
W32.Beagle.BQ@mm
Wednesday, 11 May 2005
W32.Beagle.BQ@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.

Type: Worm
Infection Length: 33,284 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Beagle.BQ@mm is executed, it performs the following actions:


Copies itself as the following file:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n


Adds the value:

"erthgdr" = "%System%\svc.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

Note: The worm does not restart when Windows starts, because the subkey name is misspelled ("Ru1n" instead of the "Run" key that Windows actually reads at startup).


Creates the following mutexes, which may prevent variants of Netsky from launching:


MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
DroppedSkyNet
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


Deletes the values:

"9XHtProtect"
"Antivirus "
"EasyAV"
"FirewallSvr"
"HtProtect"
"ICQ Net"
"ICQNet"
"Jammer2nd"
"KasperskyAVEng"
"MsInfo"
"My AV"
"NetDy"
"Norton Antivirus AV"
"PandaAV Engine"
"service"
"SkynetsRevenge"
"Special Firewall Service"
"SysMonXP"
"Tiny AV"
"ZoneLabs Client Ex"

from the following registry subkeys, if present:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n


Attempts to delete the following registry entries and exit, if the date is later than April 12, 2008:

HKEY_CURRENT_USER\SOFTWARE\ert
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\"erthgdr"


Attempts to download a file from a predetermined URL. The worm saves the file as %System%\e_file.exe and then executes it.


Opens a back door on TCP port 80, which may be used as a proxy server.


Attempts to access a Web site on the www.candspc.com and www.newberlinmagazine.com domains, and downloads a file saved as %Windir%\eml.exe.

Note: At the time of writing, this file was not available.


Attempts to email a Trojan.Tooso variant to email addresses that may be contained in the eml.exe file.

The email has the following characteristics:

From: Spoofed

Subject: Blank

Message body:
One of the following:

The password is
Password:

Attachment:
One of the following:

Make.rar
Price.rar
Forest.rar
Jokes.rar
Verses.rar
Fairy_tale.rar
It_about_you.rar
I_know_you.rar

Note: The file may contain an executable file that is a variant of Trojan.Tooso.

The worm will not send itself to addresses containing the following strings:

@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

To delete the value from the registry:
Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to and delete the following subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

Exit the Registry Editor.
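Before editing by hand, it helps to confirm which of the registry indicators described above (the misspelled "Ru1n" subkeys, the "erthgdr" value pointing at svc.exe, and the SOFTWARE\ert marker key) are actually present. The script below is an added example, not Symantec's removal tool; it assumes the input is the text of a `reg export` (.reg) file of HKCU or HKLM, and the sample export embedded in it is constructed for illustration.

```python
"""Triage helper: scan a Windows .reg export for the W32.Beagle.BQ@mm
registry indicators listed in this write-up. Added example, not the
vendor's tool. Input: text produced by `reg export HKCU hkcu.reg`."""

# Indicators taken from the write-up: the misspelled Run subkey the worm
# creates (the typo is also why it does not survive a reboot), the value
# name it adds, the binary it drops, and the marker key it later deletes.
SUSPECT_SUBKEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n",
    r"HKEY_CURRENT_USER\SOFTWARE\ert",
}
SUSPECT_VALUE = "erthgdr"
SUSPECT_BINARY = "svc.exe"

# Constructed sample export: one legitimate Run entry plus the worm's entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr"="C:\\WINDOWS\\System32\\svc.exe"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text. Minimal parser:
    handles [key] headers and "name"="string" lines; .reg escapes the
    backslashes in string data as \\ so they are unescaped here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_beagle_bq_indicators(reg_text):
    """Return a sorted list of findings; empty list means nothing matched."""
    wanted = {k.lower() for k in SUSPECT_SUBKEYS}
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in wanted:
            findings.append(f"subkey present: {key}")
        for name, data in values.items():
            # Flag the known value name, or any value that launches svc.exe.
            if name == SUSPECT_VALUE or data.lower().endswith(SUSPECT_BINARY):
                findings.append(f"value {name!r} = {data!r} under {key}")
    return findings and sorted(findings)
```

Run it against a real export with `find_beagle_bq_indicators(open("hkcu.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default.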