Released: March 4, 2004
Description of the W32.Beagle.K@mm worm
The W32.Beagle.K@mm worm is:
- Is a variant of W32.Beagle.J@mm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
- Sends the attacker the port on which the backdoor listens, as well as the IP address.
- Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.
||Spoofed to appear as though it's coming from the one
of the following addresses at the recipient's domain, including
management@ administration@ staff@ noreply@ and support@ etc.|
||Random (may contained the following subjects) like:
E-mail account disabling warning.
E-mail account security warning.
Email account utilization warning.
Important notify about your e-mail account.
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Warning about your e-mail account.
||May contain the following message:
- Dear user of some_domain,
- Dear user of e-mail server "some_domain",
- Hello user of some_domain e-mail server,
Followed by one of the following paragraphs:
Your e-mail account has been temporary disabled because of unauthorized access.
- Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
- Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
A randomly named .exe file, stored inside a .zip file,
or a .pif file. The .zip file may be password-protected,
though Symantec antivirus products will detect these files.
File with the following names: Attach, Information,
Readme, Document, Info, TextDocument, TextFile, MoreInfo or
Please note that the W32.Beagle@mm worm is also known by other names,
including Win32.Bagle.K, Bagle.K, W32/Bagle.k@MM, W32/Bagle.K.worm,
W32/Bagle-K, Worm_Bagle.K etc.
More information and removal instructions
More about W32.Beagle@mm from Symantec