Worm.Beagle.i

Wangchao (other) · author anonymous  2008-08-14

Virus name (Chinese): 恶鹰变种I (Beagle variant I)

Virus aliases: 贝革热; W32.Beagle.J@mm [Symantec]; WORM_BAGLE.J [Tre

Threat level: ★★★☆☆

Virus type: worm

Virus length: 12

Affected systems: Win9x, Win2000, WinXP

Virus behaviour: "Beagle" family

Written with: assembly, UPX-packed

Infection vector: spreads rapidly via e-mail

Trigger conditions:

System modifications:

A. Copies itself to %System%\irun4.exe;

B. Creates the following file:

%System%\irun4.exeopen

This file is a password-protected ZIP archive whose password is generated at random; its content is the worm's own code;

C. Adds the following registry value

"ssate.exe" = "%System%\irun4.exe"

under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm starts automatically with the system;

D. Opens TCP port 2745 and listens on it. An attacker who sends a specially crafted message to this port can make the worm download a new program into the %Windir% directory of the infected system, named iuplda.exe (part of the name consists of random letters). The newly downloaded program may be a new virus.

E. Sends HTTP GET requests over TCP port 80 to the following addresses:

postertog.de

www.gfotxt.net

www.maiklibis.de

Through these requests the worm obtains the infected system's IP address and the open port number.

F. Terminates the update processes of some anti-virus products so that they cannot update:

Atupdater.exe

Aupdate.exe

Autodown.exe

Autotrace.exe

Autoupdate.exe

Avltmain.exe

Avpupd.exe

Avwupd32.exe

Avxquar.exe

Cfiaudit.exe

Drwebupw.exe

Icssuppnt.exe

Icsupp95.exe

Luall.exe

Mcupdate.exe

Nupgrade.exe

Outpost.exe

Update.exe

G. Searches files with the following extensions and extracts e-mail addresses from them:

.wab .txt .msg .htm .xml .dbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .adb .tbb .sht .uin .cgi

H. Drops copies of itself into folders whose names contain the string "shar", which lets the worm spread over network shares and through P2P software. The copies use the following names:

ACDSee 9.exe

Adobe Photoshop 9 full.exe

Ahead Nero 7.exe

Matrix 3 Revolution English Subtitles.exe

Microsoft Office 2003 Crack, Working!.exe

Microsoft Office XP working Crack, Keygen.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Opera 8 New!.exe

Porno pics arhive, xxx.exe

Porno Screensaver.scr

Porno, sex, oral, anal cool, awesome!!.exe

Serials.txt.exe

WinAmp 5 Pro Keygen Crack Update.exe

WinAmp 6 New!.exe

Windown Longhorn Beta Leak.exe

Windows Sourcecode update.doc.exe

XXX hardcore images.exe

I. The worm sends mail with its own SMTP engine. Its messages have the following characteristics:

From: <spoofed> (any of the following):

management@

administration@

staff@

noreply@

support@

Subject: (any of the following):

E-mail account disabling warning.

E-mail account security warning.

Email account utilization warning.

Important notify about your e-mail account.

Notify about using the e-mail account.

Notify about your e-mail account utilization.

Warning about your e-mail account.

Body: (any combination of the following strings):

Dear user of ,

Dear user of gateway e-mail server,

Dear user of e-mail server "",

Hello user of e-mail server,

Dear user of "" mailing system,

Dear user, the management of mailing system wants to let you know that,

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavaible for next two days,

to continue receiving mail in these days you have to configure our free

auto-forwarding service.

Your e-mail account will be disabled because of improper using in next

three days, if you are still wishing to use it, please, resign your

account information.

We warn you about some attacks on your e-mail account. Your computer may

contain viruses, in order to keep your computer and e-mail account safe,

please, follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing

from your email account, you may use our free anti-virus tool to clean up

your computer software.

Some of our clients complained about the spam (negative e-mail content)

outgoing from your e-mail account. Probably, you have been infected by

a proxy-relay trojan server. In order to keep your computer safe,

follow the instructions.

For more information see the attached file.

Further details can be obtained from attached file.

Advanced details can be found in attached file.

For details see the attach.

For details see the attached file.

For further details see the attach.

Please, read the attach for further details.

Pay attention on attached file.

The team http://www.

The Management,

Sincerely,

Best wishes,

Have a good day,

Cheers,

Kind regards,

For security reasons attached file is password protected. The password is "".

For security purposes the attached file is password protected. Password is "".

Attached file protected with the password for security reasons. Password is .

In order to read the attach you have to use the following password: .

Note: the omitted token is the domain of the recipient's mail server, e.g. 21cn.com

Attachment name: <any of the following>.zip:

Attach

Information

Readme

Document

Info

TextDocument

TextFile

MoreInfo

Message

The ZIP file contains a copy of the worm whose name is made of random characters. The ZIP may be encrypted, in which case the password appears in the message body.

The worm avoids sending mail to addresses that contain the following strings:

@hotmail.com

@msn.com

@microsoft

@avp.

noreply

local

root@

postmaster@
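As a defender-side illustration of the mail template described in section I, the following Python heuristic is an added example (not code from the original page) that flags a message when it matches the spoofed-sender prefixes, subject lines, <name>.zip attachment names and "password is" phrasing listed above; the sample message in it is constructed, not a real capture.

```python
import re

# Indicator lists transcribed from this page's description of the worm's mail template
SPOOFED_SENDER_PREFIXES = ("management@", "administration@", "staff@", "noreply@", "support@")
TEMPLATE_SUBJECTS = {
    "e-mail account disabling warning.",
    "e-mail account security warning.",
    "email account utilization warning.",
    "important notify about your e-mail account.",
    "notify about using the e-mail account.",
    "notify about your e-mail account utilization.",
    "warning about your e-mail account.",
}
ATTACHMENT_STEMS = {"attach", "information", "readme", "document", "info",
                    "textdocument", "textfile", "moreinfo", "message"}
# Matches the "The password is ..." / "following password:" phrasing used in the body
PASSWORD_RE = re.compile(r"password\s*(?:is\b|:)", re.IGNORECASE)


def match_indicators(sender, subject, body, attachment):
    """Return the list of template indicators that one message matches."""
    hits = []
    if sender.lower().startswith(SPOOFED_SENDER_PREFIXES):
        hits.append("spoofed-sender")
    if subject.strip().lower() in TEMPLATE_SUBJECTS:
        hits.append("template-subject")
    stem, _, ext = attachment.lower().rpartition(".")
    if ext == "zip" and stem in ATTACHMENT_STEMS:
        hits.append("template-attachment")
    if PASSWORD_RE.search(body):
        hits.append("password-in-body")
    return hits


def is_suspected_bagle(sender, subject, body, attachment):
    """Flag a message when the ZIP lure is present together with another indicator.

    Requiring two indicators keeps a lone 'Readme.zip' from a legitimate sender
    from triggering on its own."""
    hits = match_indicators(sender, subject, body, attachment)
    return "template-attachment" in hits and len(hits) >= 2


if __name__ == "__main__":
    # Constructed sample message modelled on the template above (not a real capture)
    sample = ("management@example.com", "E-mail account security warning.",
              'Dear user of example.com, your e-mail account has been temporary '
              'disabled because of unauthorized access. For more information see '
              'the attached file. The password is "k3x9z".', "Information.zip")
    print(is_suspected_bagle(*sample), match_indicators(*sample))
```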

Symptoms:

The worm uses the icon of the "WordPad" application, as shown:

[image: 20040303_Worm.Beagle.i.gif]

Special notes:
