Alias:W32.Beagle.V
Type:Worm 
Size:8,208 Bytes 
Origin:unknown 
Date:03-28-2004 
Damage:Sent by email 
VDF Version:6.23.00.71 
Danger:Low 
Distribution:Medium 

DistributionThe worm searches for email addresses on the local drives, in files with extensions:

- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp

Then, the worm spreads by email, sending itself to the addresses it found. The email Subject and Body are empty. The Attachment is a copy of the worm, named game.exe.

It avoids to send emails to addresses containing:
- @avp
- @microsoft.

Technical DetailsWhen run, the worm copies itself in %SystemDIR%\syinfo.exe and makes the following registry entry, to be activated by the next system start:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"sysinfo.exe"="%SystemDIR%\sysinfo.exe"

Then it makes the entry:

HKEY_CURRENT_USER\SOFTWARE\Windows2005

The worm also opens TCP Port 4751, so files can be downloaded and run. Then it tries to run the file Dredr.exe, if found on the infected computer. The worm tries to announce the infection further to a webserver.If the worm meets a 2005 system date or a later date, it terminates immediately all its procedures and makes no entry.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .