Dr.Web - innovation IT-security solutions. Complex protection against Internet threats.

Virus library

Knowledge database

Win32.HLLM.Beagle

(PAK_Generic.001, Win32.Bagle.SRD@mm, Trojan-Downloader.Win32.Bagle.ah, TROJ_MITGLIED.AL, I-Worm/Bagle, TR/Drop.Bagle.FU.DLL, TROJ_MITGLIED.AJ, Trojan-Downloader.Win32.Bagle.ae, TR/Vundo.Gen, TR/Bagle.GB, WORM_Bagle.GEN-1, WORM_BAGLE.APB, Worm:Win32/Bagle.gen!encrypted, Downloader.Generic4.ITL, Trojan-Downloader.Win32.Bagle.eo, Trojan.Win32.Agent.gns, Worm.Bagle.HE, TROJ_BAGLE.AM, W32/Bagle, TROJ_BAGLE.BVC, Worm.Win32.Bagle.KD, Downloader.Generic6.AKKW, Trojan-Proxy.Win32.Mitglieder.dz)

Added to Dr.Web virus database: 2006-06-20 18:58:15

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: can be 69 842 byte, 85 508 byte

Packed by: PECRYPT

Technical Information

Spreads via e-mail. Attachment represents ZIP-archive, which is password protected for complicating its detection by antivirus programs. In order that careless user could extract archive contents, password is indicated in grafical file [random name].gif.

During its own startup registers itself in autorun section in registry.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drv_st_key" = "%UserProfile%\Application Data\hidn\hidn1.exe"

Bans loading in SafeMode: deletes registry branch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

During its first run shows "Error" picture.

Attachment name is chosen out of the following list:

Elizabeth
Elizabethe
Anne
Ann
Anna
Anne
Annes
Mary
Marie
Marye
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Sara
Dorothy
Dorithie
Dorothee
Jane
Katherine
Katherine
Katheryne
Susanna
Susanna
Suzanna
Francis
Frances
Fraunces
Joane
Judith
Judeth
Judith
Judithe
Alice
Ales
Alice
Alyce
Ellen
Ellen
Ellyn
Grace
Isabell
Isabel
Isabell
Martha
Susan
Winifred
Wynefreed
Wynefrede
Wynnefreede
Avis
Avis
Avice
Bennet
Bennet
Bennett
Christian
Christian
Christean
Constance
Cybil
Sybell
Sybyll
Ester
Rebecka
Rose
Sidney
Sindony
Syndony
John
John
Johen
Thomas
William
Richard
Richarde
Richard
Rycharde
Robert
Roberte
Robert
George
Edward
Edwarde
Edward
Nicholas
Nicholas
Nycholas
Nicholaus
James
Jeames
James
Henry
Henrie
Henry
Henrye
Edmund
Edmonde
Edmond
Edmund
Harry
Harrye
Harry
Anthony
Anthonye
Anthonie
Roger
Peter
Nathaniel
Nathaniell
Nathaniel
Nathanyell
Stephen
Jeffrey
Jeffrye
Geoffraie
Francis
Andrew
Androw
Androwe
Valentyne
Samuell
Ralph
Michael
Michael
Mychaell
Leonard
Leonard
Leonarde
Josias
Humphrey
Humphrey
Humphrie
Hughe
Gabriell
Emanual
Emanuell
Emanuel
Daniel
Daniel
Danyell

Message body contains text:

To the beloved
I love you

Searches for addresses for its further spreading in the files with such extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Contains rootkit-component (file m_hook.sys; size - 15 360 bytes) for hiding its processes, files and also registry branches. Creates folder hidn with attribute "Hidden" in C:\Documents and Settings\%USERPROFILE%\Application Data\, where locates its direct executable file and rootkit-component.

Worm doesn’t spread its own copies in case if address contains the following substrings:

rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Worm contains destructive functions: deletes processes, which belong to different computer security systems, and also stops services.

Processes which can be completed and, if possible, deleted from the disk:

a2guard.exe
aavshield.exe
AckWin32.exe
ADVCHK.EXE
AhnSD.exe
airdefense.exe
ALERTSVC.EXE
ALMon.exe
ALOGSERV.EXE
ALsvc.exe
amon.exe
Anti-Trojan.exe
AntiVirScheduler
AntiVirService
ANTS.EXE
APVXDWIN.EXE
Armor2net.exe
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashMaiSv.exe
ashPopWz.exe
ashServ.exe
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
aswUpdSv.exe
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
avciman.exe
Avconsol.exe
AVENGINE.EXE
avgamsvr.exe
avgcc.exe
AVGCC32.EXE
AVGCTRL.EXE
avgemc.exe
avgfwsrv.exe
AVGNT.EXE
avgntdd
avgntmgr
AVGSERV.EXE
AVGUARD.EXE
avgupsvc.exe
avinitnt.exe
AvkServ.exe
AVKService.exe
AVKWCtl.exe
AVP.EXE
AVP32.EXE
avpcc.exe
avpm.exe
AVPUPD.EXE
AVSCHED32.EXE
avsynmgr.exe
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BackWeb-4476822.exe
bdmcon.exe
bdnews.exe
bdoesrv.exe
bdss.exe
bdsubmit.exe
bdswitch.exe
blackd.exe
blackice.exe
cafix.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccSetMgr.exe
CFIAUDIT.EXE
ClamTray.exe
ClamWin.exe
Claw95.exe
Claw95cf.exe
cleaner.exe
cleaner3.exe
CliSvc.exe
CMGrdian.exe
cpd.exe
DefWatch.exe
DOORS.EXE
DrVirus.exe
drwadins.exe
drweb32w.exe
drwebscd.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
ewidoctrl.exe
EzAntivirusRegistrationCheck.exe
F-AGNT95.EXE
F-PROT95.EXE
F-Sched.exe
F-StopW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FireSvc.exe
FireTray.exe
FIREWALL.EXE
fpavupdm.exe
freshclam.exe
FRW.EXE
fsav32.exe
fsavgui.exe
fsbwsys.exe
fsdfwd.exe
FSGK32.EXE
fsgk32st.exe
fsguiexe.exe
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
fspex.exe
fssm32.exe
gcasDtServ.exe
gcasServ.exe
GIANTAntiSpywareMain.exe
GIANTAntiSpywareUpdater.exe
GUARD.EXE
GUARDGUI.EXE
GuardNT.exe
HRegMon.exe
Hrres.exe
HSockPE.exe
HUpdate.EXE
iamapp.exe
iamserv.exe
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
INETUPD.EXE
InocIT.exe
InoRpc.exe
InoRT.exe
InoTask.exe
InoUpTNG.exe
IOMON98.EXE
isafe.exe
ISATRAY.EXE
ISRV95.EXE
ISSVC.exe
JEDI.EXE
KAV.exe
kavmm.exe
KAVPF.exe
KavPFW.exe
KAVStart.exe
KAVSvc.exe
KAVSvcUI.EXE
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
livesrv.exe
LOCKDOWN2000.EXE
LogWatNT.exe
lpfw.exe
LUALL.EXE
LUCOMSERVER.EXE
Luupdate.exe
MCAGENT.EXE
mcmnhdlr.exe
mcregwiz.exe
Mcshield.exe
MCUPDATE.EXE
mcvsshld.exe
MINILOG.EXE
MONITOR.EXE
MonSysNT.exe
MOOLIVE.EXE
MpEng.exe
mpssvc.exe
MSMPSVC.exe
myAgtSvc.exe
myagttry.exe
navapsvc.exe
NAVAPW32.EXE
NavLu32.exe
NAVW32.EXE
NDD32.EXE
NeoWatchLog.exe
NeoWatchTray.exe
NISSERV
NISUM.EXE
NMAIN.EXE
nod32.exe
nod32krn.exe
nod32kui.exe
NORMIST.EXE
notstart.exe
npavtray.exe
NPFMNTOR.EXE
npfmsg.exe
NPROTECT.EXE
NSCHED32.EXE
NSMdtr.exe
NssServ.exe
NssTray.exe
ntrtscan.exe
NTXconfig.exe
NUPGRADE.EXE
NVC95.EXE
Nvcod.exe
Nvcte.exe
Nvcut.exe
NWService.exe
OfcPfwSvc.exe
OUTPOST.EXE
PAV.EXE
PavFires.exe
PavFnSvr.exe
Pavkre.exe
PavProt.exe
pavProxy.exe
pavprsrv.exe
pavsrv51.exe
PAVSS.EXE
pccguide.exe
PCCIOMON.EXE
pccntmon.exe
PCCPFW.exe
PcCtlCom.exe
PCTAV.exe
PERSFW.EXE
pertsk.exe
PERVAC.EXE
PNMSRV.EXE
POP3TRAP.EXE
POPROXY.EXE
prevsrv.exe
PsImSvc.exe
QHM32.EXE
QHONLINE.EXE
QHONSVC.EXE
QHPF.EXE
qhwscsvc.exe
RavMon.exe
RavTimer.exe
Realmon.exe
REALMON95.EXE
Rescue.exe
rfwmain.exe
Rtvscan.exe
RTVSCN95.EXE
RuLaunch.exe
SAVAdminService.exe
SAVMain.exe
savprogress.exe
SAVScan.exe
SCAN32.EXE
ScanningProcess.exe
sched.exe
sdhelp.exe
SERVIC~1.EXE
SHSTAT.EXE
SiteCli.exe
smc.exe
SNDSrvc.exe
SPBBCSvc.exe
SPHINX.EXE
spiderml.exe
spidernt.exe
Spiderui.exe
SpybotSD.exe
SPYXX.EXE
SS3EDIT.EXE
stopsignav.exe
swAgent.exe
swdoctor.exe
SWNETSUP.EXE
symlcsvc.exe
SymProxySvc.exe
SymSPort.exe
SymWSC.exe
SYNMGR.EXE
TAUMON.EXE
TBMon.exe
TC.EXE
tca.exe
TCM.EXE
TDS-3.EXE
TeaTimer.exe
TFAK.EXE
THAV.EXE
THSM.EXE
Tmas.exe
tmlisten.exe
Tmntsrv.exe
TmPfw.exe
tmproxy.exe
TNBUtil.exe
TRJSCAN.EXE
Up2Date.exe
UPDATE.EXE
UpdaterUI.exe
upgrepl.exe
Vba32ECM.exe
Vba32ifs.exe
vba32ldr.exe
Vba32PP3.exe
VBSNTW.exe
vchk.exe
vcrmon.exe
VetTray.exe
VirusKeeper.exe
VPTRAY.EXE
vrfwsvc.exe
VRMONNT.EXE
vrmonsvc.exe
vrrw32.exe
VSECOMR.EXE
Vshwin32.exe
vsmon.exe
vsserv.exe
VsStat.exe
WATCHDOG.EXE
WebProxy.exe
Webscanx.exe
WEBTRAP.EXE
WGFE95.EXE
Winaw32.exe
winroute.exe
winss.exe
winssnotify.exe
WRADMIN.EXE
WRCTRL.EXE
xcommsvr.exe
zatutor.exe
ZAUINST.EXE
zlclient.exe
zonealarm.exe
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE

Services, which are disabled by the worm:

wuauserv
Aavmker4
ABVPN2K
ADBLOCK.DLL
ADFirewall
AFWMCL
Ahnlab
task
Scheduler
alerter
AlertManger
AntiVir
Service
AntiyFirewall
ARP.DLL
aswMon2
aswRdr
aswTdi
aswUpdSv
Ati
HotKey
Poller avast!
Antivirus avast!
Mail Scanner avast!
Web Scanner
AVEService
AVExch32Service
AvFlt
Avg7Alrt
Avg7Core
Avg7RsW
Avg7RsXP
Avg7UpdSvc
AvgCore
AvgFsh
AVGFwSrv
AvgFwSvr
AvgServ
AvgTdi
AVIRAMailService
AVIRAService
avpcc
AVUPDService
AVWUpSrv
AvxIni
awhost32
backweb
client - 4476822
BackWeb Client - 7681197
backweb client-4476822
Bdfndisf
bdftdif
bdss
BlackICE
BsFileSpy
BsFirewall
BsMailProxy
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CONTENT.DLL
DefWatch
DNSCACHE.DLL
drwebnet
dvpapi
dvpinit
ewido
security
suite
control
ewido
security
suite
driver
ewido
security
suite
guard
F-Prot
Antivirus
Update
Monitor
F-Secure
Gatekeeper
Handler
Starter
firewall
fsbwsys
FSDFWD
FSFW
FSMA
FTPFILT.DLL
FwcAgent
fwdrv
Guard NT
HSnSFW
HSnSPro
HTMLFILT.DLL
HTTPFILT.DLL
IMAPFILT.DLL
noRPC
InoRT
InoTask
Ip6Fw
Ip6FwHlp
KAVMonitorService
KAVSvc
KLBLMain
KPfwSvc
KWatch3
KWatchSvc
MAILFILT.DLL
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
Microsoft NetWork FireWall Services
MonSvcNT
MpfService
navapsvc
Ndisuio
NDIS_RD
Network Associates Log Service
nipsvc
NISSERV
NISUM
NNTPFILT.DLL
NOD32ControlCenter
NOD32krn
NOD32Service
Norman
NJeeves
Norman
Type-R
Norman
ZANDA
Norton AntiVirus Server
NPDriver
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
OfcPfwSvc
Outbreak
Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVAGENTE
PavAtScheduler
PAVDRV
PAVFIRES
PAVFNSVR
Pavkre
PavProc
PavProt
PavPrSrv
PavReport
PAVSRV
PCCPFW
PCC_PFW
PersFW
Personal Firewall
POP3FILT.DLL
PREVSRV
PROTECT.DLL
PSIMSVC
qhwscsvc
wscsvc
Quick Heal
Online Protection
ravmon8
RfwService
SAVFMSE
SAVScan
SBService
schscnt
SECRET.DLL
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SpiderNT
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus
Client Symantec
Core LC
The_Hacker_Antivirus
Tmntsrv
TmPfw
tmproxy
tmtdi
tm_cfw T_H_S_M V3MonNT
V3MonSvc
Vba32ECM
Vba32ifs
Vba32Ldr
Vba32PP3
VBCompManService
VexiraAntivirus
VFILT
VisNetic
AntiVirus Plug-in
vrfwsvc
vsmon
VSSERV
WinAntivirus
WinRoute
wuauserv
xcomm
Empty

Worm blocks running regedt32.exe and regedit.exe utilities.

In order to check-out its modules updates, worm tries to conduct connection with web sites. The list of these web sites is stored in worm body.

hxxp://www.titanmotors.com/images/1/eml.php
hxxp://veranmaisala.com/1/eml.php
hxxp://wklight.nazwa.pl/1/eml.php
hxxp://yongsan24.co.kr/1/eml.php
hxxp://accesible.cl/1/eml.php
hxxp://hotelesalba.com/1/eml.php
hxxp://amdlady.com/1/eml.php
hxxp://inca.dnetsolution.net/1/eml.php
hxxp://www.auraura.com/1/eml.php
hxxp://avataresgratis.com/1/eml.php
hxxp://beyoglu.com.tr/1/eml.php
hxxp://brandshock.com/1/eml.php
hxxp://www.buydigital.co.kr/1/eml.php
hxxp://camaramafra.sc.gov.br/1/eml.php
hxxp://camposequipamentos.com.br/1/eml.php
hxxp://cbradio.sos.pl/1/eml.php
hxxp://c-d-c.com.au/1/eml.php
hxxp://www.klanpl.com/1/eml.php
hxxp://coparefrescos.stantonstreetgroup.com/1/eml.php
hxxp://creainspire.com/1/eml.php
hxxp://desenjoi.com.br/1/eml.php
hxxp://www.inprofile.gr/1/eml.php
hxxp://www.diem.cl/1/eml.php
hxxp://www.discotecapuzzle.com/1/eml.php
hxxp://ujscie.one.pl/777.gif
hxxp://1point2.iae.nl/777.gif
hxxp://appaloosa.no/777.gif
hxxp://apromed.com/777.gif
hxxp://arborfolia.com/777.gif
hxxp://pawlacz.com/777.gif
hxxp://areal-realt.ru/777.gif
hxxp://bitel.ru/777.gif
hxxp://yetii.no-ip.com/777.gif
hxxp://art4u1.superhost.pl/777.gif
hxxp://www.artbed.pl/777.gif
hxxp://art-bizar.foxnet.pl/777.gif
hxxp://www.jonogueira.com/777.gif
hxxp://asdesign.cz/777.gif
hxxp://ftp-dom.earthlink.net/777.gif
hxxp://www.aureaorodeley.com/777.gif
hxxp://www.autoekb.ru/777.gif
hxxp://www.autovorota.ru/777.gif
hxxp://avenue.ee/777.gif
hxxp://www.avinpharma.ru/777.gif
hxxp://ouarzazateservices.com/777.gif
hxxp://stats-adf.altadis.com/777.gif
hxxp://bartex-cit.com.pl/777.gif
hxxp://bazarbekr.sk/777.gif
hxxp://gnu.univ.gda.pl/777.gif
hxxp://bid-usa.com/777.gif
hxxp://biliskov.com/777.gif
hxxp://biomedpel.cz/777.gif
hxxp://blackbull.cz/777.gif
hxxp://bohuminsko.cz/777.gif
hxxp://bonsai-world.com.au/777.gif
hxxp://bpsbillboards.com/777.gif
hxxp://cadinformatics.com/777.gif
hxxp://canecaecia.com/777.gif
hxxp://www.castnetnultimedia.com/777.gif
hxxp://compucel.com/777.gif
hxxp://continentalcarbonindia.com/777.gif
hxxp://ceramax.co.kr/777.gif
hxxp://prime.gushi.org/777.gif
hxxp://www.chapisteriadaniel.com/777.gif
hxxp://charlesspaans.com/777.gif
hxxp://chatsk.wz.cz/777.gif
hxxp://www.chittychat.com/777.gif
hxxp://checkalertusa.com/777.gif
hxxp://cibernegocios.com.ar/777.gif
hxxp://5050clothing.com/777.gif
hxxp://cof666.shockonline.net/777.gif
hxxp://comaxtechnologies.net/777.gif
hxxp://concellodesandias.com/777.gif
hxxp://www.cort.ru/777.gif
hxxp://donchef.com/777.gif
hxxp://www.crfj.com/777.gif
hxxp://kremz.ru/777.gif
hxxp://dev.jintek.com/777.gif
hxxp://foxvcoin.com/777.gif
hxxp://uwua132.org/777.gif
hxxp://v-v-kopretiny.ic.cz/777.gif
hxxp://erich-kaestner-schule-donaueschingen.de/777.gif
hxxp://vanvakfi.com/777.gif
hxxp://axelero.hu/777.gif
hxxp://kisalfold.com/777.gif
hxxp://vega-sps.com/777.gif
hxxp://vidus.ru/777.gif
hxxp://viralstrategies.com/777.gif
hxxp://svatba.viskot.cz/777.gif
hxxp://Vivamodelhobby.com/777.gif
hxxp://vkinfotech.com/777.gif
hxxp://vytukas.com/777.gif
hxxp://waisenhaus-kenya.ch/777.gif
hxxp://watsrisuphan.org/777.gif
hxxp://www.ag.ohio-state.edu/777.gif
hxxp://wbecanada.com/777.gif
hxxp://calamarco.com/777.gif
hxxp://vproinc.com/777.gif
hxxp://grupdogus.de/777.gif
hxxp://knickimbit.de/777.gif
hxxp://dogoodesign.ch/777.gif
hxxp://systemforex.de/777.gif
hxxp://zebrachina.net/777.gif
hxxp://www.walsch.de/777.gif
hxxp://hotchillishop.de/777.gif
hxxp://innovation.ojom.net/777.gif
hxxp://massgroup.de/777.gif
hxxp://web-comp.hu/777.gif
hxxp://webfull.com/777.gif
hxxp://welvo.com/777.gif
hxxp://www.ag.ohio-state.edu/777.gif
hxxp://poliklinika-vajnorska.sk/777.gif
hxxp://wvpilots.org/777.gif
hxxp://www.kersten.de/777.gif
hxxp://www.kljbwadersloh.de/777.gif
hxxp://www.voov.de/777.gif
hxxp://www.wchat.cz/777.gif
hxxp://www.wg-aufbau-bautzen.de/777.gif
hxxp://www.wzhuate.com/777.gif
hxxp://zsnabreznaknm.sk/777.gif
hxxp://xotravel.ru/777.gif
hxxp://ilikesimple.com/777.gif
hxxp://yeniguntugla.com/777.gif

System recover recommendations

Reboot Windows in Safe Mode.
Use Dr.Web® scanner of free curing utility Dr.Web^® CureIT! to scan local drives. The “Cure” action should be applied for all infected files.
Restore registry from the backup copy.

Important! Before following these recommendations you should set up the mail client you use so that it stores attachments as separate files and not in the body of the database. For example, such storage in TheBat! is enabled as follows: Account — Properties — Files & Directories — Keep attachment files — Separately in a special directory.

Last updated: 2010-02-10 04:42:40 MSK
Total records in virus database: 1030242

Top virus chart

Trojan.DownLoad.37236	8.61%
Win32.HLLM.Netsky.35328	7.91%
Win32.HLLM.MyDoom.49	6.53%
Trojan.DownLoad.47256	6.52%
Win32.HLLM.MyDoom.44	5.99%

Company \| News&Events \| Send a virus \| Online scanner \| Privacy policy \| Site map	More www-resources:
	www.av-desk.com www.freedrweb.com www.drweb-curenet.com	pda.drweb.com estore.drweb.com