What is the Beagle.N worm?

Beagle.N is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556), and attempts to spread through file-sharing networks by copying itself to the folders that contain "shar" in their names. Beagle.N also infects files with the EXE extension.

Also known as: Win32.Bagle.O, Bagle.P@mm, W32/Bagle.p@MM, W32/Bagle.O, W32/Bagle-O, PE_BAGLE.P

When Beagle.N is executed, it performs the following actions:

1. Creates the following files:
   
   • %System%\winupd.exe: A copy of the worm.
   • %System%\winupd.exeopen: A copy of the worm.
   • %System%\winupd.exeopenopen: either a copy of the worm, or a password-protected zip or rar file that contains the worm.
   • %System%\winupd.exeopenopenopen: A .bmp file containing an image of the password for the zip/rar file. This file is only created if winupd.exeopenopen is a password-protected archive.
     
     
2. Adds the value:
   
   "winupd.exe"="%System%\winupd.exe"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that Beagle.N runs when you start Windows.
   
   
3. Terminates the following processes, which include antivirus software, processes associated with other worms, and system utilities such as regedit and netstat:
   
   • AGENTSVR.EXE
   • ANTI-TROJAN.EXE
   • ANTIVIRUS.EXE
   • ANTS.EXE
   • APIMONITOR.EXE
   • APLICA32.EXE
   • APVXDWIN.EXE
   • ATCON.EXE
   • ATGUARD.EXE
   • ATRO55EN.EXE
   • ......
     
     
4. Deletes the following values:
   
   9XHtProtect
   Antivirus
   HtProtect
   ICQ Net
   ICQNet
   My AV
   Special Firewall Service
   Tiny AV
   Zone Labs Client Ex
   service
   
   from the registry keys:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   
   
5. Opens a backdoor on TCP port 2556.
   
   If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
   
   
6. Attempts to spread across file-sharing networks, such as Kazaa and iMesh, by copying itself into folders that contain the string "shar" in their names. The worm uses the following file names:
   
   • ACDSee 9.exe
   • Adobe Photoshop 9 full.exe
   • Ahead Nero 7.exe
   • Matrix 3 Revolution English Subtitles.exe
   • Microsoft Office 2003 Crack, Working!.exe
   • Microsoft Office XP working Crack, Keygen.exe
   • Microsoft Windows XP, WinXP Crack, working Keygen.exe
   • Opera 8 New!.exe
   • Porno Screensaver.scr
   • Porno pics arhive, xxx.exe
   • Porno, sex, oral, anal cool, awesome!!.exe
   • Serials.txt.exe
   • WinAmp 5 Pro Keygen Crack Update.exe
   • WinAmp 6 New!.exe
   • Windown Longhorn Beta Leak.exe
   • Windows Sourcecode update.doc.exe
   • XXX hardcore images.exe
     
     
7. Searches local fixed drives and attempts to infect the .exe files. The infection routine is polymorphic and appends the worm to the file.
   
   
8. Searches local fixed drives for the files with the following extensions, and collects email addresses from them:
   
   • adb
   • asp
   • cfg
   • cgi
   • dbx
   • dhtm
   • eml
   • htm
   • jsp
   • mbx
   • mdx
   • mht
   • mmf
   • msg
   • nch
   • ods
   • oft
   • php
   • pl
   • sht
   • shtm
   • stm
   • tbb
   • txt
   • uin
   • wab
   • wsh
   • xls
   • xml
     
     
9. Uses its own SMTP engine to send itself to the email addresses it collected. The worm contains its own MIME-encoding routine and will compose the email in memory.
   
   

• @avp.
• @foo
• @hotmail.com
• @iana
• @messagelab
• @microsoft
• @msn
• abuse
• admin
• ......

How to Remove the Beagle.N Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.N during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.N worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Terminating the Malware Program

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press
   CTRL+ALT+DELETE
   On Windows NT/2000/XP systems, press
   CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the process:
   WINUPD
   WINUPD.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

3. Removing Autostart Entries from the Registry

1. Click the My Computer Icon on the desktop.
2. Go to the %Windows% folder and right-click on the file REGEDIT.EXE
   Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT)
3. Choose the rename option and change the file name to REGEDIT.COM. Double-click this file.
4. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Windows>
   CurrentVersion>Run
5. In the right panel, locate and delete the entry:
   winupd.exe = %System%\winupd.exe
   Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.

4. Removing Other Entries from the Registry

1. Still in the Registry Editor, in the left panel, locate and delete the following registry key:
   HKEY_CURRENT_USER>winupd
2. Close Registry Editor.
3. Click Start>Run, then type:
   command /c ren %Windows%\regedit.com %Windows%\regedit.exe

5. Deleting the Malware Dropped Files

This procedure deletes the malware dropped files during its installation (after you have restarted your system).

1. Right-click Start then click Search. or Find. depending on your version of Windows.
2. In the Named input box, type:
   WINUPD.EXE
   WINUPD.EXEOPEN
   WINUPD.EXEOPENOPEN
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
4. Once located, select the file then hit Delete.

6. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.N, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: