Added to Dr.Web virus base January 19, 2004, at 11:13:04 MSK - hot add-on
Aliases: I-Worm.Bagle, W32.Beagle.A@mm, W32/Bagle-A, W32/Bagle.A@mm, WORM_BAGLE.A
Virus type:
File names used by the virus:
Affected platforms: Windows 95/98/Me/NT/2000/XP
Infection signs:
presence of file BBEAGLE.EXE in the System folder
presence of keys in the system registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "d3update.exe" = "%SysDir%\BBEAGLE.EXE"
- HKEY_CURRENT_USER\Software\Windows98
  "frun"
- HKEY_CURRENT_USER\Software\Windows98
  "uid"
Virus description: Win32.HLLM.Beagle.15872 is a rather fast-spreading mass-mailing worm which affects computers running Windows 95/98/Me/NT/2000/XP. The worm is written in a high-level programming language and is packed with . The packed size of the worm's program module is 15,872 bytes.
The worm propagates via e-mail, sending copies of itself to all addresses retrieved from files with .txt, .htm, .html and .wab extensions.
The worm runs only if a user of the affected computer executes it.
The worm disguises itself with the icon of Calculator, a legitimate Windows application.
Once in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to connect to several web sites whose list is kept in the worm's code.
Virus propagation:
The worm disseminates via e-mail using its own SMTP engine. It harvests addresses for propagation from the local Microsoft Windows address book and from files with .txt, .htm and .html extensions. Files containing the following strings are excluded from the search:
hotmail.com
msn.com
@microsoft
@avp.
The mail message infected with the worm looks as follows:
Subject: Hi
Message body:
Test =)
[sequence of random characters]
Test, yep.
The attachment name varies but always has the .EXE extension.
Attachment size: 15,872 bytes
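The mail indicators listed above (subject "Hi", the two fixed body lines around a run of random characters, and a .EXE attachment of exactly 15,872 bytes) can be checked on a mail gateway or in a mailbox export. The following is an added example, not code from Dr.Web; it uses only the standard-library email module, and the three sample messages it builds (including the attachment name fpamg.exe and the random-looking middle line) are constructed test data, not captured worm mail.

```python
import email
import email.policy
from email.message import EmailMessage

# Mail indicators taken from the description above.
BAGLE_A_SUBJECT = "Hi"
BAGLE_A_BODY_MARKERS = ("Test =)", "Test, yep.")
BAGLE_A_ATTACHMENT_SIZE = 15872   # bytes, after transfer-encoding is removed


def matches_bagle_a(raw_message: bytes) -> bool:
    """Return True only if a raw RFC 822 message carries every Bagle.A mail indicator:
    subject "Hi", both body markers, and a .EXE attachment of exactly 15,872 bytes."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    if (msg.get("Subject") or "").strip() != BAGLE_A_SUBJECT:
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    if not all(marker in body_text for marker in BAGLE_A_BODY_MARKERS):
        return False
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if filename.endswith(".exe") and len(payload) == BAGLE_A_ATTACHMENT_SIZE:
            return True
    return False


def build_sample(subject: str, body: str, attachment_name: str, attachment_len: int) -> bytes:
    """Construct a sample message for testing (made-up data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * attachment_len, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one that mirrors the layout described above, one with the right
# text but a wrong attachment size, and one ordinary message sharing only the subject.
SUSPECT_MAIL = build_sample("Hi", "Test =)\nqpwdkzlm83\nTest, yep.\n", "fpamg.exe", 15872)
WRONG_SIZE_MAIL = build_sample("Hi", "Test =)\nTest, yep.\n", "fpamg.exe", 4096)
BENIGN_MAIL = build_sample("Hi", "Test results attached.\n", "report.pdf", 15872)

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_MAIL), ("wrong size", WRONG_SIZE_MAIL),
                          ("benign", BENIGN_MAIL)):
        print(f"{label}: {'MATCH' if matches_bagle_a(sample) else 'no match'}")
```

All three indicators must agree before the function reports a match, which keeps false positives down on a busy gateway; a looser rule (subject alone, or any .EXE attachment) would be a better fit for a block-all-executables policy than for identifying this particular worm.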
System infection:
When executed, the worm checks the current system date. If the system date is later than January 28, it terminates immediately. If the system date is prior to January 28, the worm launches calc.exe, a standard Windows application, and drops its copy BBEAGLE.EXE into the Windows System folder (in Windows 9x/Me it is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32).
To ensure it runs automatically at every Windows startup, the worm adds the value
"d3update.exe" = "%SysDir%\BBEAGLE.EXE"
to the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and creates two more registry keys:
- HKEY_CURRENT_USER\Software\Windows98
  "frun"
- HKEY_CURRENT_USER\Software\Windows98
  "uid"
Once in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to connect to the following web sites, whose list is kept in the worm's code:
http://www.elrasshop.de/1.php
http://www.it-msc.de/1.php
http://www.getyourfree.net/1.php
http://www.dmdesign.de/1.php
http://64.176.228.13/1.php
http://www.leonzernitsky.com/1.php
http://216.98.136.248/1.php
http://216.98.134.247/1.php
http://www.cdromca.com/1.php
http://www.kunst-in-templin.de/1.php
http://vipweb.ru/1.php
http://antol-co.ru/1.php
http://www.bags-dostavka.mags.ru/1.php
http://www.5x12.ru/1.php
http://bose-audio.net/1.php
http://www.sttngdata.de/1.php
http://wh9.tu-dresden.de/1.php
http://www.micronuke.net/1.php
http://www.stadthagen.org/1.php
http://www.beasty-cars.de/1.php
http://www.polohexe.de/1.php
http://www.bino88.de/1.php
http://www.grefrathpaenz.de/1.php
http://www.bhamidy.de/1.php
http://www.mystic-vws.de/1.php
http://www.auto-hobby-essen.de/1.php
http://www.polozicke.de/1.php
http://www.twr-music.de/1.php
http://www.sc-erbendorf.de/1.php
http://www.montania.de/1.php
http://www.medi-martin.de/1.php
http://vvcgn.de/1.php
http://www.ballonfoto.com/1.php
http://www.marder-gmbh.de/1.php
http://www.dvd-filme.com/1.php
http://www.smeangol.com/1.php
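The host-side indicators from the Infection signs and System infection sections (the Run value pointing at BBEAGLE.EXE, the frun and uid values under Software\Windows98, the listener on port 6777, and connections to the sites listed above) can be triaged from two artifacts an administrator can collect without running anything on the suspect machine's behalf: a `reg export` of HKEY_CURRENT_USER and the output of `netstat -an`. The script below is an added example, not Dr.Web's code. It assumes the standard .reg file layout (bracketed key names, `"name"=data` lines, doubled backslashes in string data) and the Windows `netstat -an` column order (protocol, local address, foreign address, state); the registry and netstat samples embedded in it are constructed, and the three IP addresses it checks for are a subset of the site list above.

```python
import re
from typing import Iterable

# Host indicators taken from this description (registry values, dropped file, backdoor
# port) plus three of the IP-address hosts from the list of sites above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "d3update.exe"
DROPPED_FILE = "BBEAGLE.EXE"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
MARKER_VALUES = {"frun", "uid"}
BACKDOOR_PORT = 6777
LISTED_HOSTS = {"64.176.228.13", "216.98.136.248", "216.98.134.247"}


def parse_reg_export(text: str) -> dict:
    """Parse the [key] / "name"=data layout of a `reg export` file into {key: {name: data}}.
    Quoted string data loses its quotes and the doubled backslashes a .reg file uses."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][m.group(1)] = data
    return keys


def registry_indicators(reg_text: str) -> list:
    """Return a line for every Bagle.A registry indicator present in a .reg export."""
    keys = parse_reg_export(reg_text)
    hits = []
    run_data = keys.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if run_data.upper().endswith(DROPPED_FILE):
        hits.append(f"{RUN_KEY}\\{RUN_VALUE} = {run_data}")
    marker_values = keys.get(MARKER_KEY, {})
    for name in sorted(MARKER_VALUES & set(marker_values)):
        hits.append(f"{MARKER_KEY}\\{name}")
    return hits


def netstat_indicators(netstat_lines: Iterable[str]) -> dict:
    """Scan `netstat -an` lines for a TCP listener on the worm's port and for connections
    to the listed hosts; returns {"listening": bool, "contacted": [ip, ...]}."""
    result = {"listening": False, "contacted": []}
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue          # UDP rows have no state column; skip them
        local, remote, state = fields[1], fields[2], fields[3]
        if state == "LISTENING" and local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
            result["listening"] = True
        remote_ip = remote.rsplit(":", 1)[0]
        if remote_ip in LISTED_HOSTS and remote_ip not in result["contacted"]:
            result["contacted"].append(remote_ip)
    return result


# Constructed sample of a `reg export HKEY_CURRENT_USER` on an infected host (made-up data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"d3update.exe"="C:\\WINDOWS\\System32\\BBEAGLE.EXE"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"="12345"
'''

# Constructed `netstat -an` excerpt (made-up addresses except the listed host).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1044       64.176.228.13:80       ESTABLISHED",
    "  UDP    0.0.0.0:445            *:*",
]

if __name__ == "__main__":
    for hit in registry_indicators(SAMPLE_REG):
        print("registry:", hit)
    print("netstat:", netstat_indicators(SAMPLE_NETSTAT))
```

The registry check matches on the file name at the end of the Run value rather than on the full path, because the System folder differs between the Windows versions named above. The site list gives only three bare IP addresses; the DNS names would have to be resolved (or checked against proxy logs) separately.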