Virus/Worm?

Bell1991

Programmer
Aug 20, 2003
386
US
I have a question regarding a worm I thought my friend had on their computer, called W32.Beagle.AR@mm (actually I have seen it called other names). Anyway, I keep getting emails from this individual, and I know the computer has not even been turned on for about a week, and I continue to get emails from them (about 5 a day). I suspect someone else has the worm/virus and somehow the return address is set up to be my friend's email. Does that make sense? Is there any way to find out who the email is really from, or make the emails stop?

Thanks,
-Bell
 
McAfee calls this one "W32/Bagle.az@MM", and you called it correctly. A third party has the virus, and it is spoofing the address fields.

Some info from their web site:

This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component
* copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

* Re:
* Re: Hello
* Re: Thank you!
* Re: Thanks :)
* Re: Hi

Body Text:

* :)
* :))

Attachment: (with an extension of .exe, .scr, .com or .cpl)

* Price
* price
* Joke

The virus copies itself into the Windows System directory as BAWINDO.EXE. For example:

* C:\WINDOWS\SYSTEM32\bawindo.exe

It also creates other files in this directory to perform its functions:

* C:\WINDOWS\SYSTEM32\bawindo.exeopen
* C:\WINDOWS\SYSTEM32\bawindo.exeopenopen

The following Registry key is added to hook system startup:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

* 'D'r'o'p'p'e'd'S'k'y'N'e't'
* _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
* [SkyNet.cz]SystemsMutex
* AdmSkynetJklS003
* ____--->>>>U<<<<--____
* _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm opens port 81 (TCP) and a random UDP port on the victim machine.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
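Added example for this thread (not code from the original posts and not McAfee's write-up): the practical answer to "who is the email really from" is that the From: line carries no information, but the Received: lines each relay prepends do. The script parses a constructed sample message (the hostnames and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders, not real relays), walks the Received: chain back to the oldest entry, which names the host that handed the message to the first relay, and flags the subject, body and attachment indicators McAfee lists above.

```python
"""Trace where a From:-spoofed mass-mailer message really entered the mail system.

Added example; the sample message is constructed and its hosts/IPs are placeholders.
"""
import email
import re
from email import policy

# Indicators copied from the McAfee description quoted in the thread.
BAGLE_SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BAGLE_BODIES = {":)", ":))"}
BAGLE_ATTACH_NAMES = {"price", "joke"}
BAGLE_ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}

# "from <helo-name> (<rdns> [<ip>])" as most MTAs write it into Received:.
RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: From: claims to be the friend, but the oldest Received:
# line (written by the first relay, mx.example.net) shows an unrelated host
# handing the message in over plain SMTP, as a worm's built-in engine would.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <bell@example.org>; Wed, 20 Aug 2003 09:12:01 -0400
Received: from attacker-pc (unknown [198.51.100.77])
\tby mx.example.net with SMTP id xyz789; Wed, 20 Aug 2003 09:11:58 -0400
From: friend@example.com
To: bell@example.org
Subject: Re: Hello
Message-ID: <a1@attacker-pc>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

:)
--B
Content-Type: application/octet-stream; name="price.exe"
Content-Disposition: attachment; filename="price.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B--
"""


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Received: lines oldest first (each relay prepends its own, so reverse)."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def injection_point(msg):
    """Host and IP from the oldest Received: line: the machine that handed the
    message to the first relay.  That, not From:, says where it came from."""
    chain = received_chain(msg)
    if not chain:
        return None
    m = RECEIVED_FROM_RE.search(chain[0])
    if not m:
        return None
    ip = IP_RE.search(m.group(2) or "")
    return {"host": m.group(1), "ip": ip.group(1) if ip else None}


def from_is_spoofed(msg):
    """Weak heuristic: the injecting host is not inside the From: domain."""
    inj = injection_point(msg)
    if inj is None:
        return False
    domain = msg["From"].addresses[0].domain.lower()
    return not inj["host"].lower().endswith(domain)


def bagle_indicators(msg):
    """Match subject, body text and attachment name against the published lists."""
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in BAGLE_SUBJECTS:
        hits.append(f"subject {subject!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.rpartition(".")
            if stem.lower() in BAGLE_ATTACH_NAMES and "." + ext.lower() in BAGLE_ATTACH_EXTS:
                hits.append(f"attachment {filename!r}")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in BAGLE_BODIES:
                hits.append(f"body {part.get_content().strip()!r}")
    return hits


def analyze(raw: bytes) -> dict:
    msg = parse(raw)
    return {
        "claimed_from": msg["From"].addresses[0].addr_spec,
        "injection_point": injection_point(msg),
        "from_spoofed": from_is_spoofed(msg),
        "indicators": bagle_indicators(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add. First, only trust Received: lines written by relays you know; the worm's own SMTP engine can emit fake ones below the genuine ones, so read the chain from your own server downward and stop at the first line you cannot vouch for. Second, finding the injecting IP tells you which machine (or which ISP's customer) is infected, which is what you need to get the mail stopped by reporting it to that network's abuse contact; in the meantime the indicator match above is enough to drop these messages at your own mail filter.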
 