FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Win32.HLLM.Beagle.32256

(Win32.Bagle.H@mm, Worm:Win32/Bagle.H@mm, Email-Worm.Win32.Bagle.h, Parser error, Backdoor:Win32/Hupigon.CN, W32/Bagle.dll.gen, I-Worm/Bagle, I-Worm/Bagle.H, W32/Bagle.gen@MM, Email-Worm.Win32.Bagle.g, System error, Worm/Bagle.H.GODO, W32.Beagle.I@mm, Email-Worm.Win32.Bagle.bo, Worm.Win32.Bagle.I, WORM_BAGLE.H, W32.Beagle.H@mm, I-Worm/Bagle.I, WORM_Bagle.GEN-1, TR/Dldr.Bagle.BR, W32.Beagle.BP@mm, WORM_BAGLE.I, WORM_BAGLE.GEN, Win32.Bagle.I@mm)

Added to the Dr.Web virus database: 2004-03-01

Virus description added:

Description

Win32.HLLM.Beagle.32256[Beagle.H] is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems.

Being executed, the worm drops its copy i11r54n4.exe to the Windows\\System folder (in Windows 9x/ME it’s C:\\Windows\\System, in Windows NT/2000 it’s C:\\WINNT\\System32, in Windows XP it’s C:\\Windows\\System32) and points to this copy in the system registry:

HKEY_LOCAL_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
\"rate.exe\"=\"%SysDir%\\i11r54n4.exe\"
thus securing its execution at every Windows reboot. The worm also creates its own key
HKEY_CURRENT_USER\\Software\\winexe

It also places several more files to the same folder:

  • i1i5n1j4.exe – a dll with an exe extension, contains a system library downloading procedure
  • go154o.exe – a dll containing the worm’s mass-mailing procedure
  • i11r54n4.exeopen – a zip-archive with the randomly named worm’s executable dispatched at its mass distribution
    • In other details of behaviour it is very similar to Win32.HLLM.Beagle.36352.