The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

CME-473: Beagle/Bagle worm variant (11/22/2004)

CME-473: Beagle\Bagle worm variant

Date added to list: 11/22/2004


Removal Tools:

Virus Characteristics(from sources above):

  1. Creates these files :
    • %System%\wingo.exe
    • %System%\wingo.exeopen
    • %System%\wingo.exeopenopen
  2. May also create these files:
    • %System%\wingo.exeopenopenopen
    • %System%\wingo.exeopenopenopenopen
  3. Creates the following Registry key
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Run “wingo” = C:\WINNT\SYSTEM32\WINGO.EXE
  4. Adds the value
    • “Timekey” = “[Random variables]” to HKEY_CURRENT_USER\Software\Microsoft\Params
  5. Termitates processes of security programs
  6. Tries to download and run that %System%\re_file.exe file from various websites coded into the virus.
  7. Searches the hard disk for folders containing the string “shar” and copies various files that are infected with the virus as to spread through peer-to-peer networks
  8. Tries to stop operating system services:
    • SharedAccess” – Internet Connection Sharing
    • “wscsvc” – MS security center
  9. Opens backdoors on TCP port 81
  10. Deletes values from the Run section of the Registry, pertaining to certain security programs, to prevent them from running at startup
  11. Searches for e-mail addresses contained in various files located on infected computer.
  12. Use its own built in SMTP server to send e-mails with spoofed addresses that it found on the infected computer, but skipping some with that contain certain strings. These e-mails have a .com, .cpl, .exe, or, . scr file extension and are infected by the virus.
  13. Also deletes registry entires related to the Netsky virus, and creates mutexes to keep that virus from running and to keep multiple copies of itself from running.

Trend Micro Behavior Diagram
Trend Micro Behavior Diagram

Please report in errors or broken links in the comments section.


November 29, 2005 Posted by | CME Listings | Leave a comment