What is the Beagle.D worm?
Also known as: Bagle.D
This variant of Beagle.C spreads via email by sending out messages with the following details:
From: (address is spoofed or forged)
Subject: (any of the following)
Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
......
Message body: (blank)
Attachment: <random file name>.zip
When executed, this worm drops the following files in the Windows system folder:
- README.EXE - worm copy
- ONDE.EXE - DLL mailing component
- DOC.EXE - DLL loader component
- README.EXEOPEN - contains the randomly-named zipped copy of README.EXE that is used as the worm email attachment
Note that if this worm is executed from a file with a name or location other than README.EXE in the Windows system folder, it opens a blank Notepad (NOTEPAD.EXE) window.
This worm opens port 2745 and accepts remote commands on that port, so an infected machine is also remotely controllable. It announces the infection by contacting certain Web sites, and it may also contact a remote machine at 151.201.0.39 for DNS services.
It also attempts to terminate certain processes that antivirus programs use to update their signatures, so an infected machine's antivirus may silently stop receiving updates.
How to Remove the Beagle.D Worm?
Kaspersky Internet Security can protect you from viruses and intrusions.
If Kaspersky detects Beagle.D during a scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.
Otherwise, follow these steps to remove the Beagle.D worm.
1. Disabling System Restore (Windows Me/XP)
System Restore keeps copies of files in restore points, so an infected file saved there can be restored after cleaning; turn it off before removing the worm. For instructions on how to turn off System Restore, read your Windows documentation or the article "How to disable or enable Windows Me/XP System Restore".
2. Removing Autostart Entries from the Registry
- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
- In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry:
gouday.exe = "%System%\readme.exe"
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
3. Removing Other Entries from the Registry
- Still in Registry Editor, double-click the following in the left panel:
HKEY_CURRENT_USER>Software
- Under Software, locate and delete the key the worm created:
DateTime3
- Close Registry Editor.
4. Deleting the Malware Dropped Files
This procedure deletes the files the malware dropped during its installation.
- Open Windows Explorer. Click Start>Run, type Explorer, then press Enter.
- In the left-hand panel, open the Windows system folder (%System%, see the note in step 2; on Windows NT/2000 this is C:\WINNT\System32).
- Locate and delete the following file:
README.EXEOPEN
- Close Windows Explorer.
The remaining dropped files (README.EXE, ONDE.EXE and DOC.EXE) are handled by the full scan in step 6; README.EXE cannot be deleted by hand while the worm process is still running, so do not be surprised if Windows refuses to remove it here.
5. Updating the virus definitions
Update your antivirus software's virus definitions before scanning, so that the scan can recognise Beagle.D. If you do not know which antivirus software provides strong protection, Kaspersky Internet Security is recommended.
6. Run a full system scan and delete all files detected as Beagle.D.
- Start Kaspersky Internet Security and make sure it is configured to scan all files.
- Run a full system scan.
- If any files are detected as infected with Beagle.D, click Delete.
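The checks in steps 2 to 4, together with the indicators from the description above (the dropped files, the autostart entry, the DateTime3 key and the listener on port 2745), can be run as one script. The following is an added example, not part of the original page or of any vendor's tool. It assumes Windows PowerShell 5.1 or later on the infected host (the procedure above targets Windows 9x/NT/2000/XP with Regedit and Explorer instead), that it runs as the infected user from an elevated prompt, and that the port 2745 backdoor is a TCP listener; the process names readme, onde and doc are taken from the dropped-file list.

```powershell
# Added example (not from the original page): hunt for the Beagle.D indicators
# described above and remove them, automating removal steps 2 to 4.
# Assumptions: Windows PowerShell 5.1+, run as the infected user from an elevated
# prompt; port 2745 is assumed to be a TCP listener. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$system    = [Environment]::GetFolderPath('System')   # resolves %System% on this host
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'gouday.exe'                              # autostart entry from step 2
$markerKey = 'HKCU:\Software\DateTime3'                # registry key from step 3
$dropped   = 'README.EXE', 'ONDE.EXE', 'DOC.EXE', 'README.EXEOPEN' |
             ForEach-Object { Join-Path $system $_ }   # files from the description
$backdoorPort = 2745

$hits = [System.Collections.Generic.List[string]]::new()

# Indicator 1: autostart value pointing at %System%\readme.exe
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run -and $run.$runValue -like '*\readme.exe') {
    $hits.Add("Run value $runValue = $($run.$runValue)")
    if ($PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove autostart value')) {
        Remove-ItemProperty -Path $runKey -Name $runValue
    }
}

# Indicator 2: the DateTime3 key the worm creates under HKCU\Software
if (Test-Path -LiteralPath $markerKey) {
    $hits.Add("Registry key $markerKey")
    if ($PSCmdlet.ShouldProcess($markerKey, 'Remove key')) {
        Remove-Item -LiteralPath $markerKey -Recurse -Force
    }
}

# Indicator 3: the backdoor listener on port 2745. Get-NetTCPConnection exists
# on Windows 8 / Server 2012 and later; fall back to netstat on older hosts.
$listening = if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -LocalPort $backdoorPort -State Listen -ErrorAction SilentlyContinue
} else {
    netstat -ano | Select-String ":$backdoorPort\s.*LISTENING"
}
if ($listening) {
    $hits.Add("Port $backdoorPort is listening (remote-command backdoor)")
}

# Indicator 4: dropped files in %System%. The running worm keeps README.EXE
# locked, so stop the worm processes (only those living in %System%) first.
$present = $dropped | Where-Object { Test-Path -LiteralPath $_ }
if ($present) {
    $present | ForEach-Object { $hits.Add("File $_") }
    Get-Process -Name readme, onde, doc -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and (Split-Path $_.Path -Parent) -ieq $system } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop process')) {
                Stop-Process -Id $_.Id -Force
            }
        }
    foreach ($f in $present) {
        if ($PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'No Beagle.D indicators found.'
} else {
    Write-Host "Beagle.D indicators found:`n - $($hits -join "`n - ")"
    Write-Host 'Update the antivirus definitions and run a full scan (steps 5 and 6).'
}
```

Run it once with -WhatIf to see what would be removed without touching anything, then without -WhatIf to clean. A hit on port 2745 without any of the file or registry indicators means the host does not match this description exactly and deserves a closer look rather than an automated clean; the script deliberately removes only the specific value, key and files named on this page, and it still has to be followed by the updated full scan in step 6.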
How to Keep My Computer Protected from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have mail filtering tools installed, configure them to reject messages with the characteristics described above (a spoofed sender, one of the listed subjects, a blank body and a randomly named .zip attachment). If, in spite of this, you receive a message that contains the virus, do not open it and do not run the attached file; delete it, and delete it from the Deleted Items folder as well.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them. Remember that this worm tries to kill the processes antivirus programs use to update, so check that updates are actually arriving.
- Keep your permanent (real-time) antivirus protection enabled at all times.
Detection and Removal Instructions for Other Variants: