaAVEngine
Zone Labs Client Ex
HtProtect
MsInfo
SkynetsRevenge
service
from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Copies these files into any shared folders:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
6. Attempts to download and execute files from a variety of
external Web sites as %System%\_re_file.exe.
7. The following Windows processes are terminated:
ATUPDATER.EXE
AVWUPD32.EXE
FIREWALL.EXE
OUTPOST.EXE
AUPDATE.EXE
AVXQUAR.EXE
ICSSUPPNT.EXE
UPDATE.EXE
AUTODOWN.EXE
CFIAUDIT.EXE
ICSUPP95.EXE
AUTOTRACE.EXE
DRWEBUPW.EXE
LUALL.EXE
AUTOUPDATE.EXE
ESCANH95.EXE
MCUPDATE.EXE
AVPUPD.EXE
ESCANHNT.EXE
NUPGRADE.EXE
8. Attempts to download and execute files as %Windir%\~.exe
from a number of web sites.
Note: %Windir% is a variable. The Trojan locates the Windows
installation folder and saves the downloaded files to that
location. By default, this is C:\Windows or C:\Winnt.
9. Creates seven mutex files that interfere with some other
viruses while protecting Beagle.AH. (A mutex is a regulating
mechanism that allows only a single copy of a worm or virus
to run on a system at any time.)
10. Creates the following files:
%System%\windll.exe
%System%\windll.exeopen (A copy of the worm with randomly
appended data.)
%System%\windll.exeopenopen (A copy of the worm with randomly
appended data.)
%System%\re_file.exe
11. Locates any email addresses stored on the local system.
12. Uses its own SMTP engine to send email messages to any
addresses that it found.
13. Creates the following files:
%System%\Doriot.exe (A copy of foto1.exe)
%System%\Gdqfw.exe (A downloader module)
14. Adds the value:
"wersds" = "%System%\doriot.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm will run automatically when you start Windows.
15. Opens backdoors on TCP port 80 and UDP port 80, which
allow the infected computer to be used as an email relay.
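As an added defender-side example (not from this page or from Symantec), the following Python script parses a regedit export of the Run keys and flags the value names and dropped binaries listed above, which is how a help desk can triage a suspect machine from an exported .reg file. The sample export is constructed; the indicator lists are taken from the description above.

```python
import re

# Indicators taken from the Beagle.AQ description above.
BEAGLE_VALUE_NAMES = {"erthgdr", "wersds"}
BEAGLE_BINARIES = {"windll.exe", "doriot.exe", "gdqfw.exe",
                   "_re_file.exe", "re_file.exe"}
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Constructed sample of a regedit export of the HKCU Run key (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"
"wersds"="C:\\WINDOWS\\system32\\doriot.exe"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path (lower-cased): {value_name: data}}.
    Only string (REG_SZ) values are kept. The .reg format writes one
    backslash as two, so the data is unescaped back to a normal path."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).lower()
            keys[current] = {}
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current is not None:
            name, data = val_match.group(1), val_match.group(2)
            keys[current][name] = data.replace("\\\\", "\\")
    return keys


def find_beagle_run_values(keys):
    """Return (key, value_name, data) for Run values that match either a
    Beagle.AQ value name or one of the binaries it drops in %System%."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            exe = data.strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() in BEAGLE_VALUE_NAMES or exe in BEAGLE_BINARIES:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_beagle_run_values(parse_reg_export(SAMPLE_REG)):
        print(f"Beagle.AQ persistence: {name} -> {data} in {key}")
```

Run it against a real export with `regedit /e run.reg "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and pass the file contents to parse_reg_export; a hit means the removal steps below still need to be carried out.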
The Damage
Large-scale emailing. Beagle.AQ will access a local
address book and send emails to the people within that address
book. It will also locate email addresses in documents and
other types of files.
Performance degradation. This large volume of emailing
slows the computer: it can consume available memory, create
files that use up disk space, and make programs load or run
more slowly. It also clogs email servers as it spreads.
Compromises security settings. This worm can terminate
processes associated with various security-related programs,
such as virus scanners and firewalls. It can also allow unauthorized
remote access to a compromised host, and can download trojans
from the Internet.
How to Recover
Manual Removal
The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected
as W32.Beagle.AQ@mm.
5. Delete the value that was added to the registry.
Note: When you are completely finished with the removal
procedure and are satisfied that the threat has been removed,
re-enable System Restore by following the instructions in
the aforementioned documents.
Preventing Infections
Update your system's antivirus software daily. Go here
for procedures on updating antivirus software. Refrain from
opening links on unfamiliar email or emails you are not expecting.
Never open any attachment that you are not expecting, even
if it appears to come from someone you know. If you have opened
the attachment, call ext. 4357 for help.
More Information
For more information on this worm and its removal, see Symantec's
Beagle.AO web page.