What
is the Beagle.M worm?
The Beagle.M is a polymorphic mass-mailing
worm that uses its own SMTP engine to spread
through email. Like previous Beagle variants,
this worm opens a backdoor (it listens on TCP
port 2556) and attempts to spread through
file-sharing networks by copying itself to
folders that contain "shar" in their
names. Beagle.M also infects files with the EXE
extension.
Also known as: Win32.Bagle.N,
Bagle.N, W32/Bagle.n@MM, W32/Bagle.N, W32/Bagle-N,
PE_BAGLE.N
When Beagle.M is executed, it performs the
following actions:
- Creates the following files:
- %System%\winupd.exe: A copy of the worm.
- %System%\winupd.exeopen: A copy of the
worm.
- %System%\winupd.exeopenopen: Either a
copy of the worm, a password-protected
zip, or an rar file that contains the
worm.
- %System%\winupd.exeopenopenopen: A .bmp
file containing an image of the password
for the zip/rar file. This file is only
created if winupd.exeopenopen is a
password-protected archive.
- Adds the value:
"winupd.exe"="%System%\winupd.exe"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that Beagle.M runs when you start
Windows.
- Terminates the following processes, which
include antivirus software, processes
associated with other worms, and system
utilities such as regedit and netstat:
- AGENTSVR.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ......
- Deletes the following values:
- 9XHtProtect
- Antivirus
- HtProtect
- ICQ Net
- ICQNet
- My AV
- Special Firewall Service
- Tiny AV
- Zone Labs Client Ex
- service
from the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Opens a backdoor on TCP port 2556.
If an attacker sends a specially formatted
data message to the port, the worm will allow
an arbitrary file to be downloaded to the %Windir%
folder. This file will be saved as %Windir%\iuplda<x>.exe,
where <x> is a random string of
characters.
- Attempts to spread across file-sharing
networks, such as Kazaa and iMesh, by copying
itself into folders that contain the string
"shar" in their names. The worm uses
the following file names:
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- Matrix 3 Revolution English
Subtitles.exe
- Microsoft Office 2003 Crack,
Working!.exe
- Microsoft Office XP working Crack,
Keygen.exe
- Microsoft Windows XP, WinXP Crack,
working Keygen.exe
- Opera 8 New!.exe
- Porno Screensaver.scr
- Porno pics arhive, xxx.exe
- Porno, sex, oral, anal cool,
awesome!!.exe
- Serials.txt.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- WinAmp 6 New!.exe
- Windown Longhorn Beta Leak.exe
- Windows Sourcecode update.doc.exe
- XXX hardcore images.exe
- Searches local fixed drives and attempts to
infect the files with the EXE extension. The
infection routine is polymorphic and appends
the worm to the file.
- Searches local fixed drives for the files
with the following extensions, and collects
email addresses from them:
- adb
- asp
- cfg
- cgi
- dbx
- dhtm
- eml
- htm
- jsp
- mbx
- mdx
- mht
- mmf
- msg
- nch
- ods
- oft
- php
- pl
- sht
- shtm
- stm
- tbb
- txt
- uin
- wab
- wsh
- xls
- xml
- Uses its own SMTP engine to send itself to
the email addresses it collected. The worm
contains its own MIME-encoding routine and
will compose the email in memory.
10. The worm will not send email messages to
the addresses containing any of the following
strings:
- @avp.
- @foo
- @hotmail.com
- @iana
- @messagelab
- @microsoft
- @msn
- abuse
- admin
- anyone@
- bsd
- bugs@
- cafee
- certific
- contract@
- f-secur
- feste
- free-av
- gold-certs@
- google
- help@
- icrosoft
- info@
- kasp
- linux
- listserv
- local
- nobody@
- noone@
- noreply
- ntivi
- panda
- pgp
- postmaster@
- rating@
- root@
- samples
- sopho
- spam
- support
- unix
- winrar
- winzip
How to Remove the Beagle.M Worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Beagle.M during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps
in removing the Beagle.M worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: "How
to disable or enable Windows Me/XP System Restore".
2. Terminating the Malware Program
- Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
- In the list of running programs*, locate the
process:
WINUPD or WINUPD.EXE
- Select the malware process, then press
either the End Task or the End Process button,
depending on the version of Windows on your
system.
- To check if the malware process has been
terminated, close Task Manager, and then open
it again.
- Close Task Manager.
3. Removing Autostart Entries from the
Registry
- Open Registry Editor. To do this, click
Start>Run, type Regedit, then press Enter.
- In the left panel, double-click the
following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
- In the right panel, locate and delete the
entry:
"winupd.exe"="%System%\winupd.exe"
Note: %System% is the Windows system
folder, which is usually C:\Windows\System on
Windows 95, 98 and ME, C:\WINNT\System32 on
Windows NT and 2000, and C:\Windows\System32
on Windows XP.
4. Removing Other Entries from the Registry
- Still in the Registry Editor, double-click
the following in the left panel:
HKEY_CURRENT_USER>winupd
- Close Registry Editor.
5. Deleting the Malware Dropped Files
This procedure deletes the malware dropped
files during its installation (after you have
restarted your system).
- Right-click Start then click Search. or
Find. depending on your version of Windows.
- In the Named input box, type:
WINUPD.EXE;WINUPD.EXEOPEN;WINUPD.EXEOPENOPEN;
WINUPD.EXEOPENOPENOPEN
- In the Look In drop-down list, select the
drive which contains Windows, then press
Enter.
- Once located, select the files then press
Delete.
6. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
7. Run a full system scan and delete all the
files detected as Beagle.M.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Beagle.M, click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
|
