W32.Beagle.X@mm is a mass-mailing worm that attempts to spread through email and file-sharing networks. The worm also opens a backdoor on the infected computer. The threat is packed using UPX, and it appends random data to the end of itself, so it does not have a static MD5 value. When the worm runs, it displays a message box with the following text: Can't find a viewer associated with the file.

When W32.Beagle.X@mm is executed, it performs the following actions:

1. Displays this message: Can't find a viewer associated with the file.

2. Creates the following seven mutexes, which prevent some variants of W32.Netsky@mm from running:
   * MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   * 'D'r'o'p'p'e'd'S'k'y'N'e't'
   * _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   * [SkyNet.cz]SystemsMutex
   * AdmSkynetJklS003
   * ____--->>>>U<<<<--____
   * _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

3. Deletes any values that contain the following strings:
   * "My AV"
   * "Zone Labs Client Ex"
   * "9XHtProtect"
   * "Antivirus"
   * "Special Firewall Service"
   * "service"
   * "Tiny AV"
   * "ICQNet"
   * "HtProtect"
   * "NetDy"
   * "Jammer2nd"
   * "FirewallSvr"
   * "MsInfo"
   * "SysMonXP"
   * "EasyAV"
   * "PandaAVEngine"
   * "Norton Antivirus AV"
   * "KasperskyAVEng"
   * "SkynetsRevenge"
   * "ICQ Net"
   from the registry keys:
   * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Copies itself as %System%\Drvddll.exe.
   Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

5. Drops the file %System%\Drvddll.exeopen, which is a copy of the worm with random data appended.

6. Drops the file %System%\Drvddll.exeopenopen. This file will be a .zip file, .vbs file, .cpl file, .hta file, or the worm itself.
   One of the following actions will occur, depending on the file type:
   * If the file is a .zip file, it will contain two randomly named files. One will be an .exe file and the other will be a text file with a .sys, .dat, .idx, .vxd, .vid, or .dll extension.
   * If the file is a .vbs file and is executed, it will drop a file named vss_2.exe into the current folder.
   * If the file is a .cpl file and is executed, it will drop a file named cplstub.exe into the %Windir% folder. (%Windir% is the Windows folder, by default C:\Windows or C:\Winnt.)
   * If the file is a .hta file and is executed, it will drop a file named qwrk.exe into the current folder.

7. Drops the file %System%\Drvddll.exeopenopenopen. If Gdiplus.dll is present on the computer, this file will be a .jpg or .gif file. Otherwise it will be a .bmp file.

8. Drops the file %System%\Drvddll.exeopenopenopenopen, which is a text file containing six random characters.

9. If the system date is after January 25, 2005, the worm exits from memory and deletes its registry value, as well as the key:
   HKEY_CURRENT_USER\SOFTWARE\Time

10. Adds the value:
    "Drvddll_exe"="%System%\drvddll.exe"
    to the registry key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs each time the user logs on.

11. Opens TCP port 2535 as a backdoor, which allows unauthorized remote access to the infected computer.

12. Scans for fixed drives on the infected computer.

13. Attempts to create copies of itself in any folder on the infected computer whose name contains the characters "shar" (for example, the shared folders used by file-sharing programs).
    The files will have the following file names:
    * Microsoft Office 2003 Crack, Working!.exe
    * Microsoft Windows XP, WinXP Crack, working Keygen.exe
    * Microsoft Office XP working Crack, Keygen.exe
    * Porno, sex, oral, anal cool, awesome!!.exe
    * Porno Screensaver.scr
    * Serials.txt.exe
    * KAV 5.0
    * Kaspersky Antivirus 5.0
    * Porno pics arhive, xxx.exe
    * Windows Sourcecode update.doc.exe
    * Ahead Nero 7.exe
    * Windown Longhorn Beta Leak.exe
    * Opera 8 New!.exe
    * XXX hardcore images.exe
    * WinAmp 6 New!.exe
    * WinAmp 5 Pro Keygen Crack Update.exe
    * Adobe Photoshop 9 full.exe
    * Matrix 3 Revolution English Subtitles.exe
    * ACDSee 9.exe

14. Searches for email addresses in files that have the following extensions:
    * .wab
    * .txt
    * .msg
    * .htm
    * .shtm
    * .stm
    * .xml
    * .dbx
    * .mbx
    * .mdx
    * .eml
    * .nch
    * .mmf
    * .ods
    * .cfg
    * .asp
    * .php
    * .pl
    * .wsh
    * .adb
    * .tbb
    * .sht
    * .xls
    * .oft
    * .uin
    * .cgi
    * .mht
    * .dhtm
    * .jsp

15. Sends email messages to the addresses it found, using its own SMTP engine and contacting the destination server directly. The email will have the following characteristics:

    From:

    Subject: (one of the following)
    * Re: Msg reply
    * Re: Hello
    * Re: Yahoo!
    * Re: Thank you!
    * Re: Thanks :)
    * RE: Text message
    * Re: Document
    * Incoming message
    * Re: Incoming Message
    * RE: Incoming Msg
    * RE: Message Notify
    * Notification
    * Changes..
    * New changes
    * Hidden message
    * Fax Message Received
    * Protected message
    * RE: Protected message
    * Forum notify
    * Site changes
    * Re: Hi
    * Encrypted document

    Body: If the attachment is a .zip file, the body will contain one of the following messages:
    * For security reasons attached file is password protected. The password is
    * For security purposes the attached file is password protected. Password --
    * Note: Use password
    * Attached file is protected with the password for security reasons. Password is
    * In order to read the attach you have to use the following password:
    * Archive password:
    * Password
    * Password:
    followed by a copy of the image file dropped as Drvddll.exeopenopenopen (see step 7). If the attachment is not a .zip file, the body will be blank.

    Attachment: (one of the following)
    * Information
    * Details
    * text_document
    * Readme
    * Document
    * Info
    * the_message
    * MoreInfo
    * Message
    * You_will_answer_to_me
    * Half_Live
    * Counter_strike
    * Loves_money
    * Alive_condom
    * Joke
    * Toy
    * Nervous_illnesses
    * Manufacture
    * You_are_dismissed
    * Your_complaint
    * Your_money
    * Smoke
    * I_search_for_you

    Notes:
    * The attachment's extension will match the type of file dropped as Drvddll.exeopenopen. For example, if Drvddll.exeopenopen is dropped as a .zip file, the attachment will be a .zip file.
    * If Drvddll.exeopenopen is the worm itself, the extension will be .exe, .com, or .scr.

16. Attempts to contact a .php script at each of the following domains:
    * http:/ /www.spiegel.de/
    * http:/ /www.leipziger-messe.de/
    * http:/ /www.mobile.de/
    * http:/ /www.neformal.de/
    * http:/ /www.avh.de/
    * http:/ /www.goethe.de/
    * http:/ /www.degruyter.de/
    * http:/ /www.heise.de/
    * http:/ /www.autoscout24.de/
    * http:/ /www.russische-botschaft.de/
    * http:/ /www.bmbf.de/
    * http:/ /www.berlinale.de/
    * http:/ /www.hamann-motorsport.de/
    * http:/ /Spaceclub.de/
    * http:/ /www.fracht-24.de/
    * http:/ /www.loveparade.de/
    * http:/ /www.dalnoboyshik.de/
    * http:/ /www.deutschland.de/
    * http:/ /www.ac-schnitzer.de/
    * http:/ /abakan.strana.de/
    * http:/ /www.emis.de/
    * http:/ /www.dwd.de/
    * http:/ /www.ifdesign.de/
    * http:/ /www.beckers-systems.de/
    * http:/ /www.pri-wo-hamburg.de/
    * http:/ /virtualzone.de/
    * http:/ /www.mitsumi.de/
    * http:/ /www.fu-berlin.de/
    * http:/ /www.nabu.de/
    * http:/ /www.tekeli.de/
    * http:/ /www.welt.de/
    * http:/ /www.gospel-nations.de/
    * http:/ /www.neznakomez.de/
    * http:/ /www.tecchannel.de/
    * http:/ /www.php-resource.de/
    * http:/ /www.windac.de/
    * http:/ /www.gsi.de/
    * http:/ /www.turism.de/
    * http:/ /jakimov.golos.de/
    * http:/ /www.www.mirko-becker.gmxhome.de/
    * http:/ /vg.xtonne.de/
    * http:/ /www.go-amman.de/
    * http:/ /3treepoint.com/
    * http:/ /www.restarted-alliance.de/
    * http:/ /2udar.ligakvn.de/
    * http:/ /www.sprach-zertifikat.de/
    * http:/ /www.dfg.de/
    * http:/ /www.kliniken.de/
    * http:/ /www.winfuture.de/
    * http:/ /www.hamburg.de/
    * http:/ /www.auma.de/
    * http:/ /www.teac.de/
    * http:/ /www.eumetsat.de/
    * http:/ /www.documenta.de/
    * http:/ /hardvision.ru/
    * http:/ /www.bruecke-osteuropa.de/
    * http:/ /www.mk-motorsport.de/
    * http:/ /www.bundesregierung.de/
    * http:/ /ditec.um.es/
    * http:/ /www.insel-ruegen-hotel.de/
    * http:/ /www.tib.uni-hannover.de/
    * http:/ /www.chugai.de/
    * http:/ /www.blauer-engel.de/
    * http:/ /www.partner-inform.de/
    * http:/ /mhv24.de/
    * http:/ /villakinderbunt.de/
    * http:/ /s318.evanzo-server.de/
    * http:/ /andimeisslein.de/
    * http:/ /tobimayer.de/
    * http:/ /markusgimenez.de/
    * http:/ /www.fiz-karlsruhe.de/
    * http:/ /www.gdch.de/
    * http:/ /www.intermatgmbh.de/
    * http:/ /www.hotel-pension-spree.de/
    * http:/ /www.low-spirit.de/
    * http:/ /www.red-dot.de/
    * http:/ /www.fernuni-hagen.de/
    * http:/ /www.ruletka.de/
    * http:/ /www.deutsch-als-fremdsprache.de/
    * http:/ /www.uni-oldenburg.de/
    * http:/ /fotos.schneider.bards.de/
    * http:/ /www.deutsches-museum.de/
    * http:/ /www.de-bug.de/
    * http:/ /www.uni-stuttgart.de/
    * http:/ /www.embl-heidelberg.de/
    * http:/ /www.mdz-moskau.de/
    * http:/ /www.mitsubishi-evs.de/
    * http:/ /www.siegenia-aubi.com/
    * http:/ /www.cicv.fr/
    * http:/ /www.paromi.de/
    * http:/ /www.jura.uni-sb.de/
    * http:/ /www.exactaudiocopy.de/

17. Attempts to terminate processes with the following names (the list includes standard Windows tools such as MSCONFIG.EXE, NETSTAT.EXE, REGEDIT.EXE, REGEDT32.EXE, SFC.EXE, TASKMON.EXE and TRACERT.EXE, so these may exit immediately while the worm is running):
    * AGENTSVR.EXE
    * ANTI-TROJAN.EXE
    * ANTIVIRUS.EXE
    * ANTS.EXE
    * APIMONITOR.EXE
    * APLICA32.EXE
    * APVXDWIN.EXE
    * ATCON.EXE
    * ATGUARD.EXE
    * ATRO55EN.EXE
    * ATUPDATER.EXE
    * ATWATCH.EXE
    * AUPDATE.EXE
    * AUTODOWN.EXE
    * AUTOTRACE.EXE
    * AUTOUPDATE.EXE
    * AVCONSOL.EXE
    * AVGSERV9.EXE
    * AVLTMAIN.EXE
    * AVprotect9x.exe
    * AVPUPD.EXE
    * AVSYNMGR.EXE
    * AVWUPD32.EXE
    * AVXQUAR.EXE
    * BD_PROFESSIONAL.EXE
    * BIDEF.EXE
    * BIDSERVER.EXE
    * BIPCP.EXE
    * BIPCPEVALSETUP.EXE
    * BISP.EXE
    * BLACKD.EXE
    * BLACKICE.EXE
    * BOOTWARN.EXE
    * BORG2.EXE
    * BS120.EXE
    * CDP.EXE
    * CFGWIZ.EXE
    * CFIADMIN.EXE
    * CFIAUDIT.EXE
    * CFINET.EXE
    * CFINET32.EXE
    * CLEAN.EXE
    * CLEANER.EXE
    * CLEANER3.EXE
    * CLEANPC.EXE
    * CMGRDIAN.EXE
    * CMON016.EXE
    * CPD.EXE
    * CPF9X206.EXE
    * CPFNT206.EXE
    * CV.EXE
    * CWNB181.EXE
    * CWNTDWMO.EXE
    * DEFWATCH.EXE
    * DEPUTY.EXE
    * DPF.EXE
    * DPFSETUP.EXE
    * drvsys.exe
    * DRWATSON.EXE
    * DRWEBUPW.EXE
    * ENT.EXE
    * ESCANH95.EXE
    * ESCANHNT.EXE
    * ESCANV95.EXE
    * EXANTIVIRUS-CNET.EXE
    * FAST.EXE
    * FIREWALL.EXE
    * FLOWPROTECTOR.EXE
    * FP-WIN_TRIAL.EXE
    * FRW.EXE
    * FSAV.EXE
    * FSAV530STBYB.EXE
    * FSAV530WTBYB.EXE
    * FSAV95.EXE
    * GBMENU.EXE
    * GBPOLL.EXE
    * GUARD.EXE
    * GUARDDOG.EXE
    * HACKTRACERSETUP.EXE
    * HTLOG.EXE
    * HWPE.EXE
    * IAMAPP.EXE
    * IAMSERV.EXE
    * ICLOAD95.EXE
    * ICLOADNT.EXE
    * ICMON.EXE
    * ICSSUPPNT.EXE
    * ICSUPP95.EXE
    * ICSUPPNT.EXE
    * IFW2000.EXE
    * IPARMOR.EXE
    * IRIS.EXE
    * JAMMER.EXE
    * KAVLITE40ENG.EXE
    * KAVPERS40ENG.EXE
    * KERIO-PF-213-EN-WIN.EXE
    * KERIO-WRL-421-EN-WIN.EXE
    * KERIO-WRP-421-EN-WIN.EXE
    * KILLPROCESSSETUP161.EXE
    * LDPRO.EXE
    * LOCALNET.EXE
    * LOCKDOWN.EXE
    * LOCKDOWN2000.EXE
    * LSETUP.EXE
    * LUALL.EXE
    * LUCOMSERVER.EXE
    * LUINIT.EXE
    * MCAGENT.EXE
    * MCUPDATE.EXE
    * MFW2EN.EXE
    * MFWENG3.02D30.EXE
    * MGUI.EXE
    * MINILOG.EXE
    * MOOLIVE.EXE
    * MRFLUX.EXE
    * MSCONFIG.EXE
    * MSINFO32.EXE
    * MSSMMC32.EXE
    * MU0311AD.EXE
    * NAV80TRY.EXE
    * NAVAPW32.EXE
    * NAVDX.EXE
    * NAVSTUB.EXE
    * NAVW32.EXE
    * NC2000.EXE
    * NCINST4.EXE
    * NDD32.EXE
    * NEOMONITOR.EXE
    * NETARMOR.EXE
    * NETINFO.EXE
    * NETMON.EXE
    * NETSCANPRO.EXE
    * NETSPYHUNTER-1.2.EXE
    * NETSTAT.EXE
    * NISSERV.EXE
    * NISUM.EXE
    * NMAIN.EXE
    * NORTON_INTERNET_SECU_3.0_407.EXE
    * NPF40_TW_98_NT_ME_2K.EXE
    * NPFMESSENGER.EXE
    * NPROTECT.EXE
    * NSCHED32.EXE
    * NTVDM.EXE
    * NUPGRADE.EXE
    * NVARCH16.EXE
    * NWINST4.EXE
    * NWTOOL16.EXE
    * OSTRONET.EXE
    * OUTPOST.EXE
    * OUTPOSTINSTALL.EXE
    * OUTPOSTPROINSTALL.EXE
    * PADMIN.EXE
    * PANIXK.EXE
    * PAVPROXY.EXE
    * PCC2002S902.EXE
    * PCC2K_76_1436.EXE
    * PCCIOMON.EXE
    * PCDSETUP.EXE
    * PCFWALLICON.EXE
    * PCIP10117_0.EXE
    * PDSETUP.EXE
    * PERISCOPE.EXE
    * PERSFW.EXE
    * PF2.EXE
    * PFWADMIN.EXE
    * PINGSCAN.EXE
    * PLATIN.EXE
    * POPROXY.EXE
    * POPSCAN.EXE
    * PORTDETECTIVE.EXE
    * PPINUPDT.EXE
    * PPTBC.EXE
    * PPVSTOP.EXE
    * PROCEXPLORERV1.0.EXE
    * PROPORT.EXE
    * PROTECTX.EXE
    * PSPF.EXE
    * PURGE.EXE
    * PVIEW95.EXE
    * QCONSOLE.EXE
    * QSERVER.EXE
    * RAV8WIN32ENG.EXE
    * REGEDIT.EXE
    * REGEDT32.EXE
    * RESCUE.EXE
    * RESCUE32.EXE
    * RRGUARD.EXE
    * RSHELL.EXE
    * RTVSCN95.EXE
    * RULAUNCH.EXE
    * SAFEWEB.EXE
    * SBSERV.EXE
    * SD.EXE
    * SETUP_FLOWPROTECTOR_US.EXE
    * SETUPVAMEEVAL.EXE
    * SFC.EXE
    * SGSSFW32.EXE
    * SH.EXE
    * SHELLSPYINSTALL.EXE
    * SHN.EXE
    * SMC.EXE
    * SOFI.EXE
    * SPF.EXE
    * SPHINX.EXE
    * SPYXX.EXE
    * SS3EDIT.EXE
    * ST2.EXE
    * SUPFTRL.EXE
    * SUPPORTER5.EXE
    * SYMPROXYSVC.EXE
    * SYSEDIT.EXE
    * TASKMON.EXE
    * TAUMON.EXE
    * TAUSCAN.EXE
    * TC.EXE
    * TCA.EXE
    * TCM.EXE
    * TDS2-98.EXE
    * TDS2-NT.EXE
    * TDS-3.EXE
    * TFAK5.EXE
    * TGBOB.EXE
    * TITANIN.EXE
    * TITANINXP.EXE
    * TRACERT.EXE
    * TRJSCAN.EXE
    * TRJSETUP.EXE
    * TROJANTRAP3.EXE
    * UNDOBOOT.EXE
    * UPDATE.EXE
    * VBCMSERV.EXE
    * VBCONS.EXE
    * VBUST.EXE
    * VBWIN9X.EXE
    * VBWINNTW.EXE
    * VCSETUP.EXE
    * VFSETUP.EXE
    * VIRUSMDPERSONALFIREWALL.EXE
    * VNLAN300.EXE
    * VNPC3000.EXE
    * VPC42.EXE
    * VPFW30S.EXE
    * VPTRAY.EXE
    * VSCENU6.02D30.EXE
    * VSECOMR.EXE
    * VSHWIN32.EXE
    * VSISETUP.EXE
    * VSMAIN.EXE
    * VSMON.EXE
    * VSSTAT.EXE
    * VSWIN9XE.EXE
    * VSWINNTSE.EXE
    * VSWINPERSE.EXE
    * W32DSM89.EXE
    * W9X.EXE
    * WATCHDOG.EXE
    * WEBSCANX.EXE
    * WGFE95.EXE
    * WHOSWATCHINGME.EXE
    * WINRECON.EXE
    * WNT.EXE
    * WRADMIN.EXE
    * WRCTRL.EXE
    * WSBGATE.EXE
    * WYVERNWORKSFIREWALL.EXE
    * XPF202EN.EXE
    * ZAPRO.EXE
    * ZAPSETUP3001.EXE
    * ZATUTOR.EXE
    * ZAUINST.EXE
    * ZONALM2601.EXE
    * ZONEALARM.EXE

To reverse the changes made to the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Because the worm terminates REGEDIT.EXE and REGEDT32.EXE (step 17), perform this procedure in Safe Mode or after the worm process has been stopped.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   Then click OK. (The Registry Editor opens.)
3. Navigate to the key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
   "Drvddll_exe"="%System%\drvddll.exe"
5. Exit the Registry Editor.
6. Restart the computer in Normal mode.

Notes:
* On a computer whose clock is past January 25, 2005, the worm deletes this value itself (step 9), so its absence does not show that the computer was never infected.
* This procedure only removes the worm's startup entry. The files dropped in steps 4 through 8, the copies placed in folders whose names contain "shar" (step 13), and any process still listening on TCP port 2535 (step 11) must be dealt with separately.
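The writeup opens by noting that the worm appends random data to the end of itself, so no single MD5 identifies every copy. The following is an added example, not code from the writeup or from Symantec, showing the usual answer to that problem: hash only the PE image (headers plus every section's raw data) and ignore whatever follows the last section, so that copies differing only in their appended tail produce the same digest. The minimal PE that build_fake_pe() produces is constructed for the demo, is not a sample of the worm, and does not run.

```python
"""Overlay-independent hashing of a PE file.

Added example (not from the writeup or Symantec). Bytes past the end of the
last section are an "overlay" the Windows loader never maps; a worm that pads
itself with random bytes changes only that overlay. Hashing up to the overlay
offset therefore gives a stable digest. The PE built by build_fake_pe() is a
constructed, non-runnable stub used only to exercise the parser.
"""
import hashlib
import struct


def pe_overlay_offset(data: bytes) -> int:
    """File offset at which the PE image ends and any overlay begins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + opt_size      # first IMAGE_SECTION_HEADER
    end = section_table + 40 * num_sections   # never less than the headers
    for i in range(num_sections):
        hdr = section_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)    # SizeOfRawData, PointerToRawData
    return min(end, len(data))                # a truncated file has no overlay


def image_sha256(data: bytes) -> str:
    """SHA-256 over the PE image only; stable across appended random data."""
    return hashlib.sha256(data[:pe_overlay_offset(data)]).hexdigest()


def whole_file_sha256(data: bytes) -> str:
    """Conventional whole-file digest, which the appended data defeats."""
    return hashlib.sha256(data).hexdigest()


def overlay_size(data: bytes) -> int:
    return len(data) - pe_overlay_offset(data)


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 with one section holding `payload` (demo only)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                           # PE32 optional header, zeroed here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    raw_ptr = 0x200                           # first file-aligned slot after headers
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + payload


if __name__ == "__main__":
    base = build_fake_pe(b"packed code stub " * 8)
    for tail in (b"", bytes(range(57)), bytes(range(200))):   # constructed tails
        sample = base + tail
        print(f"overlay={overlay_size(sample):4d}  file={whole_file_sha256(sample)[:16]}"
              f"  image={image_sha256(sample)[:16]}")
```

On a real sample, compare image_sha256() across copies rather than the whole-file digest; a non-zero overlay_size() on a UPX-packed binary is itself worth noting in triage, since UPX does not normally leave data past its last section.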
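The subject, body-phrase, attachment-name and extension lists in step 15 are usable as mail-gateway or mailbox-triage indicators. The following is an added example, not code from the writeup or from Symantec, that applies them to parsed messages with Python's standard email package and reports which indicators fired; the two sample messages, the addresses in them and the image bytes are constructed for the demo. The individual indicators are weak on their own ("Password" in particular), so the point is the combination: a listed subject plus a listed attachment name plus a password phrase and an inline image is the pattern the writeup describes.

```python
"""Match a message against the W32.Beagle.X@mm mail characteristics.

Added example (not from the writeup or Symantec). The indicator lists are
transcribed from step 15; the sample messages below are constructed, and the
addresses in them are placeholders.
"""
import email
import os
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..",
    "New changes", "Hidden message", "Fax Message Received", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi",
    "Encrypted document",
}
ZIP_BODY_PHRASES = (
    "For security reasons attached file is password protected. The password is",
    "For security purposes the attached file is password protected. Password --",
    "Note: Use password",
    "Attached file is protected with the password for security reasons. Password is",
    "In order to read the attach you have to use the following password:",
    "Archive password:", "Password", "Password:",
)
ATTACHMENT_STEMS = {
    "Information", "Details", "text_document", "Readme", "Document", "Info",
    "the_message", "MoreInfo", "Message", "You_will_answer_to_me", "Half_Live",
    "Counter_strike", "Loves_money", "Alive_condom", "Joke", "Toy",
    "Nervous_illnesses", "Manufacture", "You_are_dismissed", "Your_complaint",
    "Your_money", "Smoke", "I_search_for_you",
}
ATTACHMENT_EXTS = {".zip", ".vbs", ".cpl", ".hta", ".exe", ".com", ".scr"}


def beagle_x_indicators(raw: bytes) -> set:
    """Return the set of step-15 indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    has_zip = False
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "image":
            hits.add("inline-image")          # the dropped image carrying the password
            continue
        stem, ext = os.path.splitext(part.get_filename() or "")
        ext = ext.lower()
        if stem in ATTACHMENT_STEMS and ext in ATTACHMENT_EXTS:
            hits.add("attachment-name")
        if ext == ".zip":
            has_zip = True
        elif ext in {".exe", ".com", ".scr"}:
            hits.add("executable-attachment")
    if has_zip:
        hits.add("zip-attachment")
        if any(phrase in body for phrase in ZIP_BODY_PHRASES):
            hits.add("zip-password-phrase")
    elif "attachment-name" in hits and not body.strip():
        hits.add("blank-body")                # non-zip variants send an empty body
    return hits


def build_sample(subject, body, filename, data, maintype, subtype, inline_image=False):
    """Construct a demo message; the addresses are placeholders, not real senders."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if inline_image:
        msg.add_attachment(b"GIF89a" + b"\0" * 16, maintype="image", subtype="gif",
                           filename="pass.gif", disposition="inline")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


SAMPLE_BEAGLE = build_sample("Re: Thank you!", "Archive password:", "Details.zip",
                             b"PK\x03\x04stub", "application", "zip", inline_image=True)
SAMPLE_BENIGN = build_sample("Re: Q3 budget", "Numbers attached, see tab 2.",
                             "report.pdf", b"%PDF-1.4 stub", "application", "pdf")

if __name__ == "__main__":
    for name, raw in (("beagle-like", SAMPLE_BEAGLE), ("benign", SAMPLE_BENIGN)):
        print(name, sorted(beagle_x_indicators(raw)))
```

Feed beagle_x_indicators() raw messages from a mail spool or a gateway quarantine and alert on three or more indicators; "zip-attachment" plus "zip-password-phrase" plus "inline-image" is the password-in-picture trick the writeup describes, which exists precisely so that a gateway cannot open the archive.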