Virus name (Chinese):
恶鹰变种K (Bagle variant K)
Aliases:
贝革热, W32.Beagle.K@mm [Symantec], WORM_BAGLE.K [Tre
Threat level:
★★★☆☆
Virus type:
Worm
Virus length:
13
Affected systems:
Win9x, Win2000, WinXP
Virus behaviour:
Bagle (恶鹰) family
Written with:
Assembly, UPX packed
Infection vector:
Spreads rapidly via e-mail
Trigger conditions:
System modifications:
A. Copies itself to %System%\winsys.exe
B. Creates the following file:
%System%\winsys.exeopen
This file is a password-protected ZIP archive whose password is generated at random; its content is the worm's code.
C. Adds the value
"ssate.exe"="%System%\winsys.exe"
to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm starts automatically with the system.
D. Opens TCP port 2745 and listens on it. By sending a specially crafted message to this port, an attacker can make the worm download a new program into the %Windir% directory of the infected system, named iuplda.exe (with a random letter in the name). The downloaded program may be a new virus.
E. Sends HTTP GET requests over TCP port 80 to the following sites:
postertog.de
www.gfotxt.net
www.maiklibis.de
The worm uses this operation to obtain the infected system's IP address and open port number.
F. Terminates the update programs of some anti-virus products, so that they cannot update:
Atupdater.exe
Aupdate.exe
Autodown.exe
Autotrace.exe
Autoupdate.exe
Avltmain.exe
Avpupd.exe
Avwupd32.exe
Avxquar.exe
Cfiaudit.exe
Drwebupw.exe
Icssuppnt.exe
Icsupp95.exe
Luall.exe
Mcupdate.exe
Nupgrade.exe
Outpost.exe
Update.exe
G. Searches files with the following extensions and harvests e-mail addresses from them:
.wab .txt .msg .htm .xml .dbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .adb .tbb .sht .uin .cgi
H. Drops copies of itself into folders whose names contain the string "shar", giving the worm the ability to spread over network shares and through P2P software. The copies are named:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
I. The worm sends mail with its own SMTP engine. Its messages have the following characteristics:
From: <spoofed> (may be any of the following):
management@
administration@
staff@
noreply@
support@
Subject: (may be any of the following):
E-mail account disabling warning.
E-mail account security warning.
Email account utilization warning.
Important notify about your e-mail account.
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Warning about your e-mail account.
Body: (may be any combination of the following):
Dear user of ,
Dear user of gateway e-mail server,
Dear user of e-mail server "",
Hello user of e-mail server,
Dear user of "" mailing system,
Dear user, the management of mailing system wants to let you know that,
Your e-mail account has been temporary disabled because of unauthorized access.
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.
For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.
The team http://www.
The Management,
Sincerely,
Best wishes,
Have a good day,
Cheers,
Kind regards,
For security reasons attached file is password protected. The password is "".
For security purposes the attached file is password protected. Password is "".
Attached file protected with the password for security reasons. Password is .
In order to read the attach you have to use the following password: .
Note: the omitted value is the domain of the mail server, for example 21cn.com
Attachment name: <any of the following>.zip:
Attach
Information
Readme
Document
Info
TextDocument
TextFile
MoreInfo
Message
The ZIP file contains a copy of the worm whose name is made of random characters. The ZIP may be password protected, in which case the password appears in the mail body.
The worm avoids sending mail to addresses containing the following strings:
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@
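Added here as an example, not part of the original entry: a small Python triage helper that checks for two of the host-side indicators listed above, the listener on TCP port 2745 in netstat -an output and a Run-key value in a .reg export whose data points at winsys.exe. The netstat and registry lines in the block are constructed sample data, not output from a real infected host.

```python
import re

# Host-side indicators taken from the Bagle.K description above.
BACKDOOR_PORT = 2745
DROPPED_EXE = "winsys.exe"


def listening_on_backdoor_port(netstat_lines):
    """True if a TCP socket in 'netstat -an' style output is LISTENING on port 2745."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)
    return any(m is not None and int(m.group(1)) == BACKDOOR_PORT
               for m in (pat.match(line) for line in netstat_lines))


def run_key_hits(reg_lines):
    """Return (value name, data) pairs under a ...\\CurrentVersion\\Run key of a .reg
    export whose data ends in winsys.exe, e.g. "ssate.exe"="C:\\...\\winsys.exe"."""
    hits, in_run = [], False
    for raw in reg_lines:
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            # A key header: remember whether we are inside a Run key.
            in_run = s.lower().endswith("\\currentversion\\run]")
        elif in_run and s.startswith('"') and "=" in s:
            name, _, data = s.partition("=")
            # .reg files double the backslashes inside string data.
            data = data.strip().strip('"').replace("\\\\", "\\")
            if data.lower().endswith(DROPPED_EXE):
                hits.append((name.strip('"'), data))
    return hits


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1034       203.0.113.7:80         ESTABLISHED",
]
SAMPLE_REG = [
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"',
    '"ssate.exe"="C:\\\\WINDOWS\\\\System32\\\\winsys.exe"',
]

if __name__ == "__main__":
    print("backdoor port listening:", listening_on_backdoor_port(SAMPLE_NETSTAT))
    print("suspicious Run values:", run_key_hits(SAMPLE_REG))
```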
Symptoms:
The worm uses the icon of the "WordPad" application.
Special notes: