Virus name:
W32.Beagle.FN@mm
Category: mail worm
Virus details:
According to experts at the Guanghua Anti-Virus Research Center (光华反病毒研究中心), this is a mass-mailing worm 229,892 bytes in length that infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It lowers system security settings, spreads with its own built-in mail-sending engine, and downloads and executes other malicious files. When the worm is received and opened, the following happens:
A. Adds the registry value
"drv_st_key" = "%UserProfile%\Application Data\hidn\hidn2.exe" to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs automatically at every startup.
B. Creates the following files:
%UserProfile%\Application Data\hidn\hidn2.exe - copy of the worm
%UserProfile%\Application Data\hidn\m_hook.sys - detected as Trojan.Rootserv
[system drive]\error.gif - clean file
[system drive]\temp.zip - password-protected zip file containing a copy of the worm and a clean DLL file
C. Adds the value "FirstRun" = "1"
under HKEY_CURRENT_USER\Software\FirstRuxzx
D. Creates the registry keys HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m_hook
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_M_HOOK
which install the Trojan as a service.
E. Deletes the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot (the Safe Mode configuration)
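Host triage for the artifacts in items A to E, as an added example that is not part of the original write-up. assess() evaluates a snapshot dict so it can be exercised off-host, and collect_snapshot() fills that dict from the live registry and file system with Python's winreg module, so it runs only on Windows; the value names, key paths and file names come from items A to E, while the snapshot layout and function names are my own.

```python
# Added example (not from the original write-up): checks a host for the item
# A-E artifacts. assess() works on a snapshot dict so it can be tested off-host;
# collect_snapshot() reads the live registry and file system (Windows only).
import os
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drv_st_key"
MARKER_KEY = r"Software\FirstRuxzx"                         # HKCU, "FirstRun"="1"
SERVICE_KEY = r"System\CurrentControlSet\Services\m_hook"    # HKLM
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"  # HKLM, must exist
DROPPED = (r"Application Data\hidn\hidn2.exe", r"Application Data\hidn\m_hook.sys")

def assess(snapshot):
    """Return findings; snapshot holds hkcu_run (dict) and the sets hkcu_keys,
    hklm_keys and files (file paths relative to %UserProfile%)."""
    findings = []
    run = snapshot.get("hkcu_run", {}).get(RUN_VALUE)
    if run is not None:
        findings.append(f"HKCU Run value {RUN_VALUE} present: {run}")
    findings += [f"dropped file %UserProfile%\\{r}" for r in DROPPED if r in snapshot.get("files", ())]
    if MARKER_KEY in snapshot.get("hkcu_keys", set()):
        findings.append(f"infection marker key HKCU\\{MARKER_KEY}")
    hklm = snapshot.get("hklm_keys", set())
    if SERVICE_KEY in hklm:
        findings.append(f"rootkit driver service HKLM\\{SERVICE_KEY}")
    if SAFEBOOT_KEY not in hklm:
        findings.append("HKLM SafeBoot key missing: Safe Mode configuration deleted")
    return findings

def collect_snapshot():
    """Windows only: build the snapshot assess() expects from the live system."""
    import winreg
    snap = {"hkcu_run": {}, "hkcu_keys": set(), "hklm_keys": set(), "files": set()}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            snap["hkcu_run"][name] = str(data)
    probes = ((winreg.HKEY_CURRENT_USER, MARKER_KEY, "hkcu_keys"),
              (winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY, "hklm_keys"),
              (winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY, "hklm_keys"))
    for hive, path, bucket in probes:
        try:
            winreg.OpenKey(hive, path).Close()
            snap[bucket].add(path)
        except OSError:
            pass
    profile = os.environ.get("USERPROFILE", "")
    snap["files"] = {r for r in DROPPED if os.path.exists(os.path.join(profile, r))}
    return snap

if __name__ == "__main__" and os.name == "nt":
    print("\n".join(assess(collect_snapshot()) or ["no W32.Beagle.FN@mm artifacts"]))
```

A clean host must report the SafeBoot key as present; its absence is a finding on its own, even when none of the other artifacts survive.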
F. Tests network connectivity by connecting to TCP port 25 of the SMTP server smtp.mail.ru.
G. Connects to the following servers:
Google.com
217.5.97.137
H. Connects to the following addresses to download a mailing list, which it saves as the file elist.xpt in the Windows directory:
I. Searches files with the following extensions for email addresses:
.wab
.txt
.msg
.htm
.shtm
.stm
.XML
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.ASP
.PHP
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
J. Excludes email addresses that contain any of the following strings:
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
Linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
WinZip
WinRAR
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
K. Sends itself (stored in the temp.zip file) to the addresses collected above.
The email has the following characteristics:
From: [random name]
Subject: [random name]
Body: one of the following lines
The password is: [图片名称]
Password -- [图片名称]
Use password [图片名称]
Password is [图片名称]
Zip password: [图片名称]
Zip archive password: [图片名称]
Password - [图片名称] to open archive.
Password: [图片名称]
Attachment: [random name].zip
[random name] is one of the following:
Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede
To the beloved
I love you
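A mail-gateway check for the lure described in item K, as an added example that is not code from the original write-up. It matches the eight body templates, the zip attachment and the bare-first-name sender and subject pattern; the message dict layout, the scoring weights and the threshold are my assumptions, and NAME_HINTS holds only a subset of the name list above.

```python
# Added example (not from the original write-up): mail-gateway check for the
# item K lure. Messages are plain dicts; NAME_HINTS is a subset of the page's
# [random name] list plus its two phrases.
import re
# Eight body templates in one regex; group 1 is the one-token archive password.
PASSWORD_LINE = re.compile(
    r"^\s*(?:The password is:|Password --|Use password|Password is|"
    r"Zip password:|Zip archive password:|Password -|Password:)"
    r"\s*(\S+?)(?:\s+to open archive\.)?\s*$",
    re.MULTILINE,
)
NAME_HINTS = {n.lower() for n in (
    "Alice", "Andrew", "Anthony", "Daniel", "Dorothy", "Edward", "Elizabeth",
    "George", "Henry", "James", "John", "Judith", "Margaret", "Mary", "Nicholas",
    "Peter", "Richard", "Robert", "Thomas", "William", "To the beloved", "I love you")}

def extract_password(body):
    """Return the archive password promised in the body, or None."""
    m = PASSWORD_LINE.search(body)
    return m.group(1) if m else None

def display_name(sender):
    """'Judith <j@x.net>' -> 'judith'; a bare address yields its local part."""
    head = sender.split("<")[0].strip() or sender.strip("<> ")
    return head.split("@")[0].lower()

def score_message(msg):
    """Return (score, reasons) as (tag, detail) pairs; the password line counts 2."""
    reasons = []
    password = extract_password(msg.get("body", ""))
    if password:
        reasons.append(("password", password))
    zips = [a for a in msg.get("attachments", ()) if a.lower().endswith(".zip")]
    if zips:
        reasons.append(("zip", zips[0]))
    subject = msg.get("subject", "").strip().lower()
    if subject in NAME_HINTS:
        reasons.append(("subject", subject))
    sender = display_name(msg.get("sender", ""))
    if sender in NAME_HINTS:
        reasons.append(("sender", sender))
    for a in zips:
        if a.rsplit(".", 1)[0].lower() in NAME_HINTS:
            reasons.append(("zipname", a))
    return len(reasons) + (1 if password else 0), reasons

def is_beagle_lure(msg, threshold=4):
    """Password line and zip are mandatory; name hints push the score over."""
    score, reasons = score_message(msg)
    return score >= threshold and {"password", "zip"} <= {t for t, _ in reasons}
```

The regex deliberately accepts only a single token after the template, so a legitimate sentence such as "The password is: in the portal." does not match; the extracted token is what an analyst needs to open the quarantined archive.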
L. Downloads a virus from the following addresses, saves it in the system directory as re_file.exe and executes it:
M. Terminates the following processes and services:
wuauserv
Aavmker4
ABVPN2K
ADBLOCK.DLL
ADFirewall
AFWMCL
Ahnlab task Scheduler
alerter
AlertManger
AntiVir Service
AntiyFirewall
ARP.DLL
aswMon2
aswRdr
aswTdi
aswUpdSv
Ati HotKey Poller
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
AVEService
AVExch32Service
AvFlt
Avg7Alrt
Avg7Core
Avg7RsW
Avg7RsXP
Avg7UpdSvc
AvgCore
AvgFsh
AVGFwSrv
AvgFwSvr
AvgServ
AvgTdi
AVIRAMailService
AVIRAService
avpcc
AVUPDService
AVWUpSrv
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
Bdfndisf
bdftdif
bdss
BlackICE
BsFileSpy
BsFirewall
BsMailProxy
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CONTENT.DLL
DefWatch
DNSCACHE.DLL
drwebnet
dvpapi
dvpinit
ewido security suite control
ewido security suite driver
ewido security suite guard
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
firewall
fsbwsys
FSDFWD
FSFW
FSMA
FTPFILT.DLL
FwcAgent
fwdrv
Guard NT
HSnSFW
HSnSPro
HtmlFILT.DLL
HTTPFILT.DLL
IMAPFILT.DLL
InoRPC
InoRT
InoTask
Ip6Fw
Ip6FwHlp
KAVMonitorService
KAVSvc
KLBLMain
KPfwSvc
KWatch3
KWatchSvc
MAILFILT.DLL
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
Microsoft NetWork FireWall Services
MonSvcNT
MpfService
navapsvc
Ndisuio
NDIS_RD
Network Associates Log Service
nipsvc
NISSERV
NISUM
NNTPFILT.DLL
NOD32ControlCenter
NOD32krn
NOD32Service
Norman NJeeves
Norman Type-R
Norman ZANDA
Norton AntiVirus Server
NPDriver
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
OfcPfwSvc
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVAGENTE
PavAtScheduler
PAVDRV
PAVFIRES
PAVFNSVR
Pavkre
PavProc
PavProt
PavPrSrv
PavReport
PAVSRV
PCCPFW
PCC_PFW
PersFW
Personal Firewall
POP3FILT.DLL
PREVSRV
PROTECT.DLL
PSIMSVC
qhwscsvc
wscsvc
Quick Heal Online Protection
ravmon8
RfwService
SAVFMSE
SAVScan
SBService
schscnt
SECRET.DLL
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SpiderNT
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
The_Hacker_Antivirus
Tmntsrv
TmPfw
tmproxy
tmtdi
tm_cfw
T_H_S_M
V3MonNT
V3MonSvc
Vba32ECM
Vba32ifs
Vba32Ldr
Vba32PP3
VBCompManService
VexiraAntivirus
VFILT
VisNetic AntiVirus Plug-in
vrfwsvc
vsmon
VSSERV
WinAntivirus
WinRoute
wuauserv
xcomm
N. Displays an image.
Removal:
Users of Guanghua anti-virus software can fully detect and remove this virus by updating to the virus database of 16 October (free download: http://www.viruschina.com/html/update.htm).
Virus demo:
Virus FAQ:
A PE virus running under Windows.
Discovery date:
2006-10-16