What is W32.Beagle.M@mm and how does it affect me?


Andrew
03-16-04, 09:46 PM
W32.Beagle.M@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address.

The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password.

W32.Beagle.M@mm also attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into the directories that contain "shar" in their names.

This variant also contains a file infection routine that infects portable executable files with a .exe extension.

Tara
03-16-04, 10:30 PM
I got 10 of them sent to me this evening!

Andrew
03-16-04, 10:32 PM
Yeah, this one is pretty virulent.

codeman38
03-16-04, 11:10 PM
Hm. Usually I get hit in droves by these things, but I've managed to avoid this particular infestation so far...

Personally, I think the worst part of these viruses is the insane amount of bandwidth wasted in downloading the infected e-mails...

Andrew
03-16-04, 11:19 PM
Agreed.

codeman38
03-16-04, 11:49 PM
Even worse are the mail servers which bounce virus-infected messages back to the apparent sender rather than simply rejecting them. Even worse if they actually leave the virus intact, as has been the case with a few servers I've received warnings from...

...Mrgh. As a web designer and programmer, I get very annoyed by these things. When will people learn not to open random executable attachments?

Andrew
03-16-04, 11:57 PM
Heh...I work in the security space, and people in my company should know better too, y'know?

HighFunctioning
03-19-04, 09:15 PM
It is quite insane at times. I wish system administrators actually knew more about virii. Virii in the form of PE/NE/LE executables are generally easy to identify. I seriously wouldn't trust anything that is unpacked on the fly. I am sure there are legitimate programs like this, but most aren't. Plus, if anyone sends a non-exe executable type (.lnk, .pif, etc.) that looks like an exe on the inside, it is obviously malicious. I tried to tell the sysadmin at my school this, but as usual, I am ignored.

Not that I would expect a normal user to do this, however, I would expect a sys admin to do this if they are unaware as to what the attachment really is, as opposed to simply claiming that the attachment seems a bit suspicious.

codeman38
03-20-04, 02:03 AM
HighFunctioning: Personally, I don't think Windows should be able to execute random non-.exe types as if they were actual .exe files-- that would prevent far too many of the virus exploits that are out there-- but I'm sure Microsoft probably has their reasons for allowing such behavior...

HighFunctioning
03-20-04, 03:46 PM
Well, they have been doing this for a while. If you look at edit.com, it is really an EXE instead of a plain core image. Microsoft OS's do not identify executable types by extension, but by a magic identifier (somewhat like UNIX, except the case of batch files). In Microsoft's case, it doesn't make sense as we already have an identifier (the extension) to determine the major executable type.

One possible real reason I could determine for such operation is to allow for the possibility of new executable types (whether binary or script) without having to come up with a new extension. Either that, or maybe they thought that they may as well check for any executable type as the binary loader has to check for other exe subtypes anyway (16-bit executables, for example, as all PE's are 32).
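
An added sketch (not from any poster in the thread) of the content-versus-extension check HighFunctioning describes for mail attachments: read the "MZ" magic and the PE/NE/LE signature from the bytes, then compare with the file name. The function names, the verdict strings and the `HONEST_EXTS` set are assumptions made for illustration, and the sample files are constructed stubs.

```python
import os
import struct

# Signatures located at the offset stored in the DOS header field e_lfanew (0x3C).
NEW_HEADER_SIGS = {b"PE\0\0": "PE", b"NE": "NE", b"LE": "LE"}
# Extensions that openly announce this kind of binary (assumed policy, adjust locally).
HONEST_EXTS = {".exe", ".dll"}


def exe_type(data: bytes):
    """Classify by content only: 'PE', 'NE', 'LE', 'MZ' (plain DOS EXE) or None."""
    if data[:2] != b"MZ":
        return None
    if len(data) < 0x40:            # too short to hold e_lfanew
        return "MZ"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    for sig, name in NEW_HEADER_SIGS.items():
        # Slicing past the end yields b"", so a bogus offset simply fails to match.
        if data[e_lfanew:e_lfanew + len(sig)] == sig:
            return name
    return "MZ"


def check_attachment(filename: str, data: bytes):
    """Return (verdict, type): an EXE image under another extension is flagged."""
    kind = exe_type(data)
    ext = os.path.splitext(filename.lower())[1]
    if kind is None:
        return ("no-exe-header", None)
    if ext in HONEST_EXTS:
        return ("executable", kind)
    return ("disguised-executable", kind)


def make_stub(sig: bytes) -> bytes:
    """Constructed sample: 0x40-byte DOS header whose e_lfanew points at sig."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + sig


if __name__ == "__main__":
    samples = {                      # constructed names and contents
        "invoice.pif": make_stub(b"PE\0\0"),
        "setup.exe": make_stub(b"PE\0\0"),
        "oldtool.com": make_stub(b"NE"),
        "notes.txt": b"plain text, no header",
    }
    for name, blob in samples.items():
        print(name, check_attachment(name, blob))
```

A mail gateway would run this on the decoded attachment bytes; it cannot see inside an encrypted archive.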

Sldr4Christ
03-20-04, 08:41 PM
That or just get a Mac... if you want security, and poor gaming... scripts, practically everything else except for graphic design.