Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
Beagle.AU

The Beagle.AU (W32.Beagle.AU@mm or Bagle.AU) worm is a mass-mailing worm that arrives as a message from a spoofed email address. The subject is "Re:," "Re: Hello," "Re: Hi," "Re: Thank you!," or "Re: Thanks :)." The message body reads ":))." The attachment is named "Price," "price," or "joke," with the extension .exe, .com, .cpl, or .scr. If the attachment is opened, Beagle.AU copies itself into the Windows system folder (%System%) as bawindo.exe, bawindo.exeopen, or bawindo.exeopenopen. To ensure that it starts every time the infected system boots, Beagle.AU also adds the Registry value

"bawindo" = "%System%\bawindo.exe"

to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This worm creates seven mutexes to keep each infected system from being infected by the NetSky worm. It then attempts to download an executable file from a Web site, going to one URL after another until the download succeeds; if it obtains the file, it executes it. Beagle.AU attempts to delete antivirus and other security-related software and to kill the processes such software starts, including mcagent.exe, mcshield.exe, navapsvc.exe, and DefWatch.exe. Beagle.AU also looks for folders whose names contain the string "shar"; if it finds any, it writes a copy of itself to each of them under one of a large number of lure names (e.g., Adobe Photoshop 9 full.exe, KAV 5.0, Microsoft Office 2003 Crack, Working!.exe, Opera 8 New!.exe, Porno Screensave.scr, and others). It opens a backdoor on TCP port 81 and on a random UDP port, and it deletes values whose names contain strings such as Antivirus, FirewallSvr, Htprotect, KasperskyAVEng, and Norton Antivirus AV from

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Beagle.AU creates a mail engine that spews mail to addresses it finds in files containing addresses (such as files with extensions of .htm, .dbx, .eml, .abd, and .jsp) within the infected system.
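The indicators in this alert (the lure subject, body and attachment names, the dropped file names, the "bawindo" Run value and the TCP port 81 backdoor) are concrete enough to check for mechanically. The script below is an added example, not part of the CPP alert or of any vendor tool; it assumes that mail metadata and host facts (Run key values, system-folder file names, listening TCP ports) have already been collected by whatever means the site uses, and it only matches them against the indicators quoted above.

```python
"""Match collected mail and host data against the Beagle.AU indicators in the alert."""
import re
from typing import Iterable

# Indicators taken from the alert text above
BEAGLE_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BEAGLE_BODY = ":))"
ATTACHMENT_RE = re.compile(r"^(price|joke)\.(exe|com|cpl|scr)$", re.IGNORECASE)
BEAGLE_FILES = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
RUN_VALUE_NAME = "bawindo"
BACKDOOR_TCP_PORT = 81


def message_matches_beagle_au(subject: str, body: str, attachments: Iterable[str]) -> bool:
    """True only when all three lure traits from the alert are present together."""
    if subject.strip().lower() not in BEAGLE_SUBJECTS:
        return False
    if body.strip() != BEAGLE_BODY:
        return False
    return any(ATTACHMENT_RE.match(name.strip()) for name in attachments)


def host_indicators(run_values: dict, system_dir_files: Iterable[str],
                    listening_tcp_ports: Iterable[int]) -> list:
    """Return human-readable findings for the host-side indicators (empty list = none)."""
    findings = []
    # Persistence: a Run value named "bawindo" that points at bawindo.exe
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith("\\bawindo.exe"):
            findings.append(f"Run value {name!r} -> {data}")
    # Dropped copies in the system folder
    for filename in system_dir_files:
        if filename.lower() in BEAGLE_FILES:
            findings.append(f"dropped file {filename}")
    # Backdoor listener; port 81 is also used legitimately, so confirm the owning process
    if BACKDOOR_TCP_PORT in set(listening_tcp_ports):
        findings.append(f"listener on TCP {BACKDOOR_TCP_PORT} (verify owning process)")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not output from a real host
    print(message_matches_beagle_au("Re: Thanks :)", ":))", ["price.scr"]))
    for line in host_indicators({"bawindo": r"C:\WINDOWS\system32\bawindo.exe"},
                                ["kernel32.dll", "bawindo.exeopen"], [135, 81]):
        print(line)
```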

Go here to learn how to eradicate a Beagle.AU infection.
