W32.Beagle.K@mm is a variant of W32.Beagle.J@mm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. W32.Beagle.J@mm also attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.
The email has the following characteristics:
From: spoofed to appear as though it's coming from one of the following addresses at the recipient's domain: management, administration, staff, noreply, support
Attachment: A randomly named .exe file inside a .zip file, or a .pif file. The .zip file will be password-protected.
Also Known As: Win32.Bagle.K [Computer Associates], Bagle.K [F-Secure], W32/Bagle.k@MM [McAfee], W32/Bagle.K.worm [Panda], W32/Bagle-K [Sophos], WORM_BAGLE.K [Trend Micro]
Type: Worm
Discovered on: March 03, 2004
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
Above from Symantec's official page.
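As an added illustration (not code from the Symantec advisory or from this site), the following Python triage check flags a message that shows the sender and attachment traits listed above: a role-name sender at the recipient's own domain, a .pif attachment, or a .zip attachment whose members carry the "encrypted" header flag. The sample message, the hand-flagged zip and the indicator names are constructed for this example.

```python
import email.utils
import io
import zipfile
from email.message import EmailMessage

# Sender local-parts the advisory says the From: header is spoofed to use.
SPOOFED_LOCALPARTS = {"management", "administration", "staff", "noreply", "support"}


def _split(addr):
    """Return (localpart, domain) of the first address in a header, lowercased."""
    local, _, domain = email.utils.parseaddr(addr)[1].lower().rpartition("@")
    return local, domain


def zip_is_encrypted(data):
    """True if any archive member has the general-purpose 'encrypted' flag bit set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def beagle_k_indicators(raw):
    """List the advisory's mail traits present in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw)
    hits = []
    (s_local, s_domain), (_, r_domain) = _split(msg.get("From", "")), _split(msg.get("To", ""))
    if s_local in SPOOFED_LOCALPARTS and s_domain and s_domain == r_domain:
        hits.append("from-spoofed-local-role-address")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pif"):
            hits.append("pif-attachment")
        elif name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True) or b""):
            hits.append("password-protected-zip")
    return hits


def _fake_encrypted_zip():
    """Constructed sample: a one-member zip whose central-directory flag bit 0
    ('encrypted') is set by hand; no real encryption, just the header marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.exe", b"harmless placeholder bytes")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x01\x02") + 8] |= 0x1  # offset 8 = general purpose flags
    return bytes(data)


def build_sample_message():
    """Constructed sample message mimicking the traits listed in the advisory."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "support@example.com", "alice@example.com", "Hi"
    msg.set_content("see attachment")
    msg.add_attachment(_fake_encrypted_zip(), maintype="application", subtype="zip",
                       filename="ab12cd.zip")
    return msg.as_bytes()
```

A gateway would run beagle_k_indicators over each inbound message and quarantine anything that returns the sender hit together with an attachment hit; a mail from a real support@ mailbox with no attachment only trips the first indicator.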
Also see our articles on Bagle/Beagle and MyDoom viruses.
Comments
Pete [03/03/2004 13:14]:
I've already seen emails from this worm at one client. Remember, there is NO DANGER to Mac OS or Mac OS X systems; you can delete these emails and attachments.
-p
Noah [07/06/2004 16:59]:
More variants. They just keep coming...