Description
Win32.HLLM.Beagle.28160 (Beagle.C) is a mass-mailing worm that targets computers running Windows 95/98/Me/NT/2000/XP. It arrives as an executable module packed with the UPX compression utility. The packed file is 15,872 bytes in size. It may spread via e-mail as a zip-archive of 15,944 bytes.
Launching
When activated, the worm registers its copy in the system registry:
HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run
"gouday.exe" = "%SysDir%\readme.exe"
so that it is launched again at every Windows session.
Spreading
The worm spreads via e-mail, sending itself with the help of its own SMTP engine. The executable module of the worm is distributed inside a zip-archive attached to the message. The name of the archive is chosen at random. The worm harvests addresses for propagation from files with the following extensions:
.wab
.txt
.htm
.html
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.adb
.sht
Addresses containing any of the following strings are excluded from the search:
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@
The subject of the message in which the worm mails itself may be one of the following:
Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee
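As an added example (not part of the original description), the following mail-gateway screen combines the two indicators given above, the subject list and the fixed 15,944-byte zip attachment, into a verdict; a listed subject alone is an ordinary business phrase and only earns a review. The messages it processes are constructed inline and the function and header names are this example's own assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

WORM_ZIP_SIZE = 15944  # size of the zip-archive the worm mails, per the description

# Subjects listed in the description (exact match, case-sensitive).
KNOWN_SUBJECTS = {
    "Price", "New Price-list", "Hardware devices price-list",
    "Weekly activity report", "Daily activity report", "Maria", "Jenny",
    "Jessica", "Registration confirmation",
    "USA government abolishes the capital punishment", "Freedom for everyone",
    "Flayers among us", "From Hair-cutter", "Melissa", "Camila", "Price-list",
    "Pricelist", "Price list", "Hello my friend", "Hi!", "Well...",
    "Greet the day", "The account", "Looking for the report",
    "You really love me? he he", "You are dismissed", "Accounts department",
    "From me", "Monthly incomings summary", "The summary",
    "Proclivity to servitude", "Ahtung!", "The employee",
}

def beagle_c_indicators(raw: bytes) -> list:
    """Return the Beagle.C indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() in KNOWN_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        # The archive name is random, so the fixed size is the usable signal.
        if name.endswith(".zip") and len(body) == WORM_ZIP_SIZE:
            hits.append("zip-size")
    return hits

def verdict(raw: bytes) -> str:
    """'block' only when both indicators coincide; a listed subject alone is
    an ordinary business phrase and only merits a 'review'."""
    hits = beagle_c_indicators(raw)
    if "subject" in hits and "zip-size" in hits:
        return "block"
    return "review" if hits else "pass"

def make_sample(subject: str, zip_size: int) -> bytes:
    """Constructed test message carrying a dummy zip of zip_size bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attached")
    m.add_attachment(b"PK\x03\x04" + b"\0" * (zip_size - 4), maintype="application",
                     subtype="zip", filename="report.zip")
    return m.as_bytes()
```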
Action
When executed, the worm creates a copy of itself in the Windows\System folder (in Windows 9x/ME this is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32) and also drops several more files into the same folder:
The backdoor procedure run by the worm contains one more destructive feature: it blocks execution of the update utilities of the following antivirus programs:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
Note that the Dr.Web update utility (DRWEBUPW.EXE) is on this list too, which hampers detection of the worm by antivirus means. If the update utility fails to run, we recommend deleting the registry entry that points to the worm's copy (see above) from the system registry and then rebooting the system. After that the update utility will function normally.
In addition, the backdoor procedure attempts to connect to the following web sites:
http://permail.uni-muenster.de/
http://www.songtext.net/de/
http://www.sportscheck.de/
and sends the number of the opened port and the ID of the infected system to a PHP application there. If the system date on the infected machine is March 14 or later, the worm terminates immediately.