What is the Beagle.T worm?
Beagle.T is a variant of Beagle.O. This worm attempts to send an HTML email to addresses found in files on an infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability, which allows the automatic download and execution of a file hosted on a remote Web site. This file is a copy of the worm, but may change in the future.
The worm also opens a backdoor, starts a Web server on TCP port 81 to serve the worm, and attempts to spread through file-sharing networks by copying itself to folders with "shar" in their names. The worm is also a file infector that appends itself to the .exe files found in the c:\emails folder on the computer.
Also known as: W32/Bagle.t@MM, PE_BAGLE.T, W32/Bagle-T, Win32.Bagle.T
When Beagle.T is executed, it performs the following actions:
- If the system clock's year is 2006 or later, the worm does the following:
- Deletes the keys:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
if they are present, so that W32.Beagle.T@mm does not restart when you start Windows.
- Quits all Beagle.T functions.
- Adds the value:
"directs.exe"="%System%\directs.exe"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
- Creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
- Creates the following files:
- %System%\directs.exe (a copy of the worm)
- %System%\directs.exeopen (a copy of the worm with some random data appended)
- Terminates the following processes, which include antivirus software, processes associated with other worms, and system utilities:
- AGENTSVR.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ......
- Attempts to delete the following values:
- 9XHtProtect
- Antivirus
- HtProtect
- ICQ Net
- ICQNet
- NetDy
- service
- Special Firewall Service
- Tiny AV
- Zone Labs Client Ex
from the registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Attempts to spread across file-sharing networks, such as KaZaA and iMesh, by copying itself into folders that contain the string "shar" in their names. The worm uses the following file names:
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- Matrix 3 Revolution English Subtitles.exe
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Office XP working Crack, Keygen.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Opera 8 New!.exe
- Porno pics arhive, xxx.exe
- Porno Screensaver.scr
- Porno, sex, oral, anal cool, awesome!!.exe
- Serials.txt.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- WinAmp 6 New!.exe
- Windown Longhorn Beta Leak.exe
- Windows Sourcecode update.doc.exe
- XXX hardcore images.exe
- Attempts to infect the .exe files on a computer. The infection routine is polymorphic and appends the worm to the file.
- Searches for email addresses in files with the following extensions:
- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml
- Opens a backdoor on TCP port 2556. If an attacker sends a specially formatted data message to the port, the worm will allow an arbitrary file to be downloaded to the %Windir% folder. This file will be saved as %Windir%\iuplda<x>.exe, where <x> is a random string of characters.
- Uses its own SMTP engine to send itself to the email addresses it collected. The worm contains its own MIME-encoding routine and composes the email in memory.
- Starts a Web server on TCP port 81. When a particular GET request is received, the worm replies with a .hta Web page containing Microsoft VBScript. The .hta file requests an executable file, which may be named sm.exe or q.exe, and then downloads and executes it.
- The worm will not send email messages to addresses containing any of the following strings:
- @avp.
- @foo
- @hotmail
- @iana
- @messagelab
- @microsoft
- @msn
- abuse
- admin
- anyone@
- ......
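An added example, not part of the original description and not a vendor tool: a Python triage helper that matches a host snapshot against the indicators listed above, namely the Ru1n persistence keys, the two files dropped in %System%, listening TCP ports 81 and 2556, and lure-named copies inside folders with "shar" in their names. The snapshot format and the sample values are constructed for illustration; on a live host the snapshot would be filled from registry, directory and netstat output.

```python
import os

# Indicators of Beagle.T as given in the description above.
PERSISTENCE_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n",
)
DROPPED_FILES = ("directs.exe", "directs.exeopen")  # both dropped in %System%
WORM_PORTS = {81, 2556}                              # web server and backdoor
SHARE_LURES = {  # subset of the file names the worm uses in "shar" folders
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe",
    "opera 8 new!.exe", "serials.txt.exe", "winamp 6 new!.exe",
}


def check_host(snapshot):
    """Match a host snapshot against the registry, file and port indicators.
    snapshot: dict with 'registry_keys' (existing key paths), 'system_files'
    (file names in %System%) and 'listening' (TCP ports in LISTEN state).
    Comparison is case-insensitive, as registry and NTFS names are."""
    keys = {k.lower() for k in snapshot["registry_keys"]}
    files = {f.lower() for f in snapshot["system_files"]}
    findings = []
    # The worm's key is "Ru1n" (digit one), a sibling of the legitimate "Run" key.
    findings += [f"persistence key present: {k}" for k in PERSISTENCE_KEYS if k.lower() in keys]
    findings += [f"dropped file in %System%: {f}" for f in DROPPED_FILES if f.lower() in files]
    findings += [f"worm port listening: tcp/{p}" for p in sorted(WORM_PORTS & set(snapshot["listening"]))]
    return findings


def find_share_lures(root):
    """Walk a directory tree and return lure-named files that sit directly in a
    folder whose name contains "shar", the worm's file-sharing drop criterion."""
    hits = []
    for dirpath, _subdirs, names in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            hits += [os.path.join(dirpath, n) for n in names if n.lower() in SHARE_LURES]
    return sorted(hits)


# Constructed sample snapshot (not real telemetry) so the script runs stand-alone.
SAMPLE_SNAPSHOT = {
    "registry_keys": {r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                      r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n"},
    "system_files": {"kernel32.dll", "directs.exe", "directs.exeopen"},
    "listening": {135, 445, 81, 2556},
}

if __name__ == "__main__":
    print(*check_host(SAMPLE_SNAPSHOT), sep="\n")
```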
How to Remove the Beagle.T Worm?
Kaspersky Internet Security can protect you from viruses and intrusions.
If Kaspersky detects Beagle.T during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
Follow these steps to remove the Beagle.T worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System Restore, read your Windows documentation or the following article: "How to disable or enable Windows Me/XP System Restore".
2. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run dialog box appears.)
- Type regedit, then click OK. (The Registry Editor opens.)
- Navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
- Delete the key: Ru1n
- Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- Delete the key: Ru1n
- Exit the Registry Editor.
- Restart the computer in Normal mode.
3. Updating the virus definitions
If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.
4. Run a full system scan and delete all the files detected as Beagle.T.
- Start your Kaspersky Internet Security and make sure that it is configured to scan all files.
- Run a full system scan.
- If any files are detected as infected with Beagle.T, click Delete.
5. Obtaining the Microsoft HotFix to correct the Microsoft Internet Explorer Object Tag vulnerability
Beagle.T is a worm that exploits the Microsoft Internet Explorer Object Tag vulnerability. To fix this, it is important to obtain the patch described in Microsoft Security Bulletin MS03-040.
Detection and Removal Instructions for Other Variants: