Worm: Win32.HLLM.Beagle


Win32.HLLM.Beagle is a family of mass-mailing Internet worms that spread by email using addresses obtained from the infected computer. The worm randomly selects one of the addresses it finds as the "From:" address: therefore the apparent sender of the infected email is not the real sender and their computer is probably not infected.

The subject header of the message is randomly chosen from a large number of strings. The message text is also randomly chosen. In some variants, the text looks like a system-generated error report, in others it is of a chatty nature. (One variant sends emails with a blank subject line and no body text.)

In most variants, the worm is contained in an executable file attachment, whose name is also chosen from a long list of possible names. It may or may not have a double extension (like mp3.pif) and it may be contained in a Zip or Rar archive, which in some variants may be password protected. The attachment may have an icon to make it look like a harmless file (e.g. text file or sound clip) and the message text may consist of an invitation to open it. W32/Bagle.V sends an attachment named game.exe.
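Mail-gateway checks for the attachment traits just described, as an added example that is not part of the original advisory: it flags executable extensions, double extensions such as mp3.pif, and Zip archives that carry executables or password-protected members. The sample message, its addresses and the attachment bytes are constructed here (Rar archives are left out because the standard library cannot read them).

```python
"""Added example: flag mass-mailer style attachments in a raw email message."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly; .pif is the one the text names.
EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
ARCHIVE_EXTS = {"zip"}  # .rar needs a third-party library; kept out of this example


def _exts(name):
    """All extensions of a filename, lower-cased, e.g. 'a.mp3.pif' -> ['mp3', 'pif']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(name):
    """Return the reasons a filename looks like a worm payload (empty list if none)."""
    reasons = []
    exts = _exts(name)
    if not exts:
        return reasons
    if exts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2:  # a benign-looking inner extension hides the executable one
            reasons.append("double extension ." + ".".join(exts[-2:]))
    return reasons


def inspect_zip(data):
    """Look inside a Zip attachment for executable members and encrypted (password-protected) members."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims .zip but is not a valid archive"]
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
            reasons.append("password-protected member " + info.filename)
        for r in classify_name(info.filename):
            reasons.append("archive member " + info.filename + ": " + r)
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return {attachment name: [reasons]} for suspicious attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_name(name)
        exts = _exts(name)
        if exts and exts[-1] in ARCHIVE_EXTS:
            reasons += inspect_zip(part.get_payload(decode=True))
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed sample: a chatty lure with a double-extension attachment and a Zip holding an executable."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed address
    msg["To"] = "recipient@example.invalid"  # constructed address
    msg["Subject"] = "Re: Hello"
    msg.set_content("Check this out :)")
    msg.add_attachment(b"MZ\x90\x00 placeholder, not a real program", maintype="application",
                       subtype="octet-stream", filename="song.mp3.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("game.exe", b"MZ\x90\x00 placeholder bytes")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Filename checks alone are easy to evade, which is why the archive members are inspected too; a production filter would add content-type sniffing (an `MZ` header under a sound-clip name) rather than trust the extension or the icon.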

Some variants of the worm exploit a security flaw in Microsoft Outlook / Outlook Express (for which a security patch is available from Microsoft) to try to download the worm from a remote site instead of including it in an attachment.

If activated, the worm copies itself to the hard disk and installs a Registry entry so that it is run automatically at startup. The worm then runs and propagates by the mail method described above. The worm also creates a number of other files.

The Win32.HLLM.Beagle worms install a backdoor into the system, which listens on a TCP port for incoming connections. The worm attempts to report its presence to a remote site, in order to alert potential hackers to the backdoor's existence.

Some variants parasitically infect other executable files on the system by adding virus code to them, so that the virus is activated whenever one of the infected files is run.