CCTV news
CCTV Technology News & Society

03-24-2005, 11:07 PM   #1
Administrator
Join Date: Apr 2004
Posts: 68
W32.Beagle.BH@mm

W32.Beagle.BH@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.B. Trojan.Tooso.B then downloads W32.Beagle.BH@mm onto the compromised computer.

The worm also opens a back door on TCP port 80.

The worm is packed with PeX.

Also Known As: Win32.Bagle.AZ [Computer Associates], W32/Bagle.bn@MM [McAfee], WORM_BAGLE.BE [Trend Micro]


Technical Information

W32.Beagle.BH@mm is reportedly downloaded by Trojan.Tooso.B. Trojan.Tooso.B arrives as an HTML-formatted email with an attachment that has one of the following names:
    • price.zip
    • price2.zip
    • price_new.zip
    • price_08.zip
    • 08_price.zip
    • newprice.zip
    • new_price.zip
    • new__price.zip
The zip file contains an executable named doc_01.exe which is a copy of Trojan.Tooso.B. There is a mechanism in the code to password-protect the .zip file; however, this does not work.

When W32.Beagle.BH@mm is executed, it performs the following actions:
  1. Creates a file named %System%\windlhhl.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  2. Creates the following mutexes, some of which prevent variants of Netsky from launching:
    • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    • 'D'r'o'p'p'e'd'S'k'y'N'e't'
    • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    • [SkyNet.cz]SystemsMutex
    • AdmSkynetJklS003
    • ____--->>>>U<<<<--____
    • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
  3. Deletes the registry entries:

    "My AV"
    "Zone Labs Client Ex"
    "9XHtProtect"
    "Antivirus "
    "Special Firewall Service"
    "service"
    "Tiny AV"
    "ICQNet"
    "HtProtect"
    "NetDy"
    "Jammer2nd"
    "FirewallSvr"
    "MsInfo"
    "SysMonXP"
    "EasyAV"
    "PandaAVEngine"
    "Norton Antivirus AV"
    "KasperskyAVEng"
    "SkynetsRevenge"
    "ICQ Net"

    from the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    in order to prevent other worms and security-related software from executing on Windows startup.
  4. Adds the value:

    "erghgjhjgdr" = "%System%\windlhhl.exe"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that it executes every time Windows starts.
  5. Attempts to connect to smtp.earthlink.net on port 25 to verify network connectivity. If the worm is unable to connect to the server, it quits.
  6. May create the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  7. If the date is August 10, 2006 or after, the worm simply quits.
  8. Attempts to access a Web site on the oceancareers.com domain and download a file as %Windir%\eml.exe. This file may contain email addresses.

    Note:
    • At the time of writing, this file was not available for download.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  9. Attempts to email a copy of Trojan.Tooso.B to the email addresses contained in the downloaded file.

    The email has the following characteristics:

    From:
    Spoofed

    Subject:
    Blank

    Message:
    The message is an HTML formatted message body and is composed of the following strings:
    New price
    price
    The password is
    Password:
    Pass -
    Password -

    Note: The message may include a password for the attachment.

    Attachment:
    One of the following:
    • price.zip
    • price2.zip
    • price_new.zip
    • price_08.zip
    • 08_price.zip
    • newprice.zip
    • new_price.zip
    • new__price.zip

      Notes:
    • There is a mechanism in the code to password-protect the zip file, but due to bugs in the code, this does not occur.
    • The .zip file contains a copy of Trojan.Tooso.B
  10. When sending mail, the worm attempts to use the MX record mail server of the domain of the recipient email address. The worm contacts the DNS server 217.5.97.137 on port 53 TCP to obtain MX records.
  11. Opens a backdoor on TCP port 80 which allows remote users to upload files.
  12. Attempts to download a file from itself via the backdoor on TCP port 80 as http://localhost/script1.php and save and execute the file as %System%\_re_file.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Security
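Added example (Python), not code from the post above or from any vendor writeup: a gateway-side triage for the delivery pattern it describes. It builds a constructed sample message in memory with the traits listed in the post (a price*.zip attachment, doc_01.exe inside it, a blank Subject, password hints in an HTML body) and flags each one, including whether the zip entries are actually encrypted, since the post says the worm's password protection never takes effect. The attachment payload is a placeholder "MZ" header plus zeros, not a real sample; the sender and recipient addresses and the generic *price*.zip pattern are assumptions.

```python
"""Gateway-side triage for the delivery pattern in the writeup above.

Added example, not code from the post or from any vendor writeup. It builds a
constructed sample message in memory (the attachment payload is an 'MZ' header
plus zeros, not a real program) and flags the traits the writeup lists: a
price*.zip attachment, an .exe inside it, whether the entries are actually
encrypted, a blank Subject and password hints in an HTML body.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names listed in the writeup.
KNOWN_ZIP_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
# Assumed generalisation: any *price*.zip name, not just the eight above.
PRICE_ZIP = re.compile(r"price.*\.zip$")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
PASSWORD_HINTS = ("the password is", "password:", "pass -", "password -")


def build_sample_message(zip_name="price_08.zip", member="doc_01.exe"):
    """Constructed sample: HTML body, no Subject, one zip attachment holding `member`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 64)   # placeholder bytes only
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # assumed addresses for the sample
    msg["To"] = "someone@example.invalid"
    msg.set_content("<html><body>New price<br>Password: 1234</body></html>", subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def triage(raw):
    """Return sorted finding tags for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = set()
    if not (msg["Subject"] or "").strip():
        findings.add("blank-subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        text = body.get_content().lower()
        if any(hint in text for hint in PASSWORD_HINTS):
            findings.add("password-hint-in-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ZIP_NAMES or PRICE_ZIP.search(name):
            findings.add("known-zip-name")
        if not name.endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.add("corrupt-zip")
            continue
        for info in zf.infolist():
            if info.filename.lower().endswith(EXEC_EXT):
                findings.add("exe-in-zip")
            # Bit 0 of the general-purpose flag marks an encrypted entry. The
            # writeup says the worm's password protection never engages, so a
            # gateway can open the archive and see the .exe without a password.
            findings.add("encrypted-entry" if info.flag_bits & 0x1 else "unencrypted-entry")
    return sorted(findings)


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Run as-is it prints the five tags for the constructed sample. On a gateway the same `triage()` would be fed each inbound message; the useful property here is that an unencrypted archive can be opened and its .exe member seen, which is exactly why the broken password mechanism makes this variant easier to stop than a properly encrypted one would be.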
09-20-2005, 10:54 PM   #2
Junior Member
Join Date: Sep 2005
Posts: 5
Re: W32.Beagle.BH@mm

Do you have to click on the .exe within the .zip file to infect your machine with the worm, or will your computer become infected just from having clicked on the .zip file?
Nuclear Dish
09-21-2005, 05:10 AM   #3
Junior Member
Join Date: Sep 2005
Posts: 5
Re: W32.Beagle.BH@mm

So the latest is that I have searched my hard drive for the windlhhl.exe file, and can't find it anywhere. So am I now to assume that I'm in the clear? Should I do a regedit anyway and be sure that no values were added to my registry?
Nuclear Dish
09-21-2005, 10:34 AM   #4
Administrator
Join Date: Apr 2004
Posts: 68
Re: W32.Beagle.BH@mm

Hi Nuclear Dish, and so sorry that you've experienced this scare - the problem is more one of whether you have actually run the program or not. Unzipping contents of a package containing a virus/trojan/worm is certainly not advisable practice, but so long as the actual executable file at the core of the virus package has not been run, there is a good chance of being safe.

You've done the right thing in trying to isolate if such a file exists on your machine, so about the best you can do now is simply to ensure that your virus protection is reputable and up-to-date, and additionally that you have a good Firewall (such as Zonealarm). In doing so, that should help your machine pick up such an infection and also ensure that the actual damage it can do is limited.

Hope that helps, and best of luck.
Security
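Added example (Python), not part of any post in this thread: the registry and file checks Nuclear Dish asked about, plus the network traits from post #1, written as an offline script. On a live Windows host the three inputs would be the text of `reg export` for the two Run keys, `netstat -ano`, and a listing of %System% and %Windir%; here they are constructed samples so the checks run anywhere. The PIDs, local address, and paths in the samples are made up; the indicator values themselves (the `erghgjhjgdr` Run value, the dropped file names, the TCP 80 listener and the DNS server 217.5.97.137) come from post #1.

```python
"""Offline indicator check for the W32.Beagle.BH@mm traits listed in post #1.

Added example, not part of any post in this thread. On a live Windows host the
three inputs would come from `reg export`, `netstat -ano` and a directory
listing of %System% and %Windir%; here they are constructed text so the checks
run anywhere. PIDs, paths and the local address in the samples are made up.
"""
import re

# Indicators taken from the writeup.
RUN_VALUE_NAME = "erghgjhjgdr"
DROPPED_FILES = {"windlhhl.exe", "eml.exe", "_re_file.exe"}
BACKDOOR_PORT = 80
HARDCODED_DNS = "217.5.97.137:53"
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)

# Constructed sample of `reg export "HKCU\...\Run"` output.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"erghgjhjgdr"="C:\\WINDOWS\\system32\\windlhhl.exe"
"""

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.5:1055       217.5.97.137:53        ESTABLISHED     1604
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed listing of %System% and %Windir%.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\windlhhl.exe",
    r"C:\WINDOWS\eml.exe",
]


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_reg_export(text):
    """Return {key (lower-cased): {value_name: data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes; undo that.
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows


def check_host(reg_text, netstat_text, files):
    """Return sorted finding tags; an empty list means none of the indicators matched."""
    findings = set()
    reg = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name == RUN_VALUE_NAME:
                findings.add("run-value:" + name)
            if basename(data) in DROPPED_FILES:
                findings.add("run-points-at:" + basename(data))
    for path in files:
        if basename(path) in DROPPED_FILES:
            findings.add("file:" + basename(path))
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        port = int(local.rsplit(":", 1)[-1])
        if proto == "TCP" and state == "LISTENING" and port == BACKDOOR_PORT:
            # A workstation has no business listening on 80; treat it as the
            # backdoor from step 11 until the owning PID is identified.
            findings.add("tcp80-listener-pid:%d" % pid)
        if proto == "TCP" and foreign == HARDCODED_DNS:
            findings.add("dns-over-tcp-to:" + HARDCODED_DNS)
    return sorted(findings)


if __name__ == "__main__":
    for tag in check_host(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(tag)
```

The absence of windlhhl.exe alone is not conclusive, which is why the script also looks at the Run value, the other two dropped files, and the listener on TCP 80; an empty result from all three inputs is a stronger "in the clear" than a single file search. A listener on 80 should be resolved to its process before being dismissed, since a real web server on the box would produce the same line.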
08-03-2006, 10:14 PM   #5
Junior Member
Join Date: Aug 2006
Posts: 1
Re: W32.Beagle.BH@mm

simply download xoftspy from www.free-scanner.com and get rid of the pest
portis
08-08-2006, 12:53 PM   #6
Senior Member
Join Date: May 2006
Posts: 267
Re: W32.Beagle.BH@mm

free scanner is great ...many thanks for the recommendation of it!
much appreciated!
vicki2