What is it?
re_file.exe is associated with the w32.beagle.ar@mm mass mailing worm.
What does it do?
W32.Beagle.AR@mm is a mass-mailing worm that uses its own SMTP engine
to spread. The email attachment is a downloader, similar to the
Mitglieder family of Trojans, that downloads the worm from an external
source.
When W32.Beagle.AR@mm runs, it does the following:
- Creates seven mutexes with the following names, which prevent some variants of the W32.Netsky@mm family of worms from running:
- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
- Creates the following files:
- %System%�awindo.exe.
- %System%�awindo.exeopen (A copy of the worm with randomly appended data.)
- %System%�awindo.exeopenopen (A copy of the worm with randomly appended data.)
- %System%
e_file.exe
- Adds a value:
"bawindo"="%System%�awindo.exe"
to the registry key:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
Attempts
to create copies of itself in any folder that contains the characters
"shar". The files will have the following file names:
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
More info and Removal
@symantec
