SECURITY ALERT

Name:      W32.Beagle.A@mm
Aliases:   I-Worm.Bagle, W32/Bagle@MM, W32/Bagle-A, W32/Bagle.A@mm, WORM_BAGLE.A
Variants:  
Type:      Internet Worm, Remote Access
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by NAI, Symantec, and Trend Micro.

Virus Characteristics

W32.Beagle.A@mm is a mass mailing worm that arrives in an email and contains a remote access component. The email contains the following characteristics:

Subject:
Hi
Message:
Test =)
<Random characters>
--
Test, yep.
Filename:
<Random>.exe
Filesize:
15,872 bytes

Mass Mailer Component:

The worm harvests addresses from files with the following extensions and mails itself to those recipients. The sender address is spoofed, using another address found in the same files.

.wab
.txt
.htm
.html

This threat contains its own SMTP engine for propagation.
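The following mail-gateway triage routine is an added example, not code from the advisory or from any of the vendors named above. It applies the blanket rule of blocking .exe attachments and, separately, scores a message against the characteristics listed above (subject "Hi", a body framed by "Test =)" and "Test, yep." around a line of random characters, and a .exe attachment of 15,872 bytes). The sample messages, addresses and attachment names below are constructed for the demonstration and are not real samples.

```python
"""Mail-gateway triage for the message characteristics in the alert.
Added example; indicator values come from the alert, sample data is constructed."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BAGLE_SUBJECT = "hi"                 # compared case-insensitively
BAGLE_BODY_FIRST = "Test =)"
BAGLE_BODY_LAST = "Test, yep."
BAGLE_ATTACHMENT_SIZE = 15_872       # bytes, as stated in the alert


def body_lines(msg):
    """Non-empty, right-stripped lines of the text/plain body (empty if none)."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return []
    return [ln.rstrip() for ln in part.get_content().splitlines() if ln.strip()]


def attachments(msg):
    """Yield (filename, lowercase final extension, decoded size) per attachment."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        yield name, os.path.splitext(name)[1].lower(), len(data)


def triage(raw: bytes) -> dict:
    """Classify one raw RFC 822 message.

    Returns the verdict, the reasons for it, and whether the complete
    Beagle.A pattern (subject + body frame + sized .exe) was matched.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    exe_sizes = []
    for name, ext, size in attachments(msg):
        if ext == ".exe":            # blanket rule from the alert's measures
            reasons.append(f"blocked attachment type: {name}")
            exe_sizes.append(size)

    subject_hit = str(msg.get("Subject", "")).strip().lower() == BAGLE_SUBJECT
    lines = body_lines(msg)
    body_hit = (len(lines) >= 3 and lines[0] == BAGLE_BODY_FIRST
                and lines[-1] == BAGLE_BODY_LAST and "--" in lines)
    size_hit = BAGLE_ATTACHMENT_SIZE in exe_sizes
    bagle_match = subject_hit and body_hit and size_hit
    if bagle_match:
        reasons.append("matches W32.Beagle.A@mm message pattern")

    return {"verdict": "block" if reasons else "deliver",
            "reasons": reasons, "bagle_match": bagle_match}


def build_sample(subject, body, attach_name=None, attach_size=0):
    """Build a constructed test message (not a real sample) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"   # constructed address
    msg["To"] = "recipient@example.invalid"          # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # Dummy bytes of the requested size; this is not worm code.
        payload = b"MZ" + b"\x00" * max(attach_size - 2, 0)
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Hi", "Test =)\nqlkd8f7s\n--\nTest, yep.\n",
                             "fj38sd.exe", BAGLE_ATTACHMENT_SIZE)
    print(triage(worm_like))
    print(triage(build_sample("Meeting", "See you at three.\n")))
```

The .exe rule fires on its own, so a message is blocked even when the worm changes its subject or body; the pattern match is kept as a separate flag so that logs can distinguish "generic policy hit" from "this specific worm", which is useful when deciding whether to notify the recipient's administrator.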

Remote Access Component:

W32.Beagle.A@mm listens on TCP port 6777 for remote connections. Upon infection it attempts to notify the author that an infected system is awaiting commands by requesting a PHP script on remote sites taken from a list embedded in the worm. At the time of this writing it is unknown how many sites on the list actually host the script in question.


Payload

When executed, W32.Beagle.A@mm runs through the following routine:

1. Verifies that the system date is no later than Jan 28th, 2004. If the date is past Jan 28th, 2004, the worm exits.

2. Drops the file bbeagle.exe to the %system% directory. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Launches calc.exe.

4. Modifies/Creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"d3update.exe" = "%system%\bbeagle.exe"
HKEY_CURRENT_USER\Software\Windows98
"uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98
"frun" = "1"

5. The worm then scans the system for all files with the extensions .wab, .txt, .htm and .html, extracts email addresses from these files, and emails itself to all addresses found.

6. Accesses a website from a static list embedded in the body of the worm and requests a script called 1.php on that site.
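A host-side check for the artifacts listed in steps 1, 2 and 4 and for the listening port from the Remote Access section, as an added example that is not part of the advisory or of any vendor tool. It parses the plain-text output of the Windows commands `reg query` and `netstat -an` so it can be run offline against saved output; the sample output embedded below is constructed (the drive path, the "uid" value and the addresses are invented), while the key names, value names, file name, port and cut-off date are those stated in the alert. Value names containing spaces are not handled by the simple regex used here.

```python
"""Offline check of reg query / netstat -an output for Beagle.A artifacts.
Added example; indicator values come from the alert, sample output is constructed."""
import re
from datetime import date

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
RUN_VALUE_NAME = "d3update.exe"
DROPPED_FILE = "bbeagle.exe"
BACKDOOR_PORT = 6777
KILL_DATE = date(2004, 1, 28)        # step 1: worm exits after this date

# One value line of `reg query`: <name> <REG_type> <data>  (name without spaces)
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# One listening-socket line of `netstat -an` on Windows
NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING", re.I)

# Constructed sample output (not captured from a real host).
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\System32\ctfmon.exe
    d3update.exe    REG_SZ    C:\WINDOWS\System32\bbeagle.exe

HKEY_CURRENT_USER\Software\Windows98
    uid    REG_SZ    1497823
    frun    REG_SZ    1
"""

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
        elif current:
            m = VALUE_RE.match(line)
            if m:
                result[current][m["name"]] = m["data"].strip()
    return result


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ports.add(int(m["local"].rsplit(":", 1)[1]))
    return ports


def worm_runs_on(day):
    """Step 1 of the payload: the worm only proceeds up to and including KILL_DATE."""
    return day <= KILL_DATE


def find_indicators(reg_text, netstat_text):
    """Return a list of human-readable findings; empty means nothing matched."""
    reg = parse_reg_query(reg_text)
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    marker = reg.get(MARKER_KEY, {})
    if "uid" in marker or marker.get("frun") == "1":
        findings.append(f"marker key {MARKER_KEY} present: {marker}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening")
    return findings


if __name__ == "__main__":
    for f in find_indicators(REG_SAMPLE, NETSTAT_SAMPLE):
        print("FOUND:", f)
    print("worm still active on 2004-01-29:", worm_runs_on(date(2004, 1, 29)))
```

Because of the date check in step 1, a machine examined after Jan 28th, 2004 may show the registry values and the dropped file but no listener on port 6777; the registry and file artifacts are therefore the durable indicators, and the port check mainly matters for systems with a wrong clock.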


Preventative Measures

Block all incoming messages that contain attachments with a .exe extension.
Detection is currently available from all major anti-virus manufacturers.
Block access to the following sites:

www.elrasshop.de
www.it-msc.de
www.getyourfree.net
www.dmdesign.de
64.176.228.13
www.leonzernitsky.com
216.98.136.248
216.98.134.247
www.cdromca.com
www.kunst-in-templin.de
vipweb.ru
antol-co.ru
www.bags-dostavka.mags.ru
www.5x12.ru
bose-audio.net
www.sttngdata.de
wh9.tu-dresden.de
www.micronuke.net
www.stadthagen.org
www.beasty-cars.de
www.polohexe.de
www.bino88.de
www.grefrathpaenz.de
www.bhamidy.de
www.mystic-vws.de
www.auto-hobby-essen.de
www.polozicke.de
www.twr-music.de
www.sc-erbendorf.de
www.montania.de
www.medi-martin.de
vvcgn.de
www.ballonfoto.com
www.marder-gmbh.de
www.dvd-filme.com
www.smeangol.com


Fixes Available

Network Associates:
Minimum DAT: 4316
Release Date: Jan 18, 2004
Minimum Engine: 4.2.40

Symantec:
Virus Definitions (Intelligent Updater): Jan 18, 2004
Virus Definitions (LiveUpdate): Jan 18, 2004

Trend:
Pattern File: 729
Minimum Scan Engine: 5.200
