
Beagle Alert

infectionvectors.com

Updated March 2005

 

A worm of special interest to infectionvectors.com, Beagle has proven to be one of the most dangerous and effective mass mailers in Internet history. Beagle has shown the ability to spread via email, file shares, and parasitic executable infection.

 

Beagle.A was discovered in late January 2004 and was an immediate success, spreading across the globe with a very simple infection strategy: just sending the worm as an attachment to a plain email message. Over the course of the spring, Beagle ran up over two dozen variants and thousands of compromised hosts. 

 

Infectionvectors has published two in-depth reviews of Beagle and its development history; for details and commentary on the worm, see the first report, part two, and part three.

 

Beagle returned from a brief hiatus in early July 2004 with variants that attacked Internet hosts with a renewed ferocity. With even more success than previous versions, Beagle.X, AA, AB, and AO made special imprints on clients around the world, turning them into mail relaying robots. 

 

Beagle Worm Releases - October 2004

infectionvectors.com

 

Overview

 

The Beagle worm has been the subject of many infectionvectors.com reports over 2004 because of its well-designed features and great success. This report is an analysis of the worm’s latest incarnation; it covers multiple versions of the worm released in October of 2004.

 

As in previous reports concerning Beagle variants, all naming follows Symantec's cataloging (where possible) for consistency.

 

Beagle.AU

 

One of three versions discovered on October 29, Beagle.AU follows the successful pattern of its recent cousins: mass mail and file share vectors, wide distribution (seeding), and opening a relay on infected machines.

 

When Beagle.AU arrives, it carries an attachment with one of the following names:

    price
    Price
    Joke

appended with one of the following extensions:

    CPL
    COM
    EXE
    SCR

 

It selects one of the harvested email addresses to use as the From: field address and carries a message body of simply: “:))” or “:)”.

 

Beagle.AU uses the following subject lines:

    Re:
    Re: Hello
    Re: Hi
    Re: Thank you!
    Re: Thanks :)

 

Once executed, the attachment drops a copy of the worm (using the name “bawindo”), adds the startup hook to the “Run” key (see startup report for more info), and initiates the 7 “Netsky” mutexes that previous variants created (as well as removing the auto-start values from the Registry for these competitors). It carries a long list of security software process names, all of which it attempts to kill.

 

The worm attempts to download additional code from 172 addresses that are hard-coded into Beagle.AU. It uses the familiar list of names for copies that get dropped into any directory whose name contains the string “shar”.

 

Beagle.AU opens TCP 81 to allow remote control of the worm.

 

Beagle.AW

 

Discovered the same day, Beagle.AW adds a few new features to the worm. Instead of “bawindo,” the variant uses the name “wingo.” This version holds the same list of download URLs and the same process-killing list, and crafts the same email messages. Other functions, such as opening TCP 81, are the same as well.

 

Beagle.AW attempts to stop two Windows services: WSCSVC and SharedAccess. These are the Microsoft Security Service (the “Security Center” manager) and the Internet Connection Sharing (ICS) processes.

 

Beagle.AV

 

Also discovered October 29, 2004, this version of the worm appears to be the most widely seeded of the three, based on detection reports from Symantec.

 

Beagle.AV also uses the name “wingo” for the copy it drops in the Windows system directory. It is identical to Beagle.AU in functionality in every way except one: it selects an icon for the attachment at random from the local hard disk. This makes the worm even more difficult to warn users about, as there is no single icon (or even a finite set of icons) that a bulletin could point out.

 

This group of variants again demonstrates the author(s)' dedication to improving the quality (and thereby the success) of the viral product. Beagle will likely continue to push the packaging of mass mail worms, making user education all the more important as the virus slides past the static and heuristic filters in place to prevent it from entering the network.

 

Beagle Worm Releases January 2005

 

January's distributions followed the same pattern and functionality of late 2004: well-seeded, multiple variants with small changes (sometimes just repacked versions of worms), and each reached out to a server for additional code. The additional applications include password stealers and the newly released Formglieder. 

 

Update: March 1, 2005: Beagle.BG/BH

 

Two variants released on the first of March 2005 use familiar messages, attachment names, and subject fields; Beagle.AO from 2004 last used the "price" tags to entice users into executing attachments. 

 

The code released on March 1, 2005 more closely resembles the Mitglieder Trojan class of variants as it carries no propagation routine of its own. The code, however, appears to have been very widely seeded as reports continue to come in from all over the world. It arrives in an email with the following simple message:

 

Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
price<br><br>

<br>
</body></html>

This displays only the word "price" in an email client that renders HTML.
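The mail characteristics listed above for Beagle.AU (attachment names and extensions, subject lines, the ":)" bodies) and for the March 2005 message (the "new_price.zip" archive and the HTML body showing only "price") can be turned into a gateway check. The following Python is an added example written for this page, not code from infectionvectors.com; the sample messages it builds are constructed, and the sender and recipient addresses are placeholders.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the Beagle.AU and Beagle.BG/BH descriptions on this page.
AU_SUBJECTS = {"Re:", "Re: Hello", "Re: Hi", "Re: Thank you!", "Re: Thanks :)"}
AU_BODIES = {":))", ":)"}
AU_NAMES = {"price", "joke"}            # matched case-insensitively (price, Price, Joke)
AU_EXTS = {"cpl", "com", "exe", "scr"}
BG_ARCHIVE = "new_price.zip"
# Body quoted on the page for the March 2005 (BG/BH) message.
BG_HTML = "<html><body>\nprice<br><br>\n\n<br>\n</body></html>"

def visible_text(html):
    """Crude tag stripper: approximates what an HTML-capable client would display."""
    return re.sub(r"<[^>]+>", " ", html).split()

def classify(raw):
    """Return the Beagle indicators matched by one RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content().strip() if body_part else ""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if stem.lower() in AU_NAMES and ext.lower() in AU_EXTS:
            hits.append(f"beagle.au attachment {name}")
        if name.lower() == BG_ARCHIVE:
            hits.append(f"beagle.bg/bh archive {name}")
    if subject in AU_SUBJECTS and body in AU_BODIES:
        hits.append("beagle.au subject/body")
    if body_part is not None and body_part.get_content_type() == "text/html" \
            and visible_text(body) == ["price"]:
        hits.append("beagle.bg/bh html body")
    return hits

def build_sample(subject, body, filename, html=False):
    """Constructed test message, not a real capture; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "harvested-sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body, subtype="html" if html else "plain")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

The attachment test deliberately keys on the name-plus-extension pair rather than the extension alone, because the Beagle.AV icon trick described below leaves the file name as the only stable visible indicator.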

 

Although these versions of the code do not propagate, they pave the way for countless other infections by killing security software, deleting associated files/Registry keys, and establishing a process that checks with a long list of servers for another file to download ("zo2.jpg," saved as "_re_file.exe" and executed). As of this writing, none of the servers hard-coded into the worm appear to be up; that will likely change, as the author has waited several weeks in the past before posting the additional Trojans.
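Because the dropped process walks a long server list asking each for "zo2.jpg," an infected host stands out in proxy logs as a client requesting that one file name from many distinct servers, most of which fail. The following Python, an added example that is not code from the original page, flags that fan-out; the log format and the addresses in it are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (not a real capture), one request per line:
# "<timestamp> <client-ip> <method> <url> <status>"; status 000 means no reply.
SAMPLE_LOG = """\
2005-03-01T10:00:01 10.0.0.5 GET http://server-a.example/zo2.jpg 404
2005-03-01T10:00:02 10.0.0.5 GET http://server-b.example/zo2.jpg 503
2005-03-01T10:00:03 10.0.0.5 GET http://server-c.example/img/zo2.jpg 000
2005-03-01T10:00:04 10.0.0.7 GET http://photos.example/zo2.jpg 200
2005-03-01T10:00:05 10.0.0.9 GET http://news.example/index.html 200
"""

DOWNLOAD_NAME = "zo2.jpg"   # file name the March 2005 variants request, per the page

def parse(line):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}

def download_fanout(log_text, min_servers=2):
    """Clients that asked several distinct servers for the worm's download name.

    A single hit could be an unrelated image; the worm walks a long server list,
    so the distinct-server count per client is the signal worth alerting on."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        parts = urlsplit(rec["url"])
        if parts.path.rsplit("/", 1)[-1].lower() == DOWNLOAD_NAME:
            servers[rec["client"]].add(parts.hostname)
    return {c: sorted(h) for c, h in servers.items() if len(h) >= min_servers}
```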

 

Upon execution, the attachment (packed inside the ZIP archive "new_price.zip"; the initial sample received by infectionvectors.com was named "doc_43.exe") drops two files onto the local machine: the loader "winshost.exe" and a Trojan, "wiwshost.exe." Both files are dropped into the %SYSTEM% directory. Interestingly, while the loader is packed with the same compression type as the attachment (PE_Patch, although initially believed to be PeX 0.99), the Trojan is not packed at all. Both files are hooked in the Registry to autostart.

 

This version arrives inside a ZIP archive as a single application. This file uses an icon very similar to that of Windows Notepad.

See the Beagle.BG-BJ supplement (available in PDF), which outlines the propagation method and numerous other details of these Beagle/Mitglieder variants.

 

Copyright © 2004-2005 infectionvectors.com. All rights reserved.