What is the Beagle.O worm?

Beagle.O is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. The worm opens a backdoor on TCP port 2556 and attempts to spread through file-sharing networks by copying itself to the folders that contain "shar" in their names. Beagle.O also infects the files with the .exe file extension.

Also known as: W32.Bagle.Q, Bagle.Q, W32/Bagle.Q, W32/Bagle-Q, PE_Bagle.Q, W32.Beagle.Q@mm

When Beagle.O is executed, it performs the following actions:

1. If the system clock's year is 2006 or later, the worm will do the following:
   
   1. Deletes the key:
      
      HKEY_CURRENT_USER\SOFTWARE\windirects
      
      
   2. Deletes the value:
      
      "directs.exe"="%System%\directs.exe"
      
      from the registry key:
      
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      
      if the value is present, so that Beagle.O does not restart when you start Windows.
      
      
   3. Quits all the Beagle.O functions.
      
      
2. Creates the following files:
   
   • %System%\directs.exe
   • %System%\directs.exeopen
     
     
3. Adds the value:
   
   "directs.exe"="%System%\directs.exe"
   
   to the registry key:
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that Beagle.O runs when you start Windows.
   
   
4. Adds the key:
   
   HKEY_CURRENT_USER\SOFTWARE\windirects
   
   to keep track of the infection progress.
   
   
5. Terminates the following processes, which include antivirus software, processes associated with other worms, and system utilities such as regedit.exe and netstat.exe:
   
   • AGENTSVR.EXE
   • ANTI-TROJAN.EXE
   • ANTIVIRUS.EXE
   • ANTS.EXE
   • APIMONITOR.EXE
   • APLICA32.EXE
   • APVXDWIN.EXE
   • ATCON.EXE
   • ATGUARD.EXE
   • ATRO55EN.EXE
   • ATUPDATER.EXE
   • ATWATCH.EXE
   • AUPDATE.EXE
   • ......
     
     
6. Deletes the following values:
   
   • 9XHtProtect
   • Antivirus
   • HtProtect
   • ICQ Net
   • ICQNet
   • My AV
   • NetDy
   • Special Firewall Service
   • Tiny AV
   • Zone Labs Client Ex
   • service
     
     from the registry keys:
     
   • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Run
   • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
     \Run
     
     
7. Opens a backdoor on TCP port 2556.
   
   If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
   
   
8. Attempts to spread across file-sharing networks, such as Kazaa and iMesh, by copying itself into folders that contain the string, "shar," in their names.
   
   The worm uses the following file names:
   
   • ACDSee 9.exe
   • Adobe Photoshop 9 full.exe
   • Ahead Nero 7.exe
   • Matrix 3 Revolution English Subtitles.exe
   • Microsoft Office 2003 Crack, Working!.exe
   • Microsoft Office XP working Crack, Keygen.exe
   • Microsoft Windows XP, WinXP Crack, working Keygen.exe
   • Opera 8 New!.exe
   • Porno Screensaver.scr
   • Porno pics arhive, xxx.exe
   • Porno, sex, oral, anal cool, awesome!!.exe
   • Serials.txt.exe
   • WinAmp 5 Pro Keygen Crack Update.exe
   • WinAmp 6 New!.exe
   • Windown Longhorn Beta Leak.exe
   • Windows Sourcecode update.doc.exe
   • XXX hardcore images.exe
     
     
9. Searches the local fixed drives and attempts to infect the .exe files. The infection routine is polymorphic and appends the worm to the file.
   
   
10. Searches the local fixed drives for the files with the following extensions, and collects email addresses from them:
    
    • .adb
    • .asp
    • .cfg
    • .cgi
    • .dbx
    • .dhtm
    • .eml
    • .htm
    • .jsp
    • .mbx
    • .mdx
    • .mht
    • ......
      
      
11. Uses its own SMTP engine to send itself to the email addresses that it collected. The worm contains its own MIME-encoding routine and will compose the email in memory.
    
    

  13. The worm will not send email messages to addresses containing any of the following strings:

• @avp.
• @foo
• @hotmail.com
• @iana
• @messagelab
• @microsoft
• @msn
• abuse
• admin
• ......

How to Remove the Beagle.O Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Beagle.O during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Beagle.O worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Reversing the changes made to the registry

• Click Start, and then click Run. (The Run dialog box appears.)
• Type regedit
  
  Then click OK. (The Registry Editor opens.)
  
  
• Navigate to the key:
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  
  
• In the right pane, delete the value:
  
  "directs.exe"="%System%\directs.exe"
  
  
• Delete the key:
  
  HKEY_CURRENT_USER\SOFTWARE\windirects
  
  
• Exit the Registry Editor.
  
  
• Restart the computer in Normal mode.

3. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Beagle.O, click Delete.

5. Obtaining the Microsoft HotFix to correct the Microsoft Internet Explorer Object Tag vulnerability

Beagle.O is a worm that exploits the Microsoft Internet Explorer Object Tag vulnerability. To fix this, it is important to obtain the patch as described in Microsoft Security Bulletin MS03-040.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: