W32.Beagle family of worms

Discovery began in January 2004
aka: W32.Bagle family of worms

W32.Beagle family of worms are mass-mailing worms that open a backdoor on TCP ports 1080, 1234, 2745, or 4751. The worm uses its own SMTP engine for email propagation. It can also send to the attacker the port on which the backdoor listens, as well as a randomized ID number.

The email's subject line, body, and attachment name vary. The attachment will have a .com, .cpl, .exe, .hta, .scr, .vbs, or .zip file extension.

The W32.Beagle.AO@mm (aka: price.zip) worm also opens a backdoor on UDP and TCP port 80.


There is a removal tool for the more common variants of the Beagle worm. For more information about the removal tool, please visit the W32.Beagle removal tool website.

You can find more information and removal instructions as tools for each variant from Symantec from the following links: