-- Update January 23, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.
-- Update January 22, 2004 --
AVERT has received a slightly modified sample of this worm, which is detected with the same DATs and Engine as the initial variant. No field submissions of this modified sample have been received at the time of writing.
This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:
(address may be forged)
(random filename) 15,872 bytes
When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe
, and creates a registry key to load itself at system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
Two additional keys are created:
- HKEY_CURRENT_USER\Software\Windows98 "frun"
- HKEY_CURRENT_USER\Software\Windows98 "uid"
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.
The virus spoofs the sender address by using a harvested address in the FROM field. The first message sent by the virus uses the same harvested address in the TO and FROM fields. The second message is sent to a different address, while the FROM field remains the same. The third message is sent to a third address, and the FROM field contains the second address and so on.
The virus does not mass-mail itself to addresses that contain one of the following strings:
Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.