W32.Beagle.CG@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.N. The worm also opens a back door on the compromised computer on TCP port 80 and lowers security settings.
When W32.Beagle.CG@mm is executed, it performs the following actions:
1. Copies itself as the following file:
%System%\windll2.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"erthegdr" = "%System%\windll2.exe"
to the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
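A host-side triage check for the persistence entry from steps 1 and 2, added here as an example and not part of the Symantec writeup. It parses a constructed `reg export`-style text of the two Run keys rather than the live registry, so it runs anywhere, and it goes slightly beyond the writeup by matching on the file name as well as the value name, so a renamed value pointing at windll2.exe is still caught.

```python
import re

# Constructed sample of a "reg export" of both Run keys (not from a real
# infected machine). Step 2 names the value "erthegdr" -> %System%\windll2.exe;
# the HKLM entry below deliberately uses a different value name, to show that
# matching on the file name catches it too.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"erthegdr"="C:\\WINDOWS\\System32\\windll2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\WINDOWS\\System32\\windll2.exe"
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_beagle_cg_persistence(reg_text):
    """Return (key, value name, data) for every Run value that matches the
    W32.Beagle.CG@mm indicators: value name 'erthegdr' or data naming windll2.exe."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if line.startswith("["):
            current_key = None  # some other key: ignore its values
            continue
        value = VALUE_RE.match(line) if current_key else None
        if not value:
            continue
        name = value.group(1)
        data = value.group(2).replace("\\\\", "\\")  # .reg files double backslashes
        if name.lower() == "erthegdr" or data.lower().endswith("\\windll2.exe"):
            hits.append((current_key, name, data))
    return hits
```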
3. Creates the following mutexes, which may prevent variants of W32.Netsky from executing:
* MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
* 'D'r'o'p'p'e'd'S'k'y'N'e't'
* _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
* [SkyNet.cz]SystemsMutex
* AdmSkynetJklS003
* ____--->>>>U<<<<--____
* _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
4. Deletes the following registry subkeys, some of which are security-related:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"My AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Zone Labs Client Ex"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"9XHtProtect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Antivirus"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Special Firewall Service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Tiny AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ICQNet"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"HtProtect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"NetDy"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Jammer2nd"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"FirewallSvr"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MsInfo"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SysMonXP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"EasyAV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PandaAVEngine"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Norton Antivirus AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KasperskyAVEng"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SkynetsRevenge"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ICQ Net"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Zone Labs Client Ex"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"9XHtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Special Firewall Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Tiny AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ICQNet"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NetDy"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Jammer2nd"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"FirewallSvr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MsInfo"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysMonXP"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"EasyAV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"PandaAVEngine"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Norton Antivirus AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KasperskyAVEng"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SkynetsRevenge"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ICQ Net"
5. Attempts to delete the following registry entries and exit, if the date is later than September 23, 2009:
HKEY_CURRENT_USER\Software\ewrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"erthegdr"
6. Opens a back door on TCP port 80, which may allow the compromised computer to act as a proxy server.
7. Attempts to access the following Web sites and download the file %Windir%\eml.exe:
* [http://]localhost/[REMOVED]/sss.php
* [http://]localhost/[REMOVED]/script2.php
* [http://]localhost/[REMOVED]/script3.php
* [http://]clickhare.com/[REMOVED]/web.php
* [http://]amerikansk-bulldog.dk/[REMOVED]/web.php
* [http://]eventpeopleforyou.com/[REMOVED]/web.php
* [http://]fyeye.com/[REMOVED]/web.php
* [http://]ligapichangueras.cl/[REMOVED]/web.php
* [http://]ekshrine.com/[REMOVED]/web.php
* [http://]directeenhuis.nl/[REMOVED]/web.php
* [http://]creacionesartisticasandaluzas.com/[REMOVED]/web.php
Note: At the time of writing, this file did not exist, but it is reported to contain various characteristics used for generating the emails.
8. Attempts to email a copy of Trojan.Tooso.N to the email addresses that may be contained in the downloaded file.
The email has the following characteristics:
From: Spoofed
Subject: Blank
Message:
One of the following:
* The password is
* Password:
* price
* new price
Attachment:
One of the following:
* price.zip
* price2.zip
* price_new.zip
* price_09.zip
* 09_price.zip
* newprice.zip
* new_price.zip
* new__price.zip
Note: The .zip file may contain an executable file, which may be a copy of Trojan.Tooso.N.
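A mail-gateway check for the message characteristics in step 8, added here as an example and not code from the Symantec writeup. It parses a constructed MIME message with Python's standard email library and flags a message only when all three traits (blank subject, one of the fixed lure bodies, one of the known attachment names) are present, since a blank subject or a one-word body alone is far too common to quarantine on.

```python
import email
from email import policy

# Lure strings and attachment names listed in step 8 of the writeup.
BEAGLE_CG_BODIES = {"The password is", "Password:", "price", "new price"}
BEAGLE_CG_ATTACHMENTS = {
    "price.zip", "price2.zip", "price_new.zip", "price_09.zip",
    "09_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}


def beagle_cg_traits(raw_message):
    """Parse one RFC 5322 message and return the W32.Beagle.CG@mm traits it shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    traits = []
    if (msg.get("Subject") or "").strip() == "":
        traits.append("blank subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if body in BEAGLE_CG_BODIES:
        traits.append("lure body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BEAGLE_CG_ATTACHMENTS:
            traits.append("known attachment name: " + name)
    return traits


def is_beagle_cg_mail(raw_message):
    # All three traits are required before a message is flagged.
    return len(beagle_cg_traits(raw_message)) >= 3


# Constructed sample in the shape the writeup describes; the zip content is a
# few dummy bytes, not a real sample.
SAMPLE_WORM_MAIL = """\
From: someone@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

new price
--b1
Content-Type: application/zip; name="price_09.zip"
Content-Disposition: attachment; filename="price_09.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""
```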
9. Avoids sending itself to addresses containing the following strings:
* @eerswqe
* @derewrdgrs
* @microsoft
* rating@
* f-secur
* news
* update
* anyone@
* bugs@
* contract@
* feste
* gold-certs@
* help@
* info@
* nobody@
* noone@
* kasp
* admin
* icrosoft
* support
* ntivi
* unix
* bsd
* linux
* listserv
* certific
* sopho
* @foo
* @iana
* free-av
* @messagelab
* winzip
* google
* winrar
* samples
* abuse
* panda
* cafee
* spam
* pgp
* @avp.
* noreply
* local
* root@
* postmaster@
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.cg@mm.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the following subkeys and, in each, delete the value "erthegdr":
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Exit the Registry Editor.