- Virus type: Family of mass-mailing worm
- Affects: Windows 95 and up
- Other names for Win32.HLLM.Beagle: W32/Bagle, I-Worm.Bagle, Worm_Bagle
Win32.HLLM.Beagle is a family of mass-mailing Internet worms that spread by email using addresses obtained from the infected computer. The worm randomly selects one of the addresses it finds as the "From:" address, so the apparent sender of an infected email is not the real sender, and their computer is probably not infected.
The subject header of the message is randomly chosen from a large number of strings. The message text is also randomly chosen. In some variants, the text looks like a system-generated error report, in others it is of a chatty nature. (One variant sends emails with a blank subject line and no body text.)
In most variants, the worm is contained in an executable file attachment, whose name is also chosen from a long list of possible names. It may or may not have a double extension (like mp3.pif) and it may be contained in a Zip or Rar archive, which in some variants may be password-protected. The attachment may have an icon to make it look like a harmless file (e.g. text file or sound clip) and the message text may consist of an invitation to open it. W32/Bagle.V sends an attachment named game.exe.
Some variants of the worm exploit a security flaw in Microsoft Outlook / Outlook Express (for which a security patch is available from Microsoft) to try to download the worm from a remote site instead of including it in an attachment.
If activated, the worm copies itself to the hard disk and installs a Registry entry so that it is run automatically at startup. The worm then executes in order to propagate using the method described above. The worm creates a number of other files.
The Win32.HLLM.Beagle worms install a backdoor into the system, which listens on a TCP port for incoming connections. The worm attempts to report its presence to a remote site, in order to alert potential hackers to the backdoor's existence.
Some variants parasitically infect other executable files on the system by adding virus code to them, so that the virus is activated whenever one of the infected files is run.
To prevent another infection by Win32.HLLM.Beagle worms or similar viruses:
- Be suspicious of emails from unknown sources containing executable attachments. See How to detect Internet worms.
- Use a good anti-virus such as Kaspersky AntiVirus or Dr.Web anti-virus.
- Keep up-to-date with Internet Explorer security patches.
- Block inbound and outbound connections on TCP port 81 using your firewall, to prevent newer variants from downloading the worm from an external server.
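Added example, not part of the original entry or of any vendor's product: a mail-gateway check in Python that flags the attachment traits described above (executable attachments, double extensions such as mp3.pif, and zip archives that are password-protected or carry an executable inside), using only the standard library's email and zipfile modules. The sample message, its addresses and the list of runnable extensions are constructed; Rar archives are not inspected.

```python
# Added example (not from the original page): triage a mail message for
# Bagle-style attachments using only the Python standard library.
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}  # assumed set of runnable types

def classify_name(name):
    parts = name.lower().split(".")  # "song.mp3.pif" -> ["song", "mp3", "pif"]
    findings = ["executable"] if parts[-1] in EXEC_EXTS else []
    return findings + (["double-extension"] if len(parts) > 2 else [])

def classify_zip(data):
    """Read only the zip central directory; nothing is extracted or run."""
    findings = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                    findings.add("encrypted-archive")
                if "executable" in classify_name(info.filename):
                    findings.add("executable-in-archive")
    except zipfile.BadZipFile:  # a malformed archive must not crash the scanner
        findings.add("corrupt-archive")
    return sorted(findings)

def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)  # raw RFC 822 bytes
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = classify_name(name)
        if name.lower().endswith(".zip"):
            findings += classify_zip(part.get_payload(decode=True))
        report[name] = findings
    return report

def build_sample():
    """Constructed Bagle-like message: a zip holding game.exe plus a .mp3.pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("game.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "harvested@example.com"  # spoofed sender, as the worm does
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="game.zip")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="song.mp3.pif")
    return msg.as_bytes()
```

Run `triage(build_sample())` to get a per-attachment report; any non-empty finding list is a candidate for quarantine rather than delivery.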
To remove the Win32.HLLM.Beagle worm manually:
- Use a virus scanner to determine the identity of the executable file containing the worm, then use the Windows Task Manager to terminate it.
- Using the Registry Editor, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and/or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the value containing a path to the file identified above.
- Restart Windows.
- Disable System Restore, so that copies of the worm are not saved to the restore folder. (Note: this may cause Windows to restart and you will lose your earlier restore points.)
- Delete the randomly-named worm executable file from the Windows/System32 folder.
- Update and run your virus scanner to remove any other worm files from the system.
- Re-enable System Restore and force a restore point.
To remove the virus Win32.HLLM.Beagle please see our tutorial Help! I've got a virus!