病毒名称:
Worm.Bagz.g
类别: 蠕虫病毒
病毒资料:
破坏方法:
一个用VC编写的蠕虫病毒,采用Upx压缩
病毒行为:
病毒运行后将自己复制到%system%目录下,文件名为TRACE32.exe并将自己注册成服务以达到随系统启动的目的。
病毒驻留内存后将做以下动作:
1.修改hosts文件
病毒将在hosts文件里加入以下网站,使之指向127.0.0.1
www3.ca.com
www.viruslist.ru
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net
.....
2.遍历删除一些特定的系统服务。
病毒将遍历系统的服务,并将服务文件名为以下字串的服务删除。
\qconres.dll
\ptchinst.dll
\probegse.dll
\ftscnres.dll
\emscnres.dll
\edisk.dll
\ashldres.dll
\appinit.ini
\804mbd1.img
\804mbd1.chk
\mgHtml.exe
\mcinfo.exe
\mcappins.exe
\dunzip32.dll
\mvtx.exe
\mpfwizard.exe
\mpfupdchk.dll
\mpfui.dll
\mpftray.exe
\mpfservice.exe
\mpfconsole.exe
\mpfagent.exe.....
3.遍历删除注册表键值。
病毒遍历以下几个主键里的所有注册表键值,并在其中搜索一些在病毒体内保存的字串,当病毒发现存在这些字串时,病毒将该注册表键删除。
HKEY_CLASSES_ROOT,
HKEY_CURRENT_USER,
HKEY_LOCAL_MACHINE,
HKEY_USERS,
HKEY_CURRENT_CONFIG
病毒体内保存的子串:
\cfgwiz.exe
\ccimscn.exe
\ccimscan.dll
\ccavmail.dll
\bootwarn.exe
\avres.dll
\avcompbr.dll
\apwutil.dll
\apwcmdnt.dll
\aboutplg.dll
\zlparser.dll
\vsvault.dll
\vsruledb.dll
\vsmon.exe
\vsdb.dll
\vsavpro.dll
\ssleay32.dll
\cerbprovider.pvx
\camupd.dll
\zonealarm.exe
\zauninst.exe
\zatutor.exe
\tutorwiz.dll
\security.zap
\programs.zap
\idlock.zap
\framewrk.dll
\firewall.zap
\filter.zap
\email.zap
\alert.zap
\mcurial.dll
\mcshield.exe
\mcscan32.dll
\mcmnhdlr.exe
\mcavtsub.dll
\imscnres.inf
\imscnbin.inf
\ftscnres.dll
\emscnres.dll
\edisk.dll
\ashldres.dll
\mghtml.exe
\mcinfo.exe
\mcappins.exe
\dunzip32.dll
\mvtx.exe
\mpfwizard.exe
\mpfupdchk.dll
\mpfui.dll
\mpftray.exe
\mpfservice.exe
\mpfconsole.exe
\mpfagent.exe .....
4.邮件传播:
病毒搜索C:盘里的后缀为TBB,tbb,TBI,tbi,DBX,dbx,HTM,htm,TXT,txt的文件,并尝试从中提取email地址。随后将等待一个有效的网络联接时对其进行邮件传播。
病毒将跳过邮件地址中含有以下字串的邮件地址,以避免过早被反毒软件厂商获得病毒。
support@
support
sopho
samples
root@
rating@
postmaster@
panda
ntivi
noreply
noone@
nobody@
netadmin@
local
listserv
Linux
info@
icrosoft
hostmaster@
help@
gold-certs@
gold-
free-av
feste
f-secur
contract@
contact@
certs@
certific
cafee
bugs@
anyone@
administrator@
admin
abuse
@microsoft
@messagelab
@iana
邮件标题:
Money
Office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
Vasia
re: Andrey
re: please
re: order
Allert!
....
邮件内容:
Did you get the previous document I attached for you?
I resent it in this email just in case, because I
really need you to check it out asap.
Best Regards
I made a mistake and forgot to click attach
on the previous email I sent you. Please give me
your opinion on this opportunity when you get a chance.
Best Regards
I was supposed to send you this document yesterday.
Sorry for the delay, please forward this to your family if possible.
It contains important info for both of you.
Sorry,
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2003-11-3
