What is the Beagle.J/Bagle.J worm?

Beagle.J is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. Beagle.J also attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.

The email has the following characteristics:
From: spoofed to appear as though its coming from the one of the following addresses at the recipient's domain:

• management
• administration
• staff
• noreply
• support

Also known as: Bagle.J, I-Worm.Bagle.j, WORM_BAGLE.J, Win32.Bagle.J, W32/Bagle-J

How Does the Beagle.J/Bagle.J Worm Infect My Computer?

• Copies itself as %System%\irun4.exe.
  
  
• Creates the file %System%\irun4.exeopen, which is a .zip file with password protection. The password is randomly assigned and is included in the text portion of the mail message.
  
  
• Adds the value:
  
  "srate.exe"="%System%\irun4.exe"
  
  to the registry key:
  
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  so that W32.Beagle.J@mm runs when you start Windows.
  
  
• Opens a backdoor on TCP port 2745.
  
  If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
  
  
• Sends HTTP GET requests to the following Web sites on TCP port 80:
  
  • postertog.de
  • www.gfotxt.net
  • www.maiklibis.de
    
    The GET request sends the port number on which the infected computer is listening, and the IP address.
    
    
• Attempts to end the following processes, which are responsible for updating signatures of various antivirus programs:
  
  • Atupdater.exe
  • Aupdate.exe
  • Autodown.exe
  • Autotrace.exe
  • Autoupdate.exe
  • Avltmain.exe
  • Avpupd.exe
  • Avwupd32.exe
  • Avxquar.exe
  • Cfiaudit.exe
  • Drwebupw.exe
  • Icssuppnt.exe
  • Icsupp95.exe
  • Luall.exe
  • Mcupdate.exe
  • Nupgrade.exe
  • Outpost.exe
  • Update.exe
    
    
• Scans files on the local drives with the following extensions:
  
  • .wab
  • .txt
  • .msg
  • .htm
  • .xml
  • .dbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .adb
  • .tbb
  • .sht
  • .uin
  • .cgi
    
    and collects any email addresses it finds.
    
    
• To spread across file-sharing networks, such as Kazaa and iMesh, W32.Beagle.J@mm drops itself into folders that contain the string "shar" in their names. The worm uses file names from the following list:
  
  • ACDSee 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • Matrix 3 Revolution English Subtitles.exe
  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Opera 8 New!.exe
  • Porno pics arhive, xxx.exe
  • Porno Screensaver.scr
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Serials.txt.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • WinAmp 6 New!.exe
  • Windown Longhorn Beta Leak.exe
  • Windows Sourcecode update.doc.exe
  • XXX hardcore images.exe
    
    
• Uses its own SMTP engine to send itself to the email addresses found. The worm contains its own MIME-encoding routine and will compose the email in memory.
  

How Can I Remove the Beagle.J/Bagle.J Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.J during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.J worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to the key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value:
   
   "srate.exe"="%System%\irun4.exe"
   
   
5. Exit the Registry Editor.
   
   
6. Restart the computer.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.J, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: