Description
Win32.HLLM.Beagle.57450 is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. It is packed with UPX compression utility.
It disseminates via e-mail and file-sharing networks. Sometimes it may arrive to computers as Zip-archive.
It opens port TCP\\\\\\\\ 2535 in the affected system, which leads to system’s compromising.
The worm terminates different security related programs.
Spreading
In search of mail addresses for its propagation the worm scans drives of the victimized machine. The files with the following extensions are revised:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
It avoids sending its viral copies to the addresses which have the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
The sender’s address is spoofed, or it may be one of the following:
lizie@
annie@
ann@
christina@
secretGurl@
jessie@
christy@
The subject is chosen from the following list of possible subjects:
Hello!
Hey!
Let\\\\\\\'s socialize, my friend!
Let\\\\\\\'s talk, my friend!
I\\\\\\\'m bored with this life
Notify from a known person ;-)
I like you
I just need a friend
I\\\\\\\'m a sad girl...
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
Hello %s,
Dear %s,
Dear %s,
It\\\\\\\'s me ;-)
Hi %s,
Hey %s,
It\\\\\\\'s me ->
Hi,
It\\\\\\\'s me %s,
Hey %s,
Hey,
Hi,
Hello,
I Like You!
where %s is a name The message body is composed from several parts. Part 1
Don\\\\\\\'t you remember me?
Kewl :-)
I need a friend...
I just want to talk with someone...
I like reading the books and socializing, let me talk with you...
It\\\\\\\'s time to find a friend!
Ready to accept a new friend? :-)
Like me, odore me! ;-)
I study at school, I like to spend time cheerfully even if not all
so well, I hompe and trust, that all bad when nibud will pass and necessarily
nastanet there would be a desire.
I like to feel protected, to understand, that near to me the man,
which both in sex, and in life knows what to do. It is possible to fall
in love with such the man for ever.
Cometime I write a poem, play the gitar. I love a traveling,
I like a romantice and I want to meet, comeday, my big love!
I am kind, fair, careful, gentle also want to create family.
I love animal (cats, dogs), the literature, theatre, cinema, music,
walks in park .
I very much love productive leisure, to prepare for new exotic
dishes, at leisure to leave with friends on the nature, to float,
I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.
I have recently got demobilize from army and also I am going to act
in a higher educational institution
Searching for the right person,for real man, who will really cares and
love me.
I am a honest, kind,loving,with good sense of humor...etc.,looking
for true love... or maybe for pen friend.I like cats.
I am looking for a serious relationship. I am NOT interested in
flirt and short-term love adventure.
I love, as the good company, and I dream about romantic appointment
at candles with loved. I still believe in love.
I like an active life... and interesting people...
i am honest, responsible, romantic person. iwould like to find my
only love,to find my destiny.
I\\\\\\\'m a young lady of 20 years old i\\\\\\\'d like to find my second part!!!
I am simple girl who are looking for serious relation with
responsible and confident man. I am ready to give all my love and
carering for a right person who is going to love and respect me
I am a beautiful, sexual girl with very big ambitions and dreams.
I can make happy anyone man...
I am a student. I\\\\\\\'m studying international relationships. I would
like to find an interesting and active man for serious relations.
Sitting at home it is not for me. I like to go out to the
theater, cinema, and nightclubs.
I love productive leisure, to travel, communicate with friends.
I very much love new acquaintances, I love music, meetings with
friends. I go on night clubs, except for parties I sometimes
visit theatres and I love cinema. In general I only shall be glad
to new acquaintance and class dialogue...
I\\\\\\\'m so bored, let me talk with you...
You are my prince :-)
You are cool :-)
Read the attach.
Your file is attached.
Part 2
More info is in attach
See attach.
Please, have a look at the attached file.
See the attached file for details.
Message is in attach
Here is the file.
For more information see the attached file.
Attached file will tell you everything.
For details see the attach.
Attached file tells everything.
Further details are in attach.
Part 3
Sincerely, %s
Best wishes, %s
Yours, %s
Have a good day, %s
Cheers, %s
Kind regards, %s
If the attached file is a ZIP-atchive, the message bidy may end with one of the following:
For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password to open archive.
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password -
Password:
Attachment:
Information
Details
Readme
Document
Info
Details
MoreInfo
Message
The extensions of the attachment may be .com, .cpl, .exe, .scr,.zip, .vbs or .hta.
The message body may also be accompanied with pictures of girls. The possible file names are:
Photo
image12
myphoto4
myphoto7
me3
me2
The worm can also spread across the shared resources. It scans the system in search of directories containing the string “shar” and copies itself there as follows:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr Serials.txt.exe
KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
Action
Будучи активированным, червь демонстрирует на экране дисплея окно с ложным сообщением об ошибке:
-
Заголовок: Error!
Текст: Can\'t find a viewer associated with the file
drvsys.exe drvsys.exeopen drvsys.exeopenopenЧтобы обеспечить свой запуск в пораженной системе червь вносит данные
drvsys.exe = \"%SysDir%\\drvsys.exe\"
в реестровую запись
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
В пораженной системе червь «слушает» порт TCP 2535. Чтобы сообщить своему создателю о проведенном инфицировании, червь предпринимает попытки установить связь со следующими сайтами:
http://www.spiegel.de/5.php http://www.leipziger-messe.de/5.php http://www.mobile.de/5.php http://www.neformal.de/5.php http://www.avh.de/5.php http://www.goethe.de/5.php http://www.degruyter.de/5.php http://www.heise.de/5.php http://www.autoscout24.de/5.php http://www.russische-botschaft.de/5.php http://www.bmbf.de/5.php http://www.berlinale.de/5.php http://www.hamann-motorsport.de/5.php http://Spaceclub.de/5.php http://www.fracht-24.de/5.php http://www.loveparade.de/5.php http://www.dalnoboyshik.de/5.php http://www.deutschland.de/5.php http://www.ac-schnitzer.de/5.php http://abakan.strana.de/5.php http://www.emis.de/5.php http://www.dwd.de/5.php http://www.ifdesign.de/5.php http://www.beckers-systems.de/5.php http://www.pri-wo-hamburg.de/5.php http://virtualzone.de/5.php http://www.mitsumi.de/5.php http://www.fu-berlin.de/5.php http://www.nabu.de/5.php http://www.tekeli.de/5.php http://www.welt.de/5.php http://www.gospel-nations.de/5.php http://www.neznakomez.de/5.php http://www.tecchannel.de/5.php http://www.php-resource.de/5.php http://www.windac.de/5.php http://www.gsi.de/5.php http://www.turism.de/5.php http://jakimov.golos.de/5.php http://www.www.mirko-becker.gmxhome.de/5.php http://vg.xtonne.de/5.php http://www.go-amman.de/5.php http://3treepoint.com/5.php http://www.restarted-alliance.de/5.php http://2udar.ligakvn.de/5.php http://www.sprach-zertifikat.de/5.php http://www.dfg.de/5.php http://www.kliniken.de/5.php http://www.winfuture.de/5.php http://www.hamburg.de/5.php http://www.auma.de/5.php http://www.teac.de/5.php http://www.eumetsat.de/5.php http://www.documenta.de/5.php http://hardvision.ru/5.php http://www.bruecke-osteuropa.de/5.php http://www.mk-motorsport.de/5.php http://www.bundesregierung.de/5.php http://ditec.um.es/5.php http://www.insel-ruegen-hotel.de/5.php http://www.tib.uni-hannover.de/5.php http://www.chugai.de/5.php http://www.blauer-engel.de/5.php http://www.partner-inform.de/5.php http://250x.com/5.php http://villakinderbunt.de/5.php http://s318.evanzo-server.de/5.php http://andimeisslein.de/5.php http://tobimayer.de/5.php http://markusgimenez.de/5.php http://www.fiz-karlsruhe.de/5.php http://www.gdch.de/5.php http://www.intermatgmbh.de/5.php http://www.hotel-pension-spree.de/5.php http://vg.xtonne.de/5.php http://www.low-spirit.de/5.php http://www.red-dot.de/5.php http://www.fernuni-hagen.de/5.php http://www.ruletka.de/5.php http://www.deutsch-als-fremdsprache.de/5.php http://www.uni-oldenburg.de/5.php http://fotos.schneider.bards.de/5.php http://www.deutsches-museum.de/5.php http://www.de-bug.de/5.php http://www.uni-stuttgart.de/5.php http://www.embl-heidelberg.de/5.php http://www.mdz-moskau.de/5.php http://www.mitsubishi-evs.de/5.php http://www.siegenia-aubi.com/5.php http://www.cicv.fr/5.php http://www.paromi.de/5.php http://www.jura.uni-sb.de/5.php http://www.exactaudiocopy.de/5.phpВ тексте червь содержится следующее послание:
UNIQUE PEOPLE MAKE UNIQUE THINGS
THAT THINGS STAY BEYOND THE NORMAL LIFE AND COMMON UNDERSTANDING
THE PROBLEM IS THAT PEOPLE DON\'T UNDERSTAND SUCH WILD THINGS,
LIKE A MAN DID NEVER UNDERSTAND THE WILD LIFE
-- Author of Bagle
Червь останавливает процессы, принадлежащие различным антивирусным программам, сетевым экранам и другим программам, связанным с вопросами обеспечения компьютерной безопасности:
OUTPOST.EXE NMAIN.EXE NORTON_INTERNET_SECU_3.0_407.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NSCHED32.EXE NTVDM.EXE NVARCH16.EXE KERIO-WRP-421-EN-WIN.EXE KILLPROCESSSETUP161.EXE LDPRO.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LSETUP.EXE CLEANPC.EXE AVprotect9x.exe CMGRDIAN.EXE CMON016.EXE CPF9X206.EXE CPFNT206.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE ICSSUPPNT.EXE DEFWATCH.EXE DEPUTY.EXE DPF.EXE DPFSETUP.EXE DRWATSON.EXE ENT.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE ESCANV95.EXE AVPUPD.EXE EXANTIVIRUS-CNET.EXE FAST.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FP-WIN_TRIAL.EXE FRW.EXE FSAV.EXE AUTODOWN.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE GBMENU.EXE GBPOLL.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HTLOG.EXE HWPE.EXE IAMAPP.EXE IAMAPP.EXE IAMSERV.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFW2000.EXE IPARMOR.EXE IRIS.EXE JAMMER.EXE ATUPDATER.EXE AUPDATE.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE BORG2.EXE BS120.EXE CDP.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE AUTOUPDATE.EXE CFINET.EXE NAVAPW32.EXE NAVDX.EXE NAVSTUB.EXE NAVW32.EXE NC2000.EXE NCINST4.EXE AUTOTRACE.EXE NDD32.EXE NEOMONITOR.EXE NETARMOR.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NISSERV.EXE NISUM.EXE CFIAUDIT.EXE LUCOMSERVER.EXE AGENTSVR.EXE ANTI-TROJAN.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATWATCH.EXE AVCONSOL.EXE AVGSERV9.EXE AVSYNMGR.EXE BD_PROFESSIONAL.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BOOTWARN.EXE NWINST4.EXE NWTOOL16.EXE OSTRONET.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PAVPROXY.EXE DRWEBUPW.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCDSETUP.EXE PCFWALLICON.EXE PCFWALLICON.EXE PCIP10117_0.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PF2.EXE AVLTMAIN.EXE PFWADMIN.EXE PINGSCAN.EXE PLATIN.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PROCEXPLORERV1.0.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE WGFE95.EXE WHOSWATCHINGME.EXE AVWUPD32.EXE NUPGRADE.EXE WHOSWATCHINGME.EXE WINRECON.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE CFINET32.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CMGRDIAN.EXE CMON016.EXE CPD.EXE CFGWIZ.EXE CFIADMIN.EXE PURGE.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAV8WIN32ENG.EXE REGEDT32.EXE REGEDIT.EXE UPDATE.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCN95.EXE RULAUNCH.EXE SAFEWEB.EXE SBSERV.EXE SD.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SMC.EXE SOFI.EXE SPF.EXE SPHINX.EXE SPYXX.EXE SS3EDIT.EXE ST2.EXE SUPFTRL.EXE LUALL.EXE SUPPORTER5.EXE SYMPROXYSVC.EXE SYSEDIT.EXE TASKMON.EXE TAUMON.EXE TAUSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS2-98.EXE TDS2-NT.EXE TDS-3.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE UNDOBOOT.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VFSETUP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCENU6.02D30.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBSCANX.EXE CFIAUDIT.EXE CFINET.EXE ICSUPP95.EXE MCUPDATE.EXE CFINET32.EXE CLEAN.EXE CLEANER.EXE LUINIT.EXE MCAGENT.EXE MCUPDATE.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGUI.EXE MINILOG.EXE MOOLIVE.EXE MRFLUX.EXE MSCONFIG.EXE MSINFO32.EXE MSSMMC32.EXE MU0311AD.EXE NAV80TRY.EXE ZAUINST.EXE ZONALM2601.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBSCANX.EXE CFIAUDIT.EXE CFINET.EXE ICSUPP95.EXE MCUPDATE.EXE CFINET32.EXE CLEAN.EXE CLEANER.EXE LUINIT.EXE MCAGENT.EXE MCUPDATE.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGUI.EXE MINILOG.EXE MOOLIVE.EXE MRFLUX.EXE MSCONFIG.EXE MSINFO32.EXE MSSMMC32.EXE MU0311AD.EXE NAV80TRY.EXE ZAUINST.EXE ZONALM2601.EXE ZONEALARM.EXE
После 25 января 2005 года червь прекратит свою деятельность.
