From Sophos: Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description
Troj/Beastdo-M is a backdoor Trojan that creates several hidden threads inside other processes, allowing unauthorised remote access to the computer over a network.
The Trojan moves itself to either the Windows or Windows\System folder as a file of the form MS????.COM, where the question marks denote random characters. It also copies itself to the Windows\Command folder (under Windows 95/98/Me) or the Windows msagent folder (under systems based on Windows NT) as MSCVNK.COM.

The Trojan adds entries under the following registry keys so that it runs itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Troj/Beastdo-M also points the following entry in the registry to a copy of the Trojan:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Systemb

The Trojan drops a DLL component within the Windows folder. Its default filename is DXDGNS.DLL, though the Trojan user can redefine this.

Troj/Beastdo-M may open a port on the computer that listens for commands from a remote location. The port number is again chosen by the Trojan user.

Under Windows 95/98/Me the Trojan injects its own code into the running processes SYSTRAY.EXE and IEXPLORER.EXE, EXPLORER.EXE, or any other executable chosen by the Trojan user. Under systems based on Windows NT the process WINLOGON.EXE is used instead of SYSTRAY.EXE.

Troj/Beastdo-M creates the registry entry:

HKCU\Software\Microsoft\RAS Autodial\Control\LoginSessionDisable = 1

The Trojan may attempt to send a confirmation email message to an external address.


Recovery
Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor and reboot your computer.
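As an added example that is not part of this Sophos advisory, the following Python script scans a regedit 'Export Registry File' backup (the kind the recovery steps above tell you to make) for the persistence entries the description lists: Run values that point at MS????.COM, MSCVNK.COM or DXDGNS.DLL files, the Winlogon Systemb entry, and the RAS Autodial LoginSessionDisable value. The sample export and its SID are constructed, and Systemb is assumed to be a value under the Winlogon key rather than a subkey.

```python
import re

# Constructed sample of a regedit "Export Registry File" backup (not a real capture); the SID is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"Com"="C:\\WINDOWS\\SYSTEM\\MSQ7XK.COM"
[HKEY_USERS\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"msagent"="C:\\WINNT\\msagent\\MSCVNK.COM"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Systemb"="C:\\WINNT\\MSQ7XK.COM"
[HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control]
"LoginSessionDisable"=dword:00000001
"""

# Keys named in the advisory; HKLM, HKCU and per-user HKU\<SID> paths all end the same way.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WINLOGON_KEY = re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.I)
RAS_KEY = re.compile(r"\\Software\\Microsoft\\RAS Autodial\\Control$", re.I)
# File names from the advisory: MS????.COM (four random characters), MSCVNK.COM and the DLL's default name only.
SUSPECT_FILE = re.compile(r"(?:^|\\)(MS.{4}\.COM|MSCVNK\.COM|DXDGNS\.DLL)$", re.I)


def parse_reg(text):
    """Yield (key, value_name, data) for each named value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg exports double every backslash
            yield key, name, data


def find_beastdo_indicators(text):
    """Return (key, name, data, reason) tuples for entries matching the advisory; review each by hand."""
    hits = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key) and SUSPECT_FILE.search(data):
            hits.append((key, name, data, "Run entry pointing at an advisory file name"))
        elif WINLOGON_KEY.search(key) and name.lower() == "systemb":
            hits.append((key, name, data, "Winlogon Systemb entry"))
        elif RAS_KEY.search(key) and name.lower() == "loginsessiondisable" \
                and data.lower() == "dword:00000001":
            hits.append((key, name, data, "RAS Autodial LoginSessionDisable = 1"))
    return hits
```

A renamed DLL or a different port will not show up here; the script only confirms the registry-side indicators so you know which Run entries to remove after deleting the files.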