Worm.Beagle.as是什么病毒 - shashadu.com 杀杀毒病毒库

Worm.Beagle.as 病毒信息
- 病毒别名：I-Worm.Bagle.as[AVP], W32/Bagle.az@MM [McAfee], WORM_BAGLE.AM [Trend]
  中文名称：恶鹰变种as
  威胁级别：★★
- 处理时间：N/A
  病毒类型：蠕虫
  影响系统：Win9x / WinNT
病毒行为：
该病毒为恶鹰家族的新变种。它会把自身复制到用户机器上包含"shar"字符串的文件夹内，文件名跟一些正常文件的文件名非常相似，以此来诱惑用户打开运行病毒程序。该病毒会向外发送大量的带毒邮件，严重的堵塞用户网络。建议用户开启防火墙来防止该病毒的侵入。

1.创建以下几个互斥量来防止NetSky病毒运行：
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

2.在被感染的机器上创建以下文件：
%System%\bawindo.exe.
%System%\bawindo.exeopen
%System%\bawindo.exeopenopen
%System%\re_file.exe

3.在注册表HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run中
增加"bawindo"="%System%\bawindo.exe"来确保自身能随计算机启动
4.从HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
删除包含以下字符串的键值：
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

5.在包含"shar"字符串的目录下创建文件，文件名可能为下列字符：
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

6.搜索以下列字符串为扩展名的文件来获得Email地址，并用自带的SMTP引擎发送带毒邮件
adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

7.病毒发送的带毒邮件具有如下特征：
发件人：伪造的
主题：
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

正文：
:)
:))

附件：
文件名可能为：
Price
price
Joke
扩展名可能为：
.com/.scr/.cpl

8.该病毒不会向包含以下字符串的邮件地址发送邮件
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

9.打开被病毒感染的主机的Tcp81和Udp81端口用来转发邮件

10.尝试从下列网站下载文件
www.24-7-transportation.com
www.DarrkSydebaby.com
www.FritoPie.NET
www.adhdtests.com
www.aegee.org
www.aimcenter.net
www.alupass.lu
www.amanit.ru
www.andara.com
www.angelartsanctuary.com
www.anthonyflanagan.com
www.approved1stmortgage.com
www.argontech.net
www.asianfestival.nl
www.atlantisteste.hpg.com.br
www.aviation-center.de
www.bbsh.org
www.bga-gsm.ru
www.boneheadmusic.com
www.bottombouncer.com
www.bradster.com
www.buddyboymusic.com
www.bueroservice-it.de
www.calderwoodinn.com
www.capri-frames.de
www.celula.com.mx
www.ceskyhosting.cz
www.chinasenfa.com
www.cntv.info
www.compsolutionstore.com
www.coolfreepages.com
www.corpsite.com
www.couponcapital.net
www.cpc.adv.br
www.crystalrose.ca
www.crystalrose.ca
www.cscliberec.cz
www.curtmarsh.com
www.customloyal.com
www.deadrobot.com
www.dontbeaweekendparent.com
www.dragcar.com
www.ecofotos.com.br
www.elenalazar.com
www.ellarouge.com.au
www.esperanzaparalafamilia.com
www.eurostavba.sk
www.everett.wednet.edu
www.fcpages.com
www.featech.com
www.fepese.ufsc.br
www.firstnightoceancounty.org
www.flashcorp.com
www.fleigutaetscher.ch
www.fludir.is
www.freeservers.com
www.gamp.pl
www.gci-bln.de
www.gcnet.ru
www.generationnow.net
www.gfn.org
www.giantrevenue.com
www.glass.la
www.handsforhealth.com
www.hartacorporation.com
www.himpsi.org
www.idb-group.net
www.immonaut.sk
www.ims-i.com
www.innnewport.com
www.irakli.org
www.irinaswelt.de
www.jansenboiler.com
www.jasnet.pl
www.jhaforpresident.7p.com
www.jimvann.com
www.jldr.ca
www.justrepublicans.com
www.kencorbett.com
www.knicks.nl
www.kps4parents.com
www.kradtraining.de
www.kranenberg.de
www.lasermach.com
www.leonhendrix.com
www.magicbottle.com.tw
www.mass-i.kiev.ua
www.mepbisu.de
www.mepmh.de
www.metal.pl
www.mexis.com
www.mongolische-renner.de
www.mtfdesign.com
www.oboe-online.com
www.ohiolimo.com
www.onepositiveplace.org
www.oohlala-kirkland.com
www.orari.net
www.pankration.com
www.pe-sh.com
www.pfadfinder-leobersdorf.com
www.pipni.cz
www.polizeimotorrad.de
www.programmierung2000.de
www.pyrlandia-boogie.pl
www.raecoinc.com
www.realgps.com
www.redlightpictures.com
www.reliance-yachts.com
www.relocationflorida.com
www.rentalstation.com
www.rieraquadros.com.br
www.scanex-medical.fi
www.sea.bz.it
www.selu.edu
www.sigi.lu
www.sljinc.com
www.smacgreetings.com
www.soloconsulting.com
www.spadochron.pl
www.srg-neuburg.de
www.ssmifc.ca
www.sugardas.lt
www.sunassetholdings.com
www.szantomierz.art.pl
www.the-fabulous-lions.de
www.tivogoddess.com
www.tkd2xcell.com
www.topko.sk
www.transportation.gov.bh
www.travelchronic.de
www.traverse.com
www.uhcc.com
www.ulpiano.org
www.uslungiarue.it
www.vandermost.de
www.vbw.info
www.velezcourtesymanagement.com
www.velocityprint.com
www.vikingpc.pl
www.vinirforge.com
www.wecompete.com
www.worest.com.ar
www.woundedshepherds.com
www.wwwebad.com
www.wwwebmaster.com

点击数：