Trace infected machine on network.  Beagle virus.

Posted on 2005-05-04
Last Modified: 2013-12-04
It appears that we have a machine on our network that is infected with the beagle virus.  We believe this because our T1 provider is sending us emails stating that emails are being sent out from one of our external IPs that contain the beagle virus.  We have also gotten bounce-backs from companies that no one here has sent emails to, and those emails contained the beagle virus.  We have Symantec AV running on all of the machines, but we have no scheduled scans set up on them as of yet.  And since we are running the SP2 firewall, we can't gain access to the local Symantec remotely.  The IP address that these are getting sent out with is consistent with the one that our regular traffic uses, not the IP of our exchange server.  So, is there a way that we can track this computer down?  Thanks for the help.  Let me know if you need any more information.
Question by:nextnet
    LVL 13

    Accepted Solution

    You didn't mention how many computers you have so this may be extremely tedious. Depending on which variant it is, you can use tasklist to remotely find which machine is running the process; for example, in one variant the executable is simply called BBEAGLE.EXE:

    tasklist /s MACHINENAME /fi "imagename eq BBEAGLE.EXE"

    That could be tricky since there are many variants of beagle, each one running under a different process name (in fact, one of them is a dll that injects itself into Explorer.exe!).

    Also, one of the "features" of the Beagle family is that they can shut off AV software; you could use this same method to find a machine that is NOT running NAV. I'm assuming you don't have the enterprise version of NAV or the System Center Console so you can't initiate a scan that way.

    You can also shut off the SP2 firewall service remotely so you can initiate full scans. Use Computer Management, or psexec from Sysinternals. Get it here:

    It's just an executable; no installation is necessary. Once you have it copied to your executable path, enter:

    psexec \\machinename net stop "windows firewall/Internet Connection Sharing (ics)"

    That will run the Net Stop command on the remote machine. Then you can get in there and see what's up.
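    One way to run that tasklist check against a whole list of machines instead of one at a time, as an added example (this is not code from the thread): it builds the same command, reads the /fo csv output, and records an RPC or access error as "unreachable" rather than as a clean machine. The host names WS-001 to WS-003, the sample output strings and the fake_runner stand-in are constructed.

```python
"""Sweep a list of hosts with `tasklist /s` and report which ones run a given
process image.  Added example, not from the original thread.  Host names,
sample output and the fake_runner stand-in are constructed."""
import csv
import io
import subprocess
from concurrent.futures import ThreadPoolExecutor

NO_MATCH = "INFO: No tasks are running which match the specified criteria."

def tasklist_command(host, image):
    # /fo csv gives a header line plus one row per matching process, which
    # csv.DictReader can read by column name.
    return ["tasklist", "/s", host, "/fi", f"imagename eq {image}", "/fo", "csv"]

def parse_tasklist_csv(output):
    """Return (image, pid) tuples from tasklist's CSV output, [] when the filter
    matched nothing, or None when tasklist reported an error (host unreachable,
    access denied).  None must be treated as 'unknown', never as 'clean'."""
    text = output.strip()
    if text.startswith("ERROR:"):
        return None
    if not text or text.startswith("INFO:"):
        return []
    rows = csv.DictReader(io.StringIO(text))
    return [(r["Image Name"], int(r["PID"])) for r in rows]

def run_tasklist(host, image):
    """Real runner: shells out to tasklist.exe (Windows only, needs admin rights)."""
    proc = subprocess.run(tasklist_command(host, image), capture_output=True, text=True)
    return proc.stdout + proc.stderr

def sweep(hosts, image, runner=run_tasklist, workers=16):
    """Query every host in parallel.  Returns ({host: [(image, pid), ...]}, [unreachable hosts])."""
    hits, unreachable = {}, []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for host, out in zip(hosts, pool.map(lambda h: runner(h, image), hosts)):
            found = parse_tasklist_csv(out)
            if found is None:
                unreachable.append(host)
            elif found:
                hits[host] = found
    return hits, unreachable

# Constructed sample outputs standing in for real tasklist responses.
SAMPLE_OUTPUT = {
    "WS-001": NO_MATCH,
    "WS-002": '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
              '"BBEAGLE.EXE","1844","Console","0","3,452 K"\n',
    "WS-003": "ERROR: The RPC server is unavailable.",
}

def fake_runner(host, image):
    """Stand-in for run_tasklist so the sweep can be exercised offline."""
    return SAMPLE_OUTPUT.get(host, NO_MATCH)

if __name__ == "__main__":
    hits, unreachable = sweep(list(SAMPLE_OUTPUT), "BBEAGLE.EXE", runner=fake_runner)
    print("hits:", hits)
    print("unreachable (rescan once the firewall is open):", unreachable)
```

    Two caveats follow from the post itself: a sweep by image name only finds variants that run as their own executable, not the DLL variant that lives inside Explorer.exe, and a host that comes back as unreachable (typically because the SP2 firewall is still blocking RPC) has to go on a re-check list rather than being crossed off.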

    LVL 38

    Assisted Solution

    by:Rich Rumble
    Yes, the first thing to do is to turn off the XP firewalls; this can be done in your AD policies much more easily.
    With a GroupPolicy you can also set the firewall up in such a way that you can remotely administer the machines, and don't necessarily have to turn the firewall completely off.
    To use built-in commands you can do the following (requires admin rights)
    netsh firewall set opmode mode = disable   (you can also use enable to turn it back on)

    here are some scripts to help administer the xp firewall, they also require admin rights to be effective

    OR have your users run the program here: (and the fix afterward )
    This should detect all the beagle variants. Now before you remove any viri or even spyware for that matter, on XP machines SYSTEM RESTORE MUST BE OFF FIRST.

    Another effective tool, just in case it's not beagle but a similar virus: try McAfee's Stinger:
    Remember, system restore must be Off BEFORE removing the viri. Get those updates and scans scheduled!


    Author Comment

    We have around 120 users and we do have enterprise edition.  I have already made a GP to open up the specific ports and programs on the XP firewall.  I have also created a group now in symantec that will be scanning our computers nightly.  Hopefully that will show something.  Searching computer by computer for the BBeagle.exe probably isn't going to happen unless we have exhausted other faster options.  Updates are already scheduled so that shouldn't be a problem.  Thanks for the input.  Is there any way of monitoring the network traffic to see who is sending these emails out?  It seems to be a rather constant thing.
    LVL 38

    Expert Comment

    by:Rich Rumble
    Yes if you set up Snort, or another IDS system and have a signature for it. You could also just use ethereal and a spanned port to find it, as setting up snort can take quite some time.

    If you have cisco switches this is the command on the catalyst series for spanning a port (also known as port mirroring)
    set span 3/24 4/45
    blade 3 port 24 would be the source port, where your firewall or router plugs in, and blade 4 port 45 would be the spot you have the sniffer plugged into. (just an example)
    So every packet that is sent to/from port 3/24 is mirrored and also sent to port 4/45, so you can see which computer is sending what and where.
    You'd fire up ethereal, and look for unauthorized usage of port 25 as a destination.

    To make it easier to look for, use the following as your capture filter

    dst port 25 ! host
    This capture filter says: look for packets that have a destination port of 25, but NOT from this host (replace with the IP of your mail server); this should cut down on false positives. Or ignore your mail server IPs and just look for who is sending to   dst port 25   only.
    dst port 25

    Here is a capture filter tutorial:

    Here are some different capture filters- THE EXAMPLES PROBABLY HELP MORE
    RULE                          EXAMPLE  /  SYNTAX HELP
    host host            host is either the ip address or host name "host FRED" is the same as "host"
    src host host              Capture all packets where host is the source "src host FRED is the same as src host"
    dst host host            Capture all packets where host is the destination
    host                   Capture all packets to and from
    src host                   Capture all packets where is the source
    dst host                   Capture all packets where is the destination
    Port filtering:
    Syntax Description
    port port                         Capture all packets where port is either the source or destination  
    src port port                         Capture all packets where port is the source port
    dst port port                         Capture all packets where port is the destination port
    port 80                         Capture all packets where 80 is either the source or destination port
    src port 80                         Capture all packets where 80 is the source port
    dst port 80                         Capture all packets where 80 is the destination port
    Network filtering:
    Syntax Description
    net net                         Capture all packets to/from net
    src net net                         Capture all packets where net is the source
    dst net net                         Capture all packets where net is the destination
    net 192.168                         Capture all packets where the network is
    src net 192.168                   Capture all packets where the network is the source
    dst net 192.168                   Capture all packets where the network is the destination
    Protocol Based Filters
    Ethernet Based:
    Syntax Description
    ether proto \[primitive name]
    ether proto \ip or just ip             Capture all ip packets
    ether proto \arp or just arp             Capture all address resolution protocol packets
    ether proto \rarp or just rarp             Capture all reverse arp packets
    IP Based:
    Syntax Description
    ip proto \[primitive name]
    ip proto \tcp or just tcp             Capture all TCP segments (packets)
    ip proto \udp or just udp             Capture all UDP packets
    ip proto \icmp or just icmp             Capture all ICMP packets
    Combining Primitive Expressions
    You may combine primitive expressions using the following:
    Negation: ! or not
    Concatenation: && or and
    Alternation: || or or
    host && ! net 192.168       Capture all packets to/from that are not to/from
    host && port 80             Capture all packets to/from and are sourced/destined on 80
    Remember you can filter with "NOT" as well.
    port 4444 or port 69 and not port 1433 and not port 1159

    tcp port 4444 ! port 135 (capture all traffic with 4444 in the dest/src and not going to port 135 udp or tcp)
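    To make the filter rules above concrete, here is an added example (not from the post) that evaluates the subset of the capture-filter syntax used in this thread, host/port/net with src/dst, tcp/udp/icmp/ip, and not/and/or with ! && ||, against packet summaries, and then applies the "dst port 25 and not host MAILSERVER" idea to count which sources are talking SMTP. Juxtaposed primitives such as "tcp port 4444 ! port 135" are read as an implicit "and", which is how the thread writes them. The Filter class, the PACKETS records and the 10.0.0.5 mail-server address are all constructed.

```python
"""Evaluate a subset of the Ethereal/tcpdump capture-filter syntax against
packet summaries and count SMTP talkers.  Added example, not part of the
original post; packet records and the mail-server address are constructed."""
import ipaddress
import re
from collections import Counter

TOKEN = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")

class Filter:
    """Recursive-descent evaluator: expr = term (or term)*, term = factor (and factor)*,
    factor = not factor | (expr) | primitive.  Adjacent primitives count as 'and'."""
    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() in ("or", "||"):
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while True:
            if self._peek() in ("and", "&&"):
                self._take()
            elif self._peek() in (None, ")", "or", "||"):
                break
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok in ("not", "!"):
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("tcp", "udp", "icmp", "ip"):
            return ("proto", tok)
        direction = "any"
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok not in ("host", "port", "net"):
            raise ValueError(f"bad primitive {tok!r}")
        return (tok, direction, self._take())

    def matches(self, pkt):
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "proto":
            return node[1] == "ip" or pkt["proto"] == node[1]
        _, direction, value = node
        fields = {"any": ("src", "dst"), "src": ("src",), "dst": ("dst",)}[direction]
        if kind == "host":
            return any(pkt[f] == value for f in fields)
        if kind == "port":
            return any(pkt[f + "port"] == int(value) for f in fields)
        return any(_in_net(pkt[f], value) for f in fields)

def _in_net(addr, spec):
    # 'net 192.168' is a dotted prefix as in the thread; '10.0.0.0/8' is CIDR.
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return addr == spec or addr.startswith(spec.rstrip(".") + ".")

def smtp_talkers(packets, mail_server):
    """Sources sending to port 25 where the mail server is not involved, with packet counts."""
    flt = Filter(f"dst port 25 and not host {mail_server}")
    return Counter(p["src"] for p in packets if flt.matches(p))

# Constructed packet summaries: 10.0.0.5 is the mail server, 10.0.0.77 is a
# workstation speaking SMTP directly to the outside world.
PACKETS = [
    {"src": "10.0.0.5",  "dst": "203.0.113.10", "srcport": 40001, "dstport": 25, "proto": "tcp"},
    {"src": "10.0.0.77", "dst": "198.51.100.2", "srcport": 1040,  "dstport": 25, "proto": "tcp"},
    {"src": "10.0.0.77", "dst": "198.51.100.9", "srcport": 1041,  "dstport": 25, "proto": "tcp"},
    {"src": "10.0.0.12", "dst": "10.0.0.5",     "srcport": 1050,  "dstport": 25, "proto": "tcp"},
    {"src": "10.0.0.12", "dst": "10.0.0.1",     "srcport": 1051,  "dstport": 80, "proto": "tcp"},
]

if __name__ == "__main__":
    print(smtp_talkers(PACKETS, "10.0.0.5"))
```

    Because "host X" matches either endpoint, the filter drops both the mail server's own outbound deliveries and the internal clients submitting mail to it; what is left is exactly the pattern of a mass-mailer with its own SMTP engine, a workstation connecting to port 25 on outside hosts. The Counter ranks the sources by how many such packets they sent.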

    Author Comment

    I split the points.  The virus actually started sending emails internally, so we were able to look at the header and it contained the IP address of the infected computer.  I will give that port mirroring a try for future issues.  Thanks.
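    The header check that closed the question, done programmatically, as an added example (not code from the thread): each relay prepends a Received: line, so the bottom-most line written by one of your own servers names the machine that handed the message over. Lines below that can be forged by the sender, so the function only trusts hops recorded "by" a relay you list. The sample message, the host names and the 10.0.0.0/8 internal range are constructed.

```python
"""Find the originating internal machine of a message from its Received: headers.
Added example, not part of the original thread; the sample message, relay
names and internal range are constructed."""
import ipaddress
import re
from email import message_from_string

# from <name> ... [<ip>] ... by <relay>   (folded headers span lines, hence re.S)
RECEIVED = re.compile(
    r"from\s+(?P<name>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)

def parse_hops(raw_message):
    """(name, ip, by) for each Received: header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # headers are prepended, so reverse
        m = RECEIVED.search(hdr)
        if m:
            hops.append((m["name"], m["ip"], m["by"]))
    return hops

def origin_host(raw_message, internal_net, trusted_relays):
    """First internal address along the path that was recorded by one of our
    own relays.  Hops 'by' anything else are sender-controlled and ignored."""
    net = ipaddress.ip_network(internal_net)
    for name, ip, by in parse_hops(raw_message):
        if by in trusted_relays and ipaddress.ip_address(ip) in net:
            return name, ip
    return None

# Constructed message: the workstation pc-finance07 handed it to the internal
# mail server, which relayed it to the mailbox server.
SAMPLE = """Received: from mail.example.internal ([10.0.0.5]) by mx.example.internal
\twith ESMTP id abc123; Wed, 4 May 2005 10:02:11 -0400
Received: from pc-finance07 ([10.0.0.77]) by mail.example.internal
\twith SMTP; Wed, 4 May 2005 10:02:09 -0400
From: someone@example.com
To: colleague@example.internal
Subject: Re: Hello

body
"""

OUR_RELAYS = {"mail.example.internal", "mx.example.internal"}

if __name__ == "__main__":
    print(origin_host(SAMPLE, "10.0.0.0/8", OUR_RELAYS))
```

    The From: line is worthless for this purpose, since mass-mailers forge it; only the hop your own relay recorded is evidence of where the connection actually came from.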
    LVL 13

    Expert Comment

    Ah; didn't know you were on AD. Yeah; 120 machines would make it a bit tedious, especially since you don't yet know which variant it is. Well, hopefully the full scan will catch it, unless it has disabled the AV software.

    Ethereal is a free, open-source packet sniffer that you can use to see (among many other things) which machine is sending out tons of SMTP traffic. You'll need to place the network interface of whatever machine you designate as the sniffer into promiscuous mode so it will see all traffic (not just broadcast and multicast traffic).

    If you have a switched network (and who doesn't these days), you'll need to set up a way to sniff unicast packets. Some switches can replicate all traffic on all ports to a single port so you can plug your analyzer into that port to sniff your entire network. Check the documentation for your switch to see if this is possible with your equipment (most Cisco switches support this).

    Or, if you have one around, you can stick a regular (non-switched) hub between your network firewall and internet gateway; then plug your sniffer machine into that.

    LVL 13

    Expert Comment

    Oops; that's what I get for not refreshing a page before hitting submit...

