Virus Alert: W32.Beagle.AG@mm

W32.Beagle.AG@mm is a mass-mailing worm that uses its own SMTP engine to spread via e-mail and opens a back-door component on TCP port 1080 that lets attackers connect to the victim's computer without authorization.

Systems affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP

Release date: 19/7/2004

Description:

When executed, W32.Beagle.AG@mm performs the following actions:

  1. Deletes any value whose name contains one of the following strings:

    9XHtProtect
    Antivirus
    EasyAV
    FirewallSvr
    HtProtect
    ICQ Net
    ICQNet
    Jammer2nd
    KasperskyAVEng
    MsInfo
    My AV
    NetDy
    Norton Antivirus AV
    PandaAVEngine
    service
    SkynetsRevenge
    Special Firewall Service
    SysMonXP
    Tiny AV
    Zone Labs Client Ex

    ... from the keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  2. Creates the following files:

    %System%\winxp.exe
    %System%\winxp.exeopen
    %System%\winxp.exeopenopen
    %System%\winxp.exeopenopenopen
    %System%\winxp.exeopenopenopenopen

    Note: %System% is a variable; the worm locates the system directory and copies itself there. By default the system directory is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Drops the file winxp.exeopenopen into the system directory as %System%\winxp.exeopenopen (this can be a .zip or a .cpl file).

    • If the file is in .zip format, it contains two randomly named files: an .exe file and a text file with the extension .sys, .dat, .idx, .vxd, .vid, or .dll.

    • If the file is in .cpl format, the executable drops a file named cjector.exe into the %Windir% folder.

      Note: %Windir% is a variable; the worm locates the Windows installation directory and copies itself there. By default this is C:\Windows or C:\Winnt.

  4. Adds the value:

    "key" = "%System%\winxp.exe"

    ... to the following registry key so that the worm runs automatically at system startup:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  5. Opens a back door on TCP port 1080.

  6. Connects to .php scripts on a number of predefined domains (see the list at the end of the article).

  7. Terminates a number of processes (see the list at the end of the article).

  8. If the system date is 5/5/2006, the worm exits memory and deletes its own registry values and keys:

    HKEY_CURRENT_USER\SOFTWARE\base_path

  9. Attempts to copy itself into any directory whose name contains the string "shar", using the following file names:

    • ACDSee 9.exe

    • Adobe Photoshop 9 full.exe

    • Ahead Nero 7.exe

    • Kaspersky Antivirus 5.0

    • KAV 5.0

    • Matrix 3 Revolution English Subtitles.exe

    • Microsoft Office 2003 Crack, Working! .exe

    • Microsoft Office XP working Crack, Keygen.exe

    • Microsoft Windows XP, WinXP Crack, working Keygen.exe

    • Opera 8 New! .exe

    • Porno pics arhive, xxx.exe

    • Porno Screensaver.scr

    • Porn, sex, blowjob, anal cool, awesome !!

    • Serials.txt.exe

    • WinAmp 5 Pro Keygen Crack Update.exe

    • WinAmp 6 New! .exe

    • Windown Longhorn Beta Leak.exe

    • Windows sourcecode update.doc.exe

    • XXX hardcore images.exe

  10. Searches for e-mail addresses in files with the following extensions:

    • .adb

    • .asp

    • .cfg

    • .cgi

    • .dbx

    • .dhtm

    • .eml

    • .htm

    • .jsp

    • .mbx

    • .mdx

    • .mht

    • .mf

    • .msg

    • .nch

    • .ods

    • .oft

    • .php

    • .pl

    • .sht

    • .shtm

    • .stm

    • .bb

    • .txt

    • .in

    • .wab

    • .wsh

    • .xls

    • .xml

  11. Uses its own SMTP engine to send mail to every e-mail address it finds. The e-mails have the following characteristics:

    From: <spoofed>

    Subject:

    Message:

    • foto3 and MP3

    • fotogalary and Music

    • fotoinfo

    • Lovely animals

    • Animals

    • Predators

    • The snake

    • Screen and Music

      Attachments: (one of the following)

    • Cat

    • Cool_MP3

    • Dog

    • Doll

    • fish

    • Garry

    • MP3

    • Music_MP3

    • New_MP3_Player


      Attachment extension:

    • .exe

    • .cr

    • .com

    • .cpl

    • .zip (this will be password protected)
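A host-triage routine that looks for the indicators from steps 2 to 5 above (the dropped winxp.exe* files and cjector.exe, the "key" Run value pointing at %System%\winxp.exe, and a listener on TCP port 1080). This is an added example for defenders, not code from the original alert; the host snapshot it runs on is constructed sample data, and the netstat line format is assumed to be the usual "netstat -an" layout.

```python
import re

# Indicators quoted from the alert above (steps 2 to 5); nothing here is constructed.
DROPPED_FILES = {"winxp.exe" + "open" * n for n in range(5)}  # winxp.exe ... winxp.exeopenopenopenopen
RUN_VALUE_NAME = "key"          # value the worm adds under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RUN_VALUE_TARGET = "winxp.exe"  # its data is %System%\winxp.exe
CPL_DROPPER = "cjector.exe"     # written to %Windir% by the .cpl variant
BACKDOOR_PORT = 1080

def check_run_key(run_values):
    """run_values: {value_name: data} read from a Run key; flags the worm's autostart entry."""
    return [f"Run value {name!r} -> {data}" for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME and data.lower().endswith(RUN_VALUE_TARGET)]

def check_files(system_listing, windir_listing):
    """Case-insensitive match of %System% and %Windir% listings against the dropped file names."""
    hits = [f for f in system_listing if f.lower() in DROPPED_FILES]
    return hits + [f for f in windir_listing if f.lower() == CPL_DROPPER]

# Assumed 'netstat -an' layout: proto, local addr:port, foreign addr, state.
_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def check_listener(netstat_lines):
    """Report any TCP listener on the back-door port."""
    hits = []
    for line in netstat_lines:
        m = _LISTEN.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append(line.strip())
    return hits

def triage(run_values, system_listing, windir_listing, netstat_lines):
    """Run all checks; an empty list means none of the alert's indicators were seen."""
    return (check_run_key(run_values) + check_files(system_listing, windir_listing)
            + check_listener(netstat_lines))

# Constructed snapshot of an infected host, not real telemetry.
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe", "key": r"C:\WINDOWS\System32\winxp.exe"}
SAMPLE_SYSTEM32 = ["kernel32.dll", "WINXP.EXE", "winxp.exeopenopen", "cmd.exe"]
SAMPLE_WINDIR = ["explorer.exe", "cjector.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135        0.0.0.0:0       LISTENING",
    "  TCP    0.0.0.0:1080       0.0.0.0:0       LISTENING",
    "  TCP    192.168.1.5:1036   10.0.0.1:25     ESTABLISHED",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_SYSTEM32, SAMPLE_WINDIR, SAMPLE_NETSTAT):
        print("[!]", finding)
```

On a live host the three inputs would come from the Run keys named in steps 1 and 4, directory listings of %System% and %Windir%, and the output of netstat -an; a listener on 1080 alone is only a lead, since legitimate SOCKS proxies use the same port.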



Domain

W32.Beagle.AG@mm will attempt to connect to the following domains:




Process

W32.Beagle.AG@mm will attempt to terminate the following processes:


A removal tool for W32.Beagle.AG@mm can be downloaded here.