What is the Beagle.G worm?

Beagle.G is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. Beagle.G also attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into the directories that contain "shar" in their names.

Also known as: Bagle.G, I-Worm.Bagle.g, WORM_BAGLE.G

When Beagle.G is executed, it performs the following actions:

1. Checks the computer date, and if it is after March 25, 2004, the worm will uninstall itself and exit.
   
   
2. Creates a mutex named "imain_mutex," which allows only one instance of the worm to execute.
   
   
3. Copies itself as %System%\i1ru54n4.exe.
   
   
4. Creates the following files:
   
   • %System%\go54o.exe (A .dll file with a .exe extension. This is a mass-mailer module, 18,944 bytes in size. Virus definitions dated prior to February 28, 2004, detected this file as Beagle.A.)
   • %System%\ii5nj4.exe (A .dll file with an .exe extension, 1536 bytes in size, which loads go54o.exe).
   • %System%\i1ru54n4.exeopen (A .zip file).
     
     
5. Injects the .dll file, go54o.exe, into the address space of the explorer.exe process to hide itself. This .dll file performs the mass-mailing routine.
   
   
6. Adds the value:
   
   "rate.exe"="%System%\i1ru54n4.exe"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that W32.Beagle.G@mm runs when you start Windows.
   
   
7. Adds the value:
   
   "frun"="1"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\winword
   
   
8. Opens a backdoor on TCP port 2745.
   
   If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
   
   
9. Notifies the hacker by passing details for connecting with a compromised machine to the remote PHP scripts, located on the following Web sites:
   
   • postertog.de/scr.php
   • www.gfotxt.net/scr.php
   • www.maiklibis.de/scr.php
     
     
10. Attempts to end the following processes, which appear to be programs used to update various antivirus programs:
    
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVLTMAIN.EXE
    • AVPUPD.EXE
    • AVWUPD32.EXE
    • AVXQUAR.EXE
    • CFIAUDIT.EXE
    • DRWEBUPW.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • LUALL.EXE
    • MCUPDATE.EXE
    • NUPGRADE.EXE
    • OUTPOS1T.EXE
    • UPDATE.EXE
      
      
11. Scans the local drives for the email addresses in the files with the following extensions:
    
    • .adb
    • .asp
    • .cfg
    • .dbx
    • .eml
    • .htm
    • .mdx
    • .mmf
    • .nch
    • .ods
    • .php
    • .pl
    • .sht
    • .tbb
    • .txt
    • .wab
    • .xml
      
      
12. Uses its own SMTP engine to send itself to the email addresses found in the above files. This worm contains its own MIME-encoding routine, and it will compose the email in memory and send it to all the email addresses it finds. The email attachment is in the format of an executable, zip or password protected zip file.
    
    
13. To spread across file-sharing networks, such as Kazaa and iMesh, W32.Beagle.F@mm drops itself into folders that contain the string "shar" in their names. The worm picks up file names for the dropped files from the following list:
    
    • ACDSee 9.exe
    • Adobe Photoshop 9 full.exe
    • Ahead Nero 7.exe
    • Matrix 3 Revolution English Subtitles.exe
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Opera 8 New!.exe
    • Porno pics arhive, xxx.exe
    • Porno Screensaver.scr
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Serials.txt.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • WinAmp 6 New!.exe
    • Windown Longhorn Beta Leak.exe
    • Windows Sourcecode update.doc.exe
    • XXX hardcore images.exe

How to Remove the Beagle.G Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.G during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.G worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Removing Autostart Entries from the Registry

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   rate.exe = "%System%\ i1ru54n4.exe"
   Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
   

3. Removing Other Entries from the Registry

1. Still in the Registry Editor, double-click the following in the left panel:
   HKEY_CURRENT_USER>Software>winword
2. In the same panel, locate and delete the key:
   winword
3. Close Registry Editor.

4. Restarting the System

Since this malware injects malicious codes into the system file EXPLORER.EXE, restarting the system after registry restoration is necessary to remove the traces of this malware from memory.

5. Deleting the Malware Dropped Files

This procedure deletes the malware dropped files during its installation (after you have restarted your system).

1. Open Windows Explorer. Click Start>Run. Type Explorer, then press Enter.
2. In the left-hand panel, double-click access:
   %System%
   Note: %System% is the Windows system folder.
3. Locate and delete the following files:
   i1ru54n4.exe
   go54o.exe
   ii5nj4.exe
   i1ru54n4.exeopen
4. Close Windows Explorer.

6. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.G, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: