FOR CUSTOMERS

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLM.Beagle.32256

(Win32.Bagle.H@mm, Worm:Win32/Bagle.H@mm, Email-Worm.Win32.Bagle.h, Parser error, Backdoor:Win32/Hupigon.CN, W32/Bagle.dll.gen, I-Worm/Bagle, I-Worm/Bagle.H, W32/Bagle.gen@MM, Email-Worm.Win32.Bagle.g, System error, Worm/Bagle.H.GODO, W32.Beagle.I@mm, Email-Worm.Win32.Bagle.bo, Worm.Win32.Bagle.I, WORM_BAGLE.H, W32.Beagle.H@mm, I-Worm/Bagle.I, WORM_Bagle.GEN-1, TR/Dldr.Bagle.BR, W32.Beagle.BP@mm, WORM_BAGLE.I, WORM_BAGLE.GEN, Win32.Bagle.I@mm)

Added to the Dr.Web virus database: 2004-03-01

Virus description added:

Description

Win32.HLLM.Beagle.32256[Beagle.H] is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems.

Being executed, the worm drops its copy i11r54n4.exe to the Windows\\System folder (in Windows 9x/ME it’s C:\\Windows\\System, in Windows NT/2000 it’s C:\\WINNT\\System32, in Windows XP it’s C:\\Windows\\System32) and points to this copy in the system registry:

HKEY_LOCAL_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
\"rate.exe\"=\"%SysDir%\\i11r54n4.exe\"

thus securing its execution at every Windows reboot. The worm also creates its own key
HKEY_CURRENT_USER\\Software\\winexe

It also places several more files to the same folder:

  • i1i5n1j4.exe – a dll with an exe extension, contains a system library downloading procedure
  • go154o.exe – a dll containing the worm’s mass-mailing procedure
  • i11r54n4.exeopen – a zip-archive with the randomly named worm’s executable dispatched at its mass distribution
  • In other details of behaviour it is very similar to Win32.HLLM.Beagle.36352.

    © Doctor Web
    2003 — 2022

    Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies