What is the Beagle.H worm?

Beagle.H is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password.

Also known as: W32/Bagle.h, W32/Bagle-H, I-Worm.Bagle.Gen, WORM_BAGLE.H

When Beagle.H is executed, it performs the following actions:

1. Creates the mutex named "imain_mutex." This mutex allows only one instance of the worm to execute.
   
   
2. Copies itself as %System%\i11r54n4.exe.
   
   
   If the worm is not executed from %System%\i11r54n4.exe, it will launch Notepad.exe.
   
   
3. Creates the following files:
   • %System%\go154o.exe: This is a .dll file with a .exe extension. This is a mass-mailer module, 19,968 bytes in size. This file is detected as W32.Beagle.A@mm.
   • %System%\i1i5n1j4.exe: This is a .dll file with a .exe extension, 1536 bytes in size, which loads go154o.exe.
   • %System%\i11r54n4.exeopen: This is a .zip file with password protection. The password is randomly assigned and is included in the text portion of the mail message.
     
     
4. Injects the .dll file, go154o.exe, into the address space of the Explorer.exe process to hide itself. This .dll file performs the mass-mailing routine.
   
   
5. Adds the value:
   
   "rate.exe"="%System%\i11r54n4.exe"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that W32.Beagle.H@mm runs when you start Windows.
   
   
6. Opens a backdoor on TCP port 2745.
   
   If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
   
   
7. Sends HTTP GET requests to the following Web sites on TCP port 80:
   
   postertog.de
   www.gfotxt.net
   www.maiklibis.de
   
   The GET request sends the port number on which the infected computer is listening, and the IP address.
   
   
8. Attempts to end the following processes, which are responsible for updating signatures of various antivirus programs:
   • Atupdater.exe
   • Aupdate.exe
   • Autodown.exe
   • Autotrace.exe
   • Autoupdate.exe
   • Avltmain.exe
   • Avpupd.exe
   • Avwupd32.exe
   • Avxquar.exe
   • Cfiaudit.exe
   • Drwebupw.exe
   • Icssuppnt.exe
   • Icsupp95.exe
   • Luall.exe
   • Mcupdate.exe
   • Nupgrade.exe
   • Outpost.exe
   • Update.exe
     
     
9. Scans files on the local drives if the files have the following extensions:
   .wab
   .txt
   .htm
   .html
   .dbx
   .mdx
   .eml
   .nch
   .mmf
   .ods
   .cfg
   .asp
   .php
   .pl
   .adb
   .sht
   
   and collects any email addresses it finds.
   
   
10. Uses its own SMTP engine to send itself to the email addresses found. The worm contains its own MIME-encoding routine and will compose the email in memory.
    
    
    The worm will not send email messages to addresses containing any of the following strings:
    • .gr
    • @hotmail.com
    • @msn.com
    • @microsoft
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@
      
      
11. To spread across file-sharing networks, such as Kazaa and iMesh, W32.Beagle.H@mm drops itself into folders that contain the string "shar" in their names. The worm uses the file names from the following list:
    
    • ACDSee 9.exe
    • Adobe Photoshop 9 full.exe
    • Ahead Nero 7.exe
    • Matrix 3 Revolution English Subtitles.exe
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Opera 8 New!.exe
    • Porno pics arhive, xxx.exe
    • Porno Screensaver.scr
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Serials.txt.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • WinAmp 6 New!.exe
    • Windown Longhorn Beta Leak.exe
    • Windows Sourcecode update.doc.exe
    • XXX hardcore images.exe

How to Remove the Beagle.H Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.H during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.H worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Removing Autostart Entries from the Registry

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   rate.exe = "%System%\I11R54N4.EXE"
   Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
   

3. Removing Other Entries from the Registry

1. Still in the Registry Editor, double-click the following in the left panel:
   HKEY_CURRENT_USER>Software>
2. In the same panel, locate and delete the key:
   winexe
3. Close Registry Editor.

4. Restarting the System

Since this malware injects malicious codes into the system file EXPLORER.EXE, restarting the system after registry restoration is necessary to remove the traces of this malware from memory.

5. Deleting the Malware Dropped Files

This procedure deletes the malware dropped files during its installation (after you have restarted your system).

1. Open Windows Explorer. Click Start>Run. Type Explorer, then press Enter.
2. In the left-hand panel, double-click access:
   %System%
   Note: %System% is the Windows system folder.
3. Locate and delete the following files:
   GO154O.EXE
   I11R54N4.EXE
   I11R54N4.EXEOPEN
   I1I5N1J4.EXE
4. Close Windows Explorer.

6. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.H, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: