Summary
| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 December 2004 16:41:53 (GMT) |
| Last updated | 26 January 2005 10:10:12 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Beaker-B is a mass-mailing worm.
W32/Beaker-B sends itself out in a ZIP file as an email attachment. Emails vary primarily according to the language settings on the infected system. In particular, emails take one of the following subject lines:
U wenst een gelukkig jaar!
deseja um ano feliz!
lei desidera un anno felice!
Vous desirez une annee heureuse!
You desire a happy year!
Te deseo un feliz a
The message text contains one of the following strings:
Vrolijke Kerstmis!!
Natal feliz!!
Buon Natale!!
Merry Christmas!!
Joyeux Noel!!
Feliz Navidad!!
The attachment takes one of the following filenames:
Brief_Kerstmis5.zip
Natal_de_letra1.zip
Natale_di_lettera21.zip
letter_Christmas512.zip
marquer_Noel578.zip
carta_navidad551.zip
The email will spoof the sender's email address, selecting a name from a predefined list.
The worm also attempts to copy itself to the following locations, overwriting any files already present:
<Windows>\system32\dllcache\regedt32.exe
<Windows>\system32\regedt32.exe
<Windows>\system32\dllcache\taskmgr.exe
<Windows>\system32\taskmgr.exe
<Windows>\system32\dllcache\regedit.exe
<Windows>\regedit.exe
<Windows>\system32\cmd.exe
<Windows>\system32\dllcache\cmd.exe
<Windows>\PCHEALTH\HELPCTR\Binaries\msconfig.exe
<Windows>\$NtServicePackUninstall$\msconfig.exe
<Windows>\$NtServicePackUninstall$\cmd.exe
<Windows>\$NtServicePackUninstall$\regedit.exe
<Windows>\ServicePackFiles\i386\msconfig.exe
<Windows>\$NtServicePackUninstall$\taskmgr.exe
<Windows>\$NtServicePackUninstall$\wupdmgr.exe
<Windows>\ServicePackFiles\i386\regedit.exe
<Windows>\ServicePackFiles\i386\taskmgr.exe
<Windows>\ServicePackFiles\i386\cmd.exe
<Windows>\system32\dllcache\wupdmgr.exe
<Windows>\system32\wupdmgr.exe
<Windows>\system\msconfig.exe
<Windows>\system\systray.exe
<Windows>\wupdmgr.exe
<Windows>\command.com
Email addresses to send to are harvested from files on the infected system.
The worm also attempts to connect to one of the following URLs using Internet Explorer:
www.libertyhill.txed.net/schools/Intermediate/specials/Assets/navidad.gif
www.anaescribe.mibitacora.com/sanber%20navidad.gif
www.cica.es/~masa/tvs/navidad/navidad2b.gif
W32/Beaker-B sets the following registry entries so that it is executed again on system restart (each entry is listed as key, value name, and value data; the value name is five random letters and the data is the path to a copy of the worm):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<5 random letters>
<path to worm EXE in system folder>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<5 random letters>
<path to worm EXE in system32 folder>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<5 random letters>
<path to worm EXE in Windows\Tasks folder>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<5 random letters>
<path to worm EXE in Windows\Fonts folder>
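The two lists above (the system tools the worm overwrites with copies of itself, and the Run entries it creates) translate directly into host checks. The script below is an added example written for this page, not Sophos code or a Sophos tool. It flags Run values whose name is five letters and whose data is an .exe in the system, system32, Tasks or Fonts folder under `<Windows>`, and it hashes the listed overwrite targets and reports differently named tools (for instance cmd.exe and regedit.exe) that have identical contents, which is what overwriting them all with one worm body produces. The "differently named binaries share one hash" heuristic, the default `C:\WINDOWS` path, and the sample registry entries and hashes are assumptions made for the example; the detection logic runs on plain data so it can be exercised off a Windows host, while the two collector functions gather live data on Windows only.

```python
"""Host checks derived from the W32/Beaker-B write-up.

Added example, not Sophos code. Checks: (1) Run values with a five-letter
name pointing at an .exe in one of the worm's drop folders; (2) listed system
tools that share identical content under different file names (heuristic
chosen for this example, not stated on the page)."""
import hashlib
import re
import sys
from collections import defaultdict
from pathlib import Path, PureWindowsPath

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
WORM_DROP_DIRS = ("system", "system32", "Tasks", "Fonts")  # relative to <Windows>
FIVE_LETTERS = re.compile(r"^[A-Za-z]{5}$")

# Overwrite targets from the write-up, relative to <Windows>.
OVERWRITE_TARGETS = (
    r"system32\dllcache\regedt32.exe", r"system32\regedt32.exe",
    r"system32\dllcache\taskmgr.exe", r"system32\taskmgr.exe",
    r"system32\dllcache\regedit.exe", r"regedit.exe",
    r"system32\cmd.exe", r"system32\dllcache\cmd.exe",
    r"PCHEALTH\HELPCTR\Binaries\msconfig.exe",
    r"$NtServicePackUninstall$\msconfig.exe", r"$NtServicePackUninstall$\cmd.exe",
    r"$NtServicePackUninstall$\regedit.exe", r"$NtServicePackUninstall$\taskmgr.exe",
    r"$NtServicePackUninstall$\wupdmgr.exe",
    r"ServicePackFiles\i386\msconfig.exe", r"ServicePackFiles\i386\regedit.exe",
    r"ServicePackFiles\i386\taskmgr.exe", r"ServicePackFiles\i386\cmd.exe",
    r"system32\dllcache\wupdmgr.exe", r"system32\wupdmgr.exe",
    r"system\msconfig.exe", r"system\systray.exe",
    r"wupdmgr.exe", r"command.com",
)


def suspicious_run_entries(entries, windows_dir=r"C:\WINDOWS"):
    """entries: iterable of (run_key, value_name, data). Returns the matches."""
    win = PureWindowsPath(windows_dir)
    hits = []
    for key, name, data in entries:
        if key not in RUN_KEYS or not FIVE_LETTERS.match(name):
            continue
        exe = PureWindowsPath(data.strip().strip('"'))
        # PureWindowsPath compares case-insensitively, like the file system.
        if exe.suffix.lower() == ".exe" and any(exe.parent == win / d for d in WORM_DROP_DIRS):
            hits.append((key, name, data))
    return hits


def cloned_system_binaries(hashes):
    """hashes: {path: sha256 hex}. Returns [(digest, [paths])] for digests shared by
    files with *different* names. dllcache/ServicePackFiles copies of one tool
    legitimately match each other, so same-name duplicates are not reported."""
    by_digest = defaultdict(list)
    for path, digest in hashes.items():
        by_digest[digest].append(path)
    return [(d, sorted(p)) for d, p in by_digest.items()
            if len({PureWindowsPath(x).name.lower() for x in p}) > 1]


def collect_run_entries():
    """Enumerate both Run keys on a live host (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = []
    for key in RUN_KEYS:
        hive, _, sub = key.partition("\\")
        with winreg.OpenKey(hives[hive], sub) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):      # [1] = number of values
                name, data, _ = winreg.EnumValue(k, i)
                out.append((key, name, str(data)))
    return out


def hash_overwrite_targets(windows_dir=r"C:\WINDOWS"):
    """SHA-256 every listed target that exists (Windows only)."""
    hashes = {}
    for rel in OVERWRITE_TARGETS:
        p = Path(windows_dir) / rel
        if p.is_file():
            hashes[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


# Constructed sample data (not from a real infection) so the checks run anywhere.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEYS[1], "qzxwv", r"C:\WINDOWS\Tasks\qzxwv.exe"),       # worm-style entry
    (RUN_KEYS[0], "hkzsy", r'"C:\WINDOWS\system32\hkzsy.exe"'),  # quoted path, still hit
    (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),  # six letters: ignored
    (RUN_KEYS[1], "abcde", r"C:\Program Files\Tool\abcde.exe"),  # outside drop dirs
]
SAMPLE_HASHES = {
    r"C:\WINDOWS\system32\cmd.exe": "aa" * 32,
    r"C:\WINDOWS\system32\dllcache\cmd.exe": "aa" * 32,          # same name: fine
    r"C:\WINDOWS\regedit.exe": "aa" * 32,                        # cmd.exe == regedit.exe
    r"C:\WINDOWS\system32\taskmgr.exe": "bb" * 32,
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    entries = collect_run_entries() if live else SAMPLE_RUN_ENTRIES
    hashes = hash_overwrite_targets() if live else SAMPLE_HASHES
    for hit in suspicious_run_entries(entries):
        print("suspicious Run value:", hit)
    for digest, paths in cloned_system_binaries(hashes):
        print("identical content under different names:", paths, digest[:16])
```

Run it on the suspect machine as an administrator so the HKLM key and the protected copies under dllcache and $NtServicePackUninstall$ are readable. A clean-up based on these results still needs known-good copies of cmd.exe, regedit.exe, taskmgr.exe, msconfig.exe and the rest restored from installation media, since the worm overwrites the dllcache and service-pack backups that Windows File Protection would otherwise restore from.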
