CAN20041101a
New Beagle Worm Variant in Wide Distribution
Beagle.AV Marks 48th Variant of Worm
Dates & Revisions
- Original CAN date: November 1, 2004
- Latest revision: November 1, 2004
Systems Affected
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Problem Overview
A new variant of the Beagle worm, known as Beagle.AV, has been discovered in the wild. Like the original Beagle worm, this variant can replicate itself so quickly that it can overload e-mail servers, but this newest variant also has the ability to stop anti-virus software from running on infected computers. Additionally, the Beagle.AV worm opens a backdoor into systems that do not protect TCP port 81 via a firewall, making it possible for a hacker to gain access to infected systems.
The Beagle.AV worm arrives as an e-mail attachment. Once that attachment is opened or executed, the worm quickly tries to send itself to most e-mail addresses it finds on the infected machine. The massive amounts of e-mail generated by this worm can overload e-mail servers and consume most of the Internet bandwidth available to the infected computer. E-mails generated by this worm will have spoofed "from" addresses so the true sender cannot be identified.
The Beagle.AV e-mail message appears as:
- From: Spoofed address (the sender in the "From" field is most likely not the real sender).
- Subject (contains one of the following lines):
  - Re:
  - Re: Hello
  - Re: Hi
  - Re: Thank you!
  - Re: Thanks :)
- Body (contains one of the following messages):
  - :))
- Attachment (one of the following file names with a .com, .cpl, .exe, or .scr file extension. Be aware that the file extension may not appear depending on your computer settings):
  - Price
  - price
  - joke
In some cases, the e-mail will include an attachment consisting of a small junk file (approximately 2000 bytes) instead of the worm itself.
If you receive such a message, do NOT open the attachment.
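The message traits listed above can be checked automatically when sweeping a mailbox or filtering at a mail gateway. The following Python code is an added example, not part of the original advisory. The function names, the case-insensitive matching and the quarantine rule (a listed attachment name plus at least one other trait) are assumptions of this example, and the sample messages are constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory text; matching is case-insensitive here,
# which is an assumption of this example, not something the advisory states.
SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BODY = ":))"
NAMES = {"price", "joke"}
EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}

def beagle_av_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().casefold() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if stem.casefold() in NAMES and ext.casefold() in EXTENSIONS:
            hits.append("attachment:" + stem + ext)
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Quarantine on a listed attachment name plus one more indicator."""
    hits = beagle_av_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

def build_message(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Re: Thanks :)", ":))", "joke.scr"),
                 ("Meeting notes", "See attached.", "notes.pdf")]:
        raw = build_message(*args)
        print(args[2], beagle_av_indicators(raw), should_quarantine(raw))
```

Because the subject lines are common in ordinary mail, the example never quarantines on the subject or body alone.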
Problem Details
For detailed technical descriptions of the problem, please
review the following links:
Please note that the organizations controlling the content of the web sites referenced by these links may periodically update the information on their sites as new details about the severity of the threat become known.
What Should I Do?
You should immediately:
- review the bulletins listed above,
- delete any such e-mail which you receive without opening the attachment, and
- update your anti-virus software with the latest available signature files.
What If I Am Unable To Fix The Problem?
If you are unable to correct these problems yourself or are unsure how to proceed, contact Logical Operators and arrange to have one of our service technicians check your system and apply the corrections for you (standard service fees will apply). In addition to correcting the problem(s) listed in this CAN, our technicians can also test your system for thousands of other known threats which may be present on your system, make valuable recommendations on securing your system from future threats, and perform numerous other computing services.