Worm W32.Beagle.DW@mm and variants
Original issue date: March 22, 2006
Updated: March 28, 2006
It has been observed that several variants of the Beagle worm reported earlier are spreading in the wild. Some of the variants are WORM_BAGLE.DQ (aliases W32.Beagle.DW@mm, W32/Bagle.gen, W32/Sality.M, Win32/Bagle.DZ), WORM_BAGLE.DF (aliases W32.Beagle.DW@mm, W32/Bagle.gen, W32/Sality.M, Win32/Bagle.DZ), WORM_BAGLE.EV (aliases W32.Beagle.DR@mm, W32/Bagle.ED@mm, W32/Bagle.gen, Win32/Bagle.DV), WORM_BAGLE.EN (aliases W32.Beagle.AA@mm, W32/Bagle, W32/Bagle.EC@mm, Win32/Bagle.AN), WORM_BAGLE.EF (aliases W32.Beagle.DN@mm, W32/Bagle.DY@mm, W32/Bagle.gen, Win32/Bagle.DT), WORM_BAGLE.CL (aliases Bloodhound.Beagle, W32/Bagle, W32/Bagle.DW@mm, Win32/Bagle.Variant!Worm, Win32/Kipis!generic), and WORM_BAGLE.EW (aliases Trojan.Lodear, W32/Bagle.EG@mm, W32/Bagle.dldr, Win32/Bagle).
These are mass-mailing worms which also propagate via peer-to-peer networks by dropping copies of themselves into folders whose names contain the string SHAR. These worms scan the compromised machine for email addresses and send copies of themselves to those addresses using their own SMTP engine. They avoid sending email to addresses which contain certain strings.
The copies of these worms are named after popular applications and actresses to entice users into downloading the file. Some of the variants display a fake error message upon execution to trick the user. These worms terminate antivirus and security-related processes. They look for an active Internet connection, access several websites and download malicious files.
Activities of these Beagle variants after execution
- Some of the variants display the message "Can't find a viewer associated with the file." to trick users into thinking that the program failed to execute.
- Drops the following files in the system folder:
lmovie.exe
lmovie.exeopen
lmovie.exeopenopen
WIN32LIB.EXE
WINDLL32LIB.EXE
windll32lib.exeopen
windll32lib.exeopenopen
lsamgr.exe
lsamgr.exeopen
lsamgr.exeopenopen
WINDSPL.EXE
WINDSPL.EXEOPEN
WINDSPL.EXEOPENOPEN
WINDSPL.EXEOPENOPENOPENOPEN
sysformat.exe
sysformat.exeopen
sysformat.exeopenopen
sysformat.exeopenopenopenopen
REGMAPING.EXE
REGMAPING.EXEOPEN
REGMAPING.EXEOPENOPEN
- Drops files such as vcualts32.exe, VCREMOVAL.DLL, Wimanager.exe, REGISP32.EXE, WINRESW.EXE in the Windows folder. Some of these files are detected as Trojans, such as TROJ_DLOADER.BOI.
- Creates a registry entry to enable its automatic execution at every system startup, such as:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MovieM" = "%System%\lmovie.exe"
- Creates a registry entry to add itself to the Windows Firewall exception list, such as:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{Malware path and file name} = "{Malware path and file name}:*:ipsec"
- Some variants, such as WORM_BAGLE.CL, modify the following registry entry to disable the Internet Connection Sharing (ICS) and Windows Firewall services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "dword:00000004"
Note: the default value is Start = "dword:00000003"
- Some variants, such as WORM_BAGLE.CL, modify the HOSTS file on the Windows system to prevent access to antivirus and security-related websites such as:
ca.com
f-secure.com
mcafee.com
msdn.microsoft.com
networkassociates.com
sophos.com
symantec.com
- Attempts to delete registry values associated with antivirus and security applications from registry subkeys such as:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: Some variants delete registry values associated with the NETSKY worm.
- Gathers email addresses from files with extensions such as .wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, etc.
- Uses its own SMTP engine to send email messages to any addresses found.
- The email message constructed by the worm carries an attachment with a name such as:
love_me.exe
mplay.exe
love_me_now.exe
documents.exe
explanation.exe
lawsuit.exe
Myscreenshot.exe
Proof.exe
Scam.exe
whois_info.exe
your_info.exe
Generated_bill.exe
Order_details.exe
Service_receipt.exe
(any of the following, with .EXE, .COM, or .SCR as extension name)
• Common
• Details
• fu{BLOCKED}_her
• Info
• Message
• MoreInfo
• www.cu{BLOCKED}nherface
• XXX_livebabes
• XXX_P{BLOCKED}noUpdates
• xxxP{BLOCKED}no
(any of the following with .ZIP as extension name)
• 21_price
• February_price
• guupd02
• Jol03
• new_price
• price
• pricelist
• siupd02
• upd02
• viupd02
• wsd01
• zupd02
The email message constructed by the worm uses a subject such as:
1. Come Be With Me, my Love!
2. Love you with all my heart!
3. My dream is coming true!
4. See you tonight!
5. Will You Be My Valentine?
6. Call to your lawer immidiately
7. Lawsuit against you
8. Pay your debts before we come to you
9. We wait your response
10. Phshing is illegal
11. Where did you learn to scam?
12. You are a criminal and will be busted!
13. You steal from innocent people
14. FREE OLYMPIC TICKETS LOTTERY!
15. 2006 Winter Games in Torino
16. 2006 Torino Winter Games FREE Tickets
17. Billing department,
18. order {random number}
19. Order Reminder: ID {random number}
20. Your receipt {random number}
21. Delivery by mail
22. Delivery service mail
23. Is delivered mail
24. Price
25. Registration is accepted
26. You are made active
27. Gwd: Changes..
28. Gwd: crypted document
29. Gwd: Document
30. Gwd: Fax Message
31. Gwd: Forum notify
32. Gwd: Hello :-)
33. Gwd: Hi
34. Gwd: Incoming message
35. Gwd: Incoming Message
36. Gwd: Incoming Msg
37. Gwd: Message Notify
38. Gwd: Msg reply
39. Gwd: Notification
40. Gwd: Protected message
41. Gwd: Protected message
42. Gwd: Site changes
43. Gwd: Text message
44. Gwd: Thank you!
45. Gwd: Thanks :)
46. Gwd: Update
47. Gwd: Yahoo!!!
- Attempts to copy itself to all folders containing the string SHAR by creating files such as:
anna benson sex video.exe
kate beckinsale nude pictures.exe
- Some of the variants create the following mutexes to aid their mass-mailing and downloading routines:
bagla_super_downloader_1000
smtp_bagla_1000
Note: Some variants create mutexes to prevent the NETSKY worm from executing on the affected system, such as:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
[SkyNet.cz]SystemsMutex
____--->>>>U<<<<--____
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
AdmSkynetJklS003
'D'r'o'p'p'e'd'S'k'y'N'e't'
- Some variants terminate processes such as LSAMGR.EXE.
- Attempts to download an updated copy of itself from the following URLs:
[http://]dook.zoo.by/darko/zor.php
[http://]debut.zoo.com/darko/50webs.%20./
[http://]bit.korzo.com/d%20/?id_valentine
[http://]ijj.t1035.com/?counter
[http://]200.81.16.147/.%20/pr\
Note: It also tries to access various sites such as http://www.ama{BLOCKED}.ru/zo2.jpg and http://www.ant{BLOCKED}yflanagan.com/zo2.jpg, which have reportedly been blocked. When a variant successfully connects to one of these URLs, it tries to download and execute a file named {Random numbers}.EXE in the Windows folder, and sometimes downloads other malware.
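The HOSTS-file tampering described above (WORM_BAGLE.CL pinning security-vendor domains) can be checked offline from a copy of the file. The following Python function is an added example, not part of the advisory or of any vendor tool; it parses HOSTS syntax (comments, tabs, several names per line), treats any entry for a listed domain or its subdomains as a finding, and runs against a constructed sample file.

```python
import ipaddress

# Security-vendor domains the advisory says WORM_BAGLE.CL pins in the HOSTS file.
WATCHED_DOMAINS = (
    "ca.com", "f-secure.com", "mcafee.com", "msdn.microsoft.com",
    "networkassociates.com", "sophos.com", "symantec.com",
)

def _matches_watched(hostname):
    """True if hostname equals a watched domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hosts_tampering(hosts_text):
    """Return (line_no, ip, hostname) for every HOSTS entry that maps a
    watched security domain to any address. A clean HOSTS file has no
    reason to carry entries for these domains, so every hit is a finding."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                 # whitespace: spaces or tabs
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # not an "ip hostname" entry
        for name in fields[1:]:               # one address may map several names
            if _matches_watched(name):
                findings.append((line_no, ip, name.lower()))
    return findings

# Constructed sample resembling a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com  liveupdate.symantec.com
127.0.0.1 sophos.com
0.0.0.0\tmcafee.com # tab-separated, trailing comment
127.0.0.1 msdn.microsoft.com
127.0.0.1 intranet.example.internal
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the intranet entry in the sample shows that unrelated local entries are left alone.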
In view of the rapid propagation and high damage potential of these Beagle variants, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at the gateway and desktop level
- Filter emails with the above-mentioned subject lines and attachment names at the gateway
- Block the URLs listed above which are accessed by these worms
- Keep up to date on patches and fixes for the operating system and application software
- Exercise caution while opening email attachments
For further details, refer to the following URLs:
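The gateway-filtering countermeasure above can be expressed directly from the subject and attachment lists in this advisory. The Python matcher below is an added example (not code from the advisory); it uses only a subset of the listed subjects and names to stay short, turns "{random number}" into a digit run, and applies the advisory's extension rules (.EXE/.COM/.SCR for the bare names, .ZIP for the archive names) to constructed sample messages.

```python
import re

# Subset of the subject lines quoted in the advisory; "{random number}"
# is the worm's variable part and becomes a run of digits when compiled.
SUBJECT_TEMPLATES = [
    "Lawsuit against you", "Pay your debts before we come to you",
    "FREE OLYMPIC TICKETS LOTTERY!", "Gwd: Incoming message",
    "order {random number}", "Order Reminder: ID {random number}",
    "Your receipt {random number}",
]
# Subset of the attachment names: fixed .exe names, bare names that the
# advisory says appear with .EXE/.COM/.SCR, and names that appear with .ZIP.
FIXED_EXE = {"love_me.exe", "lawsuit.exe", "proof.exe", "order_details.exe"}
BARE_NAMES = {"common", "details", "info", "message", "moreinfo"}
ZIP_NAMES = {"price", "pricelist", "new_price", "february_price", "upd02"}

def _compile(template):
    """Turn a literal subject (optionally containing {random number}) into an anchored regex."""
    parts = [re.escape(p) for p in template.split("{random number}")]
    return re.compile(r"^\s*" + r"\d+".join(parts) + r"\s*$", re.IGNORECASE)

SUBJECT_PATTERNS = [(t, _compile(t)) for t in SUBJECT_TEMPLATES]

def bagle_indicators(subject, attachments):
    """Return the reasons a message matches the advisory's indicators (empty
    list = no match). Case-insensitive because the worm varies casing between
    variants (e.g. 'Gwd: Incoming message' / 'Gwd: Incoming Message')."""
    reasons = []
    for template, pattern in SUBJECT_PATTERNS:
        if pattern.match(subject):
            reasons.append(f"subject matches '{template}'")
    for name in attachments:
        stem, _, ext = name.lower().rpartition(".")
        if name.lower() in FIXED_EXE:
            reasons.append(f"attachment {name} is a listed worm filename")
        elif stem in BARE_NAMES and ext in ("exe", "com", "scr"):
            reasons.append(f"attachment {name} is a listed name with executable extension")
        elif stem in ZIP_NAMES and ext == "zip":
            reasons.append(f"attachment {name} is a listed archive name")
    return reasons

# Constructed messages (not real captures) exercising the matcher.
SAMPLE_MESSAGES = [
    ("Order Reminder: ID 48213", ["Order_details.exe"]),
    ("Gwd: Incoming Message", ["Info.scr"]),
    ("Re: price list", ["price.zip"]),
    ("Quarterly report", ["report.pdf"]),
]
if __name__ == "__main__":
    for subj, atts in SAMPLE_MESSAGES:
        print(repr(subj), "->", bagle_indicators(subj, atts) or "clean")
```

Extending the sets with the remaining subjects and names from the lists above is a matter of adding literals; the matching logic stays the same.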
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EEF
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2ECL&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EDF&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EDQ&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EEN&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EEV&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EEW&VSect=P
http://www.symantec.com/avcenter/venc/data/bloodhound.beagle.html
http://www.symantec.com/avcenter/venc/data/w32.beagle.dw@mm.html
http://www.symantec.com/avcenter/venc/data/w32.beagle.dr@mm.html
http://vil.mcafeesecurity.com/vil/content/v_101164.htm
http://www.sophos.com/virusinfo/analyses/w32baglegen.html
http://www.precisesecurity.com/computer-virus/avbdn-feb006.htm
http://www.frsirt.com/english/virus/2006/01440
http://www.frsirt.com/english/virus/2006/01535
http://www.frsirt.com/english/virus/2006/01886
http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=124189
http://www.cert-in.org.in/virus/bagle-bj.htm
http://www.f-secure.com/v-descs/bagle_ge.shtml#summary
Removal tools:
http://www.microsoft.com/security/malwareremove/default.mspx
http://vil.nai.com/vil/stinger/
http://www.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
CME ID: CME-328
Revisions:
March 28, 2006: Additional information regarding Bagle.GE, references.
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91 11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003