Beagle
Type: Mass-mailer worm
Creator: unknown
Date Discovered: 2004.01.18
Source Language: Delphi
Platform: MS Windows
File Type(s): .exe, .pif, .zip*
Infection Length: 15,872 bytes
Reported Costs: $896 million

Beagle, also known as Bagle, is a large family of email worms with many variants. Beagle is notable in that many variants arrived as password-protected .zip files, with the password usually given in the body of the message.


Behavior

Beagle arrives in an email with a spoofed sender line: the alleged sender has an email address on the same domain as the recipient. The subject of the mail is "Hi" and the message body is "Test =)" followed by a string of random characters, with "Test, yep." at the end. The attachment name is a string of random letters with a .exe extension, and its icon often looks like the Windows Calculator.
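As an added example (not code from the original page), the following Python script scores a raw message against the four lure characteristics just described: sender domain equal to the recipient domain, subject "Hi", the "Test =)" ... "Test, yep." body, and a random-letter .exe attachment. The two sample messages are constructed for the demonstration, and the three-of-four match threshold is my own choice; a real mail gateway would feed it the raw RFC 5322 bytes of each inbound message.

```python
import email
import re
from email import policy

# Constructed sample matching the Beagle.A lure described on the page (not a real
# capture): spoofed sender on the recipient's own domain, subject "Hi", body
# "Test =)" + random characters + "Test, yep.", random-letter .exe attachment.
SAMPLE_POSITIVE = b"""From: accounts@example.org
To: alice@example.org
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Test =)
qwrtyplkjhgfdsazxcvbnm
Test, yep.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="hgfdsazx.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed benign message that shares only the subject line.
SAMPLE_NEGATIVE = b"""From: bob@partner.example
To: alice@example.org
Subject: Hi

Test =) just checking the new mail server works.
"""

# Attachment names made of letters only, 4 to 16 characters, ending in .exe.
RANDOM_EXE = re.compile(r"^[A-Za-z]{4,16}\.exe$")


def _domain(addr):
    """Return the lowercased domain part of an address header, or '' if absent."""
    _, _, dom = (addr or "").rpartition("@")
    return dom.strip(" >").lower()


def beagle_a_indicators(raw):
    """Score a raw RFC 5322 message against the Beagle.A lure characteristics.

    Returns the list of matched indicators (an empty list means no match).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if _domain(msg["From"]) and _domain(msg["From"]) == _domain(msg["To"]):
        hits.append("sender domain equals recipient domain")
    if (msg["Subject"] or "").strip() == "Hi":
        hits.append('subject "Hi"')
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if text.lstrip().startswith("Test =)") and "Test, yep." in text:
        hits.append('body "Test =)" ... "Test, yep."')
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RANDOM_EXE.match(name):
            hits.append(f"random-letter .exe attachment ({name})")
    return hits


def is_beagle_a_lure(raw, threshold=3):
    """True when at least `threshold` of the four indicators match (threshold is my choice)."""
    return len(beagle_a_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("positive", SAMPLE_POSITIVE), ("negative", SAMPLE_NEGATIVE)):
        print(label, is_beagle_a_lure(raw), beagle_a_indicators(raw))
```

The sender-domain check alone is weak (internal mail legitimately has matching domains), which is why the script combines it with the fixed subject and body strings and the attachment shape rather than acting on any single indicator.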

After execution, some variants of Beagle check the system date and do nothing if the date is past a certain cutoff (2004.01.28 for Beagle.A). If the clock on the infected computer is wrong and shows a date before the cutoff, the worm still runs and continues to spread from that computer.

It adds the file bbeagle.exe to the Windows system folder and launches calc.exe (the Windows Calculator). The worm then adds the value "d3dupdate.exe = (system folder directory)\bbeagle.exe" to the current user's registry key that causes programs to run automatically when the system starts. It may also add the values "uid = [Random Value]" and "frun = 1" to the registry key HKEY_CURRENT_USER\Software\Windows98.

The worm creates a listening thread on TCP port 6777. If a cracker sends a specially formatted message to the worm through this port, the worm will download an arbitrary file into the Windows system folder. Beagle also creates a thread that notifies a number of websites of the worm's presence every ten minutes.
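The two preceding paragraphs give three host-based indicators: the Run value named d3dupdate.exe pointing at bbeagle.exe, the uid/frun values under HKEY_CURRENT_USER\Software\Windows98, and a TCP listener on port 6777. As an added example (not code from the original page), this Python script checks constructed `netstat -an` output and a constructed .reg-style export for all three. The page only says "the current user's key that causes programs to run automatically", so the full path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run used below is my assumption, and both sample inputs are made up for the demonstration.

```python
import re

# Constructed sample of `netstat -an` output on a Windows host (not a real capture);
# one line shows a listener on TCP 6777, the port the page says the worm opens.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed .reg-style export of two per-user keys (not a real export). The Run
# key path is an assumption; the page only describes it as the per-user autostart key.
REG_SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"d3dupdate.exe"="C:\\WINDOWS\\SYSTEM32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="1234567"
"frun"="1"
"""

BEAGLE_PORT = 6777
LISTENER_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)
REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_reg_export(reg_text):
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only).

    .reg files escape backslashes in string data as "\\\\", which is undone here.
    """
    keys, current = {}, None
    for line in reg_text.splitlines():
        km = REG_KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2).replace("\\\\", "\\")
    return keys


def beagle_host_indicators(netstat_text, reg_text):
    """Return the list of host-based indicators from the page that are present."""
    hits = []
    if BEAGLE_PORT in listening_ports(netstat_text):
        hits.append(f"TCP listener on port {BEAGLE_PORT}")
    for key, values in parse_reg_export(reg_text).items():
        if key.lower().endswith(r"\currentversion\run"):
            data = values.get("d3dupdate.exe", "")
            if data.lower().endswith("bbeagle.exe"):
                hits.append(f"Run value d3dupdate.exe -> {data}")
        if key.lower() == r"hkey_current_user\software\windows98":
            if "uid" in values and values.get("frun") == "1":
                hits.append("HKCU\\Software\\Windows98 uid/frun values")
    return hits


if __name__ == "__main__":
    for hit in beagle_host_indicators(NETSTAT_SAMPLE, REG_SAMPLE):
        print("indicator:", hit)
```

On a live host the same functions can be fed the output of `netstat -an` and of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the Windows98 key); the port check is only meaningful while the worm process is running, whereas the registry values persist across reboots.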

It then scans for email addresses in files with the extensions .wab, .txt, .htm, and .html. It will not send itself to addresses containing any of the following strings:

  • .r1
  • @hotmail.com
  • @msn.com
  • @microsoft.com
  • @avp

Creator

The creator of the original Beagle is unknown, but one researcher points to Caesar2k of the group Nuclear Winter Crew, because his creation Titog was similar in that it shut down the same processes as the M variant of Beagle. Also, Caesar2k and other members of the group code in Delphi, the language Beagle was written in.

Name

Beagle gets its name from bbeagle.exe, the file name that the original and some subsequent variants of the Beagle worm drop into the system folder.

Antivirus Aliases

  • Avast!: Win32:Beagle
  • Avira: Worm/Bagle.A
  • CA: Win32.Bagle.A
  • ClamAV: Worm.Bagle.Gen-dll
  • Doctor Web: Win32.HLLM.Beagle.15872
  • Eset: Win32/Bagle.A
  • F-Prot: W32/Bagle.A@mm
  • F-Secure: Email-Worm.Win32.Bagle.fj [AVP]
  • Grisoft: I-Worm/Bagle.A
  • Kaspersky Lab: Email-Worm.Win32.Bagle.a
  • McAfee: W32/Bagle.a@MM
  • Norman: W32/Bagle.A@mm
  • Panda: W32/Bagle.A.worm
  • RAV: Win32/Bagle.A@mm
  • BitDefender: Win32.Bagle.A@mm
  • Sophos: W32/Bagle-A
  • Symantec: W32.Beagle.A@mm
  • Trend Micro: WORM_BAGLE.A
  • Vexira: Trojan.DL.Bagle

Variants

There are enough variants of Beagle to go through the alphabet several times; they go up to at least Beagle.GM. Typically they are around 20,000 bytes in length, but some are below 10,000 bytes while others are well above 100,000 bytes.

Beagle.P

The Beagle.P variant (the letter may differ between antivirus scanners), along with a few others, can infect computers without an attachment file in its email. The message contains an ActiveX control that creates and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses.

Beagle.DW

Some variants, including Beagle.DW, try to make the victim believe that he/she is being accused of being a criminal spammer or phisher, and that the attachment containing the worm holds alleged proof of the crime. The message containing the worm is one of the following three texts:

Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend

Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.

Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.

Sources

Gregg Keizer. InformationWeek, "Bagle Bullies Users Into Infections". 2006.03.02

Takayoshi Nakayama. Symantec.com, "W32.Beagle.DW@mm".

Larry Seltzer. eWeek.com, "New Bagle Worm Variant Can Run Without Launching Attachment". 2004.03.18

Jay Lyman. TechNewsWorld / Mac News, "Bagle.U Worm Spreads Despite Simplicity". 2004.03.26

Gary Warner. Birmingham Chapter of InfraGard, "Beagle Evolution: Observations on a Rapidly Changing Virus". 2004.04.13

HP ProCurve Networking, "Live Virus Testing with Virus Throttle Technology". 2008.07
