What is the Beagle.E/Bagle.E worm?

Beagle.E is a mass-mailing worm. The worm primarily spreads through e-mail and will be independent of the victim's e-mail client. Beagle.E will also create a security hole, which is also known as a backdoor, on the victim's machine. This backdoor component will allow a remote attacker to penetrate the victim's machine. To create the backdoor functionality, the worm opens TCP port 2745.

The email that the worm constructs has the following characteristics:

• The From field will contain a spoofed e-mail address, which means that the email will most likely contain an email address of someone you know, even if the worm did not originate from that person.
• The Subject field is selected from a list of different phrases available to the worm itself. Thus, the subject line of the email varies from one email to another.
• The Attachment file name field, which is the file name of the worm attached to the email, contains a set of random characters, followed by the file extension ".zip."

Also known as: Bagle.E, I-Worm.Bagle.e, WORM_BAGLE.E, Win32.Bagle.E, W32/Bagle-E

How Does the Beagle.E/Bagle.E Worm Infect My Computer?

• Checks the computer date, and if it is after March 25th, 2004, the worm will quit and uninstall itself.
  
  
• Creates a mutex named "imain_mutex." This mutex allows only one instance of the worm to execute.
  
  
• Copies itself as %System%\i1ru74n4.exe.
  
  
• If a copy of the worm has been executed, and this copy of the worm does not have the file name i1ru74n4.exe, or this copy of the worm does not reside in the System folder, then the worm will also launch the Notepad text editor, notepad.exe.
  
  
• Creates the following files:
  
  • %System%\godo.exe (A .dll file with a .exe extension. This is a mass-mailer module, 18,944 bytes in size. Virus definitions dated prior to February 28, 2004, detected this file as Beagle.B.)
  • %System%\ii455nj4.exe (A .dll file with a .exe extension, 1536 bytes in size, which loads godo.exe.)
  • %System%\i1ru74n4.exeopen (A .zip file.)
    
    
• Injects the .dll file, godo.exe, into the address space of the explorer.exe process to hide itself. This .dll file performs the mass-mailing routine.
  
  
• Adds the value:
  
  "rate.exe"="%System%\i1ru74n4.exe"
  
  to the registry key:
  
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  so that W32.Beagle.E@mm runs when you start Windows.
  
  
• Attempts to add the values:
  
  • "uid"="[Random Value]"
  • "port"="2745"
  • "frun"="1"
    
    to the registry key:
    
    HKEY_CURRENT_USER\SOFTWARE\DateTime4
    
    
• Opens a backdoor on TCP port 2745.
  
  If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
  
  
• Sends HTTP GET requests to the following Web sites on TCP port 80:
  
  • permail.uni-muenster.de
  • www.songtext.net/de
  • www.sportscheck.de
    
    The GET request sends the port number on which the infected computer is listening, the ID number saved in the "uid" value in the Windows registry key above, and the IP address.
    
    
• Attempts to end the following processes, which appear to be responsible for updating the signatures of the various antivirus programs:
  
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVLTMAIN.EXE
  • AVPUPD.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • UPDATE.EXE
    
    
• Scans files with the following extensions on the local drives:
  
  • .wab
  • .txt
  • .htm
  • .html
  • .dbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .adb
  • .sht
    
    and collects any email addresses it finds.
    
    
• Uses its own SMTP engine to send itself to the email addresses found. The worm contains its own MIME-encoding routine, and will compose the email in memory.
  

How Can I Remove the Beagle.E/Bagle.E Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.E during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.E worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

• Click Start, and then click Run. (The Run dialog box appears.)
• Type regedit
  
  Then click OK. (The Registry Editor opens.)
  
• Navigate to the key:
  
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
• In the right pane, delete the value:
  
  "rate.exe"="%System%\i1ru74n4.exe"
  
• Navigate to and delete the key:
  
  HKEY_CURRENT_USER\SOFTWARE\DateTime4
  
• Exit the Registry Editor.
  
• Restart the computer.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.E, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: