Description
Win32.HLLM.Beagle.15872 is a rather fast-spreading mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems.
The worm is written in a high-level programming language and is packed with . The packed size of the worm's program module is 15,872 bytes.
The worm mass-propagates via e-mail, sending its malicious copies to all the addresses retrieved from files with .txt, .htm, .html and .wab extensions.
The worm runs only when a user of the affected computer executes it manually.
The worm disguises its viral nature behind the icon of Calculator, a legitimate Windows application.
Once in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to establish connections with several web sites, the list of which is kept in the worm's code.
Launching
To secure its automatic execution at every Windows startup the worm adds the value
"d3update.exe" = "%SysDir%\BBEAGLE.EXE"
to the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and creates two more registry keys:
"frun"
"uid"
Spreading
The worm disseminates via e-mail using its own SMTP engine. It harvests addresses for propagation from the local Microsoft Windows address book and from files with .txt, .htm and .html extensions. Files containing the following strings are excluded from the search:
Subject: Hi
Message body:
Test =) [sequence of random characters] Test, yep.
The attachment name varies but always has the .EXE extension.
Attachment size: 15,872 bytes
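As an added example that is not part of the original description, the following Python check flags an incoming message that matches the lure described above (subject "Hi", a "Test =) ... Test, yep." body and a single .exe attachment of exactly 15,872 bytes), the kind of rule a mail gateway could apply. The sample message is constructed here, and the run of random characters is assumed to be arbitrary text.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: subject line, body pattern and
# packed attachment size.  The random run in the body is treated as any text.
BAGLE_SUBJECT = "Hi"
BAGLE_BODY_RE = re.compile(r"^Test =\)\s+.+?\s+Test, yep\.\s*$", re.DOTALL)
BAGLE_ATTACH_SIZE = 15872


def looks_like_bagle(raw_message: bytes) -> bool:
    """Return True when a raw RFC 822 message matches the worm's lure."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if (msg.get("Subject") or "").strip() != BAGLE_SUBJECT:
        return False
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not BAGLE_BODY_RE.match(body.get_content().strip()):
        return False
    # Any .exe attachment of exactly the packed size is enough to flag it.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe") and len(part.get_content()) == BAGLE_ATTACH_SIZE:
            return True
    return False


def build_sample(attachment_size: int, subject: str = "Hi") -> bytes:
    """Build a constructed test message in the worm's format (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Test =) kqzmrpx Test, yep.")
    # Placeholder attachment: inert zero bytes, sized like the packed worm.
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="aqzp.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(looks_like_bagle(build_sample(15872)))   # True
    print(looks_like_bagle(build_sample(15871)))   # False
```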
Action
When executed, the worm checks the current system date. If the system date is later than January 28, it terminates immediately. If the system date is on or before January 28, the worm launches calc.exe, a standard Windows application, and drops its copy BBEAGLE.EXE into the Windows\System folder (in Windows 9x/ME this is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32).
Once in a system, the worm listens on port 6777 and waits for instructions from a remote user. It also tries to establish connections with several web sites, the list of which is kept in the worm's code.