niko
Jul 20 2004, 02:41 PM
I've gotten several emails with the W32.Beagle.X@mm worm, and some new variants attached.
I grabbed a live one on my VirtualPC, dumped it and disassembled it, and I came up with mostly the same information as Symantec has about the virus:
It opens a TCP port on 1080. It attempts to contact a large list of websites - however, the list is like: <address>/o.php. Most sites don't have an "o.php", so I'm not sure what it's trying to do, unless it's simply trying to hide the "real" address in this list.
I found the code for the SMTP engine, etc, not too complicated.
What I'm trying to understand is how the virus gets emails - I'm thinking it perhaps scans files on the current user's computer? I'll look into that some more - but what I was also thinking is that 1080 port - perhaps it talks to these websites in some fashion as to report itself as existing on a certain IP, so the spammers know a new system to attach to?
I haven't gone thru the whole URL list it tries to contact just yet, I've been opening them in a browser to see what I get.
I ran a dfind scan on a class B subnet and did find one 1080 port open....
-niko
phrozen77
Jul 20 2004, 02:45 PM
just as a random guess... 1080/tcp is a well-used proxy port if i recall right... so what you found maybe was a proxy of some sort, also the port the worm opens could be a proxy, just connect to it and see what it does...
niko
Jul 20 2004, 02:51 PM
Yea, I'm thinking the 1080 port is definitely a proxy, I telnetted to it on my VirtualPC, and as soon as you type a character, it disconnects you, so obviously it watches for a magic value to come in first or something.
What I meant about the external website contacting, is possibly are they using the worm to contact certain websites in some fashion as to make the worm trackable? I mean an open port 1080 isn't much good if you don't know where the computer is ! So I'm thinking this list must be for tracking somehow.
| CODE |
W32.Beagle.AG@mm attempts to contact the following domains:
abtacha.wirebrain.de begros.de deepiceman.de dfk-crew.clanintern.de die-cliquee.de edwinf.surfplanet.de knecht.cs.uni-magdeburg.de login.rz.fh-augsburg.de niematec.de obechmann.de pe-data.de people-ftp.freenet.de people-ftp.freenet.de people-ftp.freenet.de ronnyackermann.de sgi1.rz.rwth-aachen.de symbit.de tripod.de web154.essen082.server4free.de web216.berlin240.server4free.de www.aachen.de www.abacho.de www.anwaltverein.de www.aquarius.geomar.de www.astronomie.de www.atlantis-show.de www.atlas-hannover.de www.awi-bremerhaven.de www.baden-wuerttemberg.de www.bayerninfo.de www.beck.de www.berlinonline.de www.bessy.de www.bitburger.de www.blk-bonn.de/ www.bmgs.bund.de www.brigitte.de www.bundesliga.de www.calistyler.de www.citypopulation.de www.dar-fantasy.de www.dasding.de www.degruyter.de www.destatis.de www.dortmund.de www.duden.de www.dwelle.de www.empire-show.de www.eumetsat.de www.europarl.de www.expo2000.de www.fernuni-hagen.de www.finanznachrichten.de www.firstgate.de www.frankfurt-airport.de www.frankfurter-buchmesse.de www.freiburg.de www.gantke-net.de www.gelbeseiten.de www.gtz.de www.gutenberg2000.de www.hannobunz.de www.heidelberg.de www.helmholtz.de www.hosteurope.de www.h-p-i.de www.immobilienscout24.de www.jugendherberge.de www.kabel1.de www.kalenderblatt.de www.karlsruhe.de www.king-alp.de www.king-alp.de www.klug-suchen.de www.kompetenznetze.de www.kompetenzz.de www.krebsinformation.de www.lords-of-havoc.de www.lufthansa.de www.lupo18t.de www.mathguide.de www.math-net.de www.mdirk.de www.medicine-worldwide.de www.meinestadt.de www.messe-duesseldorf.de www.messe-muenchen.de www.mohr.de www.monster.de www.munich-airport.de www.mupad.de www.murczak.de www.murczak.de www.niedersachsen.de www.nuernbergmesse.de www.onlinereviewguide.com www.pcwelt.de www.photokina.de www.rapz-records.de www.regtp.de www.renewables2004.de www.ruhr-uni-bochum.de www.saarbruecken.de www.saarland.de www.schaubuehne.de www.schulen-ans-netz.de www.slowfood.de www.staedtetag.de 
www.stellenmarkt.de www.stepstone.de www.stifterverband.de www.stricker-doerpen.de www.studentenwerke.de www.stufenlos-regelbar.de www.stuttgart.de www.stuttgarter-zeitung.de www.superstar-nord.de www.sysserver1.de www.szakos.de www.szakos.de www.testdaf.de www.tu-darmstadt.de www.tu-dresden.de www.tu-muenchen.de www.umweltbundesamt.de www.uni-bremen.de www.unibw-muenchen.de www.uni-duesseldorf.de www.uni-duisburg-essen.de www.uni-frankfurt.de www.uni-jena.de www.uni-mannheim.de www.uni-marburg.de www.uni-osnabrueck.de www.uni-tuebingen.de www.urlaubstage.de www.vwschubert.de www.webhits.de www.wiley-vch.de www.wissenschaft-online.de zeus05.de zille.cs.uni-magdeburg.de
|
It calls "/o.php" on all of these, which of course, does not exist on most, but I haven't tried them all.
I'm looking into its email gathering engine now (I guess it does scan your computer for addresses)
-niko
Jay
Jul 20 2004, 08:49 PM
| QUOTE |
| What I'm trying to understand is how the virus gets emails |
| QUOTE |
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
.wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm |
t0bban
Jul 20 2004, 09:53 PM
Damned virii and all, it's getting advanced

I'm lucky I'm updated with some new virus definitions..
Anyway, thanks for the posts, appreciate it. I'll look into this as well :-)
niko
Jul 21 2004, 12:54 AM
OK yea I got it running in my VPC , and sniffed the packets it sent out, loaded up some of my own email addresses too so I could capture the email on the other end.
Yeah this worm is pretty "advanced" - but it's easy to modify, I can see why there are so many variants out there.
-niko
TRi
Jul 22 2004, 01:45 PM
| QUOTE |
| What I meant about the external website contacting, is possibly are they using the worm to contact certain websites in some fashion as to make the worm trackable? I mean an open port 1080 isn't much good if you don't know where the computer is ! So I'm thinking this list must be for tracking somehow. |
| QUOTE |
heise security
Beagle worm cripples web servers [Update]
The current Beagle worm (AG, AH or AI, depending on the vendor) tries to fetch a page "o.php" from a whole series of web servers. Smaller sites in particular are by now having trouble handling the load of these requests and are unreachable or only barely reachable. Those affected report more than a hundred requests per second.
Arne Oberdieck, technical lead for the Schulen-ans-Netz server, recommends two measures: first, create an empty file "o.php". Serving it generates considerably less system load than the corresponding error message (404). He further advises beleaguered admins to disable the KeepAlive function in the server configuration, which lowers the system load even more. After these two changes, at least the Schulen-ans-Netz server was reachable again.
Update: The administrator of BerlinOnline.de has had similar success with the following addition to the Apache configuration:
<LocationMatch "^/o.php">
    Order Allow,Deny
    Deny from all
    # Apache 1.3 text-message syntax: a leading quote and no closing quote.
    # Apache 2.x expects a closed string, e.g. ErrorDocument 403 "Sorry"
    ErrorDocument 403 "Sorry
    SetEnv nokeepalive
    SetEnv downgrade-1.0
    SetEnv force-response-1.0
</LocationMatch>
Michael Stegmann of Network Design has redirected .php to ASP.NET on the IIS server he looks after. He likewise recommends returning an empty file instead of an error, since error documents (status 4xx) are not cached by proxies and caches. The following ASP code in "o.php" therefore deliberately sets a far-off expiry date.
<%@ Page Language="C#" Debug="false" EnableSessionState="false" EnableViewState="false" %>
<%
    Response.Clear();
    Response.ContentType = "text/plain";
    // Far-off expiry so proxies and caches keep serving this response
    // instead of hitting the server for every worm request.
    Response.Cache.SetExpires(DateTime.Now.AddDays(30));
    Response.Cache.SetCacheability(HttpCacheability.Public);
    Response.Write("not allowed");
%>
|
That o.php access is just a simple way to get down websites
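An added example for admins on the receiving end of the flood described in the heise article above (this is not code from the thread or from the article): it parses Apache combined-format access log lines, keeps the requests for /o.php, and reports per client IP how many arrived, at what rate, and with which status codes. That separates flood sources (most likely infected hosts) from incidental visitors and shows whether the server is still answering the worm with a 404 error document or with the cheap empty-file 200 the article recommends. The log lines are constructed for the demo and the IP addresses come from documentation ranges; the function names and the "combined" layout are assumptions.

```python
"""Find the Beagle "o.php" request flood in an Apache access log.

Added example for this thread, not code from the forum posts or from the
heise article. Parses combined-format access log lines, keeps only the
requests for /o.php, and reports per client IP how many arrived, at what
rate, and with which status codes. The log lines below are constructed for
the demo; the IP addresses are from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; assumption: the standard layout, no custom fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def ophp_report(lines, path="/o.php", min_hits=5):
    """Aggregate requests for `path` per client IP.

    Returns {ip: {"hits": n, "rate": n per second over that IP's first..last
    request window (at least one second), "statuses": {code: count}}} for each
    IP with at least `min_hits` requests; quieter clients are dropped.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != path:
            continue
        per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        window = max((times[-1] - times[0]).total_seconds(), 1.0)
        statuses = defaultdict(int)
        for r in recs:
            statuses[r["status"]] += 1
        report[ip] = {
            "hits": len(recs),
            "rate": len(recs) / window,
            "statuses": dict(statuses),
        }
    return report


def flood_sources(report, rate_threshold=1.0):
    """IPs whose /o.php request rate is at or above the threshold, busiest first."""
    hot = [ip for ip, r in report.items() if r["rate"] >= rate_threshold]
    return sorted(hot, key=lambda ip: report[ip]["rate"], reverse=True)


def _line(ip, ts, path, status, size):
    """Build one constructed combined-format line for the demo data."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/4.0"'


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    # 203.0.113.7: eight hits within two seconds, all still answered with a 404
    # error document; the pattern the article describes.
    *[_line("203.0.113.7", f"22/Jul/2004:13:45:0{s} +0200", "/o.php", 404, 291)
      for s in (0, 0, 0, 0, 1, 1, 2, 2)],
    # 198.51.100.23: six hits spread over a minute, answered with the empty
    # o.php (200, zero bytes) after the mitigation was applied.
    *[_line("198.51.100.23", f"22/Jul/2004:13:46:{s:02d} +0200", "/o.php", 200, 0)
      for s in (0, 12, 24, 36, 48, 59)],
    # 192.0.2.5: an ordinary visitor who touched /o.php once; below min_hits.
    _line("192.0.2.5", "22/Jul/2004:13:45:30 +0200", "/index.html", 200, 5120),
    _line("192.0.2.5", "22/Jul/2004:13:45:31 +0200", "/o.php", 404, 291),
]

if __name__ == "__main__":
    report = ophp_report(SAMPLE_LOG)
    for ip in flood_sources(report):
        r = report[ip]
        print(f"{ip}: {r['hits']} hits, {r['rate']:.1f}/s, statuses {r['statuses']}")
```

On a real server, feed it the access log one line at a time (for example `ophp_report(open("/var/log/apache/access.log"))`), raise `min_hits` to match the traffic volume, and use the per-IP statuses to confirm the empty-file mitigation is actually being served before deciding the flood is under control.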