What is the Beagle.C worm?

Beagle.C is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds using its own SMTP engine.

Also known as: W32.Beagle.A@mm, W32/Bagle.c@MM, WORM_BAGLE.C, Win32.Bagle.C, W32/Bagle-C, I-Worm.Bagle.c

How Does the Beagle.C Worm Infect My Computer?

1. Checks the computer date, and if it is after March 14, 2004, the worm will exit.
   
   
2. Creates a mutex named "imain_mutex," which allows only one instance of the worm to execute.
   
   
3. If the worm is not executed from %System%\readme.exe, it will launch notepad.exe, which is the Notepad text editor.
   
   
4. Copies itself as %System%\readme.exe.
   
   
5. Creates the following files:
   
   • %System%\onde.exe (18,944 bytes): DLL file, mass-mailer module, detected as W32.Beagle.A@mm
   • %System%\doc.exe (1,536 bytes): DLL file, the loader of onde.exe
   • %System%\readme.exeopen (15,994 bytes): ZIP file
     
     
6. Injects onde.exe as a DLL into the address space of the explorer.exe process. This DLL performs the mass mailing.
   
   
7. Adds the value:
   
   "gouday.exe"="%System%\readme.exe"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that W32.Beagle.C@mm runs when you start Windows.
   
   
8. Adds the values:
   
   "uid"="[Random Value]"
   "port"="2745"
   "frun"="1"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\DateTime2
   
   The attacker uses the random value inserted in the "uid" value as a unique identifier.
   
   
9. Opens a backdoor on TCP port 2745.
   
   If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
   
   
10. Sends HTTP GET requests to the following Web sites on TCP port 80:
    
    • permail.uni-muenster.de
    • www.songtext.net/de
    • www.sportscheck.de
      
      
      The GET request includes the port number on which the infected computer listens, and the ID number saved in the "uid" key in the Windows registry. Also, by connecting to the Web server, the IP address is sent.
      
      
11. Attempts to end the following processes, which appear to be responsible for updating the signatures of the various antivirus programs:
    
    • ATUPDATER.EXE
    • AVWUPD32.EXE  
    • AVPUPD.EXE    
    • LUALL.EXE    
    • DRWEBUPW.EXE  
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE  
    • UPDATE.EXE    
    • NUPGRADE.EXE  
    • ATUPDATER.EXE
    • AUPDATE.EXE  
    • AUTODOWN.EXE  
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE  
    • CFIAUDIT.EXE  
    • MCUPDATE.EXE  
    • NUPGRADE.EXE  
    • OUTPOST.EXE  
    • AVLTMAIN.EXE  
      
      
12. Scans the local drives for the email addresses in the files with the following extensions:
    
    • .wab
    • .txt
    • .htm
    • .html
    • .dbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .adb
    • .sht
      
      
13. Uses its own SMTP engine to send itself to the email addresses found in those files. This worm contains its own MIME-encoding routine, and it will compose the email in memory and send it to all the email addresses it finds.
    

How to Remove the Beagle.C Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.C during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.C worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Reversing the changes that the worm made to the registry and restart the computer

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to the key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value:
   
   "gouday.exe"="%System%\readme.exe"
   
   
5. Navigate to the key:
   
   HKEY_CURRENT_USER\SOFTWARE\DateTime2
   
   
6. In the right pane, delete the values:
   
   "uid"="[Random Value]"
   "port"="2745"
   "frun"="1"
   
   
7. Exit the Registry Editor.
   
   
8. Restart the computer.

3. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.C, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: