Worm.Beagle.M

病毒名称(中文):

“恶鹰”变种M

病毒别名:

Worm.BBeagle.N[瑞星]PE_BAGLE.N[Trend]W32/Bagle.n

威胁级别:

★★★☆☆

病毒类型:

蠕虫病毒

病毒长度:

影响系统:

Win9xWinNTWin2000WinXPWin2003

病毒行为:

恶鹰

编写工具:

传染条件:

发作条件:

系统修改:

A、将病毒自身拷贝到

%System%winupd.exe:该蠕虫的拷贝.

%System%winupd.exeopen:该蠕虫的拷贝

%System%winupd.exeopenopen:也是该蠕虫的一个拷贝，也有可能是包含该蠕虫的加密.zip或.rar文件

%System%winupd.exeopenopenopen:一个.bmp文件，包含上面.zip或.rar文件的解密密码，只有当winupd.exeopenopen为一个密码保护.zip或.rar文件时才会创建。

B、在注册表的主键:

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

中添加如下键值:

"winupd.exe"="%System%winupd.exe"

以便该病毒在每次重启Windows时运行。

在注册表主键：

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

中删除如下键值:

9XHtProtect

Antivirus

HtProtect

ICQNet

ICQNet

MyAV

SpecialFirewallService

TinyAV

ZoneLabsClientEx

service

C、在TCP端口2556开一个后门。

D、该病毒为变形病毒，并且会感染系统中的.exe文件

发作现象:

A、尝试关闭以下程序进程：

AGENTSVR.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATWATCH.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGSERV9.EXE

AVLTMAIN.EXE

AVPUPD.EXE

AVSYNMGR.EXE

AVWUPD32.EXE

AVXQUAR.EXE

AVprotect9x.exe

Au.exe

BD_PROFESSIONAL.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BOOTWARN.EXE

BORG2.EXE

BS120.EXE

CDP.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CMGRDIAN.EXE

CMON0EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

D3dupdate.exe

DEFWATCH.EXE

DEPUTY.EXE

DPF.EXE

DPFSETUP.EXE

DRWATSON.EXE

DRWEBUPW.EXE

ENT.EXE

ESCANH95.EXE

ESCANHNT.EXE

ESCANV95.EXE

EXANTIVIRUS-CNET.EXE

FAST.EXE

FIREWALL.EXE

FLOWPROTECTOR.EXE

FP-WIN_TRIAL.EXE

FRW.EXE

FSAV.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

GBMENU.EXE

GBPOLL.EXE

GUARD.EXE

HACKTRACERSETUP.EXE

HTLOG.EXE

HWPE.EXE

IAMAPP.EXE

IAMSERV.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFW2000.EXE

IPARMOR.EXE

IRIS.EXE

JAMMER.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KILLPROCESSSETUP161.EXE

LDPRO.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LSETUP.EXE

LUALL.EXE

LUCOMSERVER.EXE

LUINIT.EXE

MCAGENT.EXE

MCUPDATE.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGUI.EXE

MINILOG.EXE

MOOLIVE.EXE

MRFLUX.EXE

MSCONFIG.EXE

MSINFO32.EXE

MSSMMC32.EXE

MU0311AD.EXE

NAV80TRY.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVSTUB.EXE

NAVW32.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NETARMOR.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NSCHED32.EXE

NTVDM.EXE

NUPGRADE.EXE

NVARCHEXE

NWINST4.EXE

NWTOOLEXE

OSTRONET.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANIXK.EXE

PAVPROXY.EXE

PCC2002S902.EXE

PCC2K_76_1436.EXE

PCCIOMON.EXE

PCDSETUP.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PF2.EXE

PFWADMIN.EXE

PINGSCAN.EXE

PLATIN.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTIVE.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PROCEXPLORERV1.0.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

PVIEW95.EXE

QCONSOLE.EXE

QSERVER.EXE

RAV8WIN32ENG.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCN95.EXE

RULAUNCH.EXE

SAFEWEB.EXE

SBSERV.EXE

SD.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SMC.EXE

SOFI.EXE

SPF.EXE

SPHINX.EXE

SPYXX.EXE

SS3EDIT.EXE

ST2.EXE

SUPFTRL.EXE

SUPPORTER5.EXE

SYMPROXYSVC.EXE

SYSEDIT.EXE

TASKMON.EXE

TAUMON.EXE

TAUSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-98.EXE

TDS2-NT.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

UNDOBOOT.EXE

UPDATE.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VFSETUP.EXE

VIRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCENU6.02D30.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBSCANX.EXE

WGFE95.EXE

WHOSWATCHINGME.EXE

WINRECON.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZAUINST.EXE

ZONALM2601.EXE

ZONEALARM.EXE

B、在本地磁盘扫描具有以下扩展名的文件，以收集邮件地址。

adb

asp

cfg

cgi

dbx

dhtm

eml

htm

jsp

mbx

mdx

mht

mmf

msg

nch

ods

oft

php

pl

sht

shtm

stm

tbb

txt

uin

wab

wsh

xls

xml

C、用自带的smtp引擎发送邮件。

发件人从以下字符串中选择一个：

management@<接收者的Email地址的域>

administration@<接收者的Email地址的域>

staff@<接收者的Email地址的域>

antivirus@<接收者的Email地址的域>

antispam@<接收者的Email地址的域>

noreply@<接收者的Email地址的域>

support@<接收者的Email地址的域>

邮件主题从以下段落中选择一个：

Accountnotify

E-mailaccountdisablingwarning.

E-mailaccountsecuritywarning.

E-mailtechnicalsupportmessage.

E-mailtechnicalsupportwarning.

E-mailwarning

Emailaccountutilizationwarning.

Emailreport

Encrypteddocument

FaxMessageReceived

Forumnotify

Hiddenmessage

Importantnotify

Importantnotifyaboutyoure-mailaccount.

Incomingmessage

Notifyaboutusingthee-mailaccount.

Notifyaboutyoure-mailaccountutilization.

Notifyfrome-mailtechnicalsupport.

Protectedmessage

RE:Protectedmessage

RE:Textmessage

Re:Document

Re:Hello

Re:Hi

Re:IncomingFax

Re:IncomingMessage

Re:Msgreply

Re:Thankyou!

Re:Thanks:)

Re:Yahoo!

Requestresponse

Sitechanges

邮件内容从以下段落中选择一个：

Dearuserof,

Dearuserof""mailingserver,

Dearuserof""mailingdomain,

Dearuserofgatewaye-mailservergateway,

Dearuserofe-mailserver"",

Hellouserofe-mailserver,

Dearuserof""mailingsystem,

Dearuser,themanagementofmailingsystemwantstoletyouknowthat,

下文为以下段落中选择一个：

Youre-mailaccounthasbeentemporarydisabledbecauseofunauthorizedaccess.

Ourmainmailingserverwillbetemporaryunavaiblefornexttwodays,

tocontinuereceivingmailinthesedaysyouhavetoconfigureourfree

auto-forwardingservice.

Youre-mailaccountwillbedisabledbecauseofimproperusinginnext

threedays,ifyouarestillwishingtouseit,please,resignyour

accountinformation.

Wewarnyouaboutsomeattacksonyoure-mailaccount.Yourcomputermay

containviruses,inordertokeepyourcomputerande-mailaccountsafe,

please,followtheinstructions.

Ourantivirussoftwarehasdetectedalargeammountofvirusesoutgoing

fromyouremailaccount,youmayuseourfreeanti-virustooltocleanup

yourcomputersoftware.

Someofourclientscomplainedaboutthespam(negativee-mailcontent)

outgoingfromyoure-mailaccount.Probably,youhavebeeninfectedby

aproxy-relaytrojanserver.Inordertokeepyourcomputersafe,

followtheinstructions.

下文为以下段落中选择一个：

Formoreinformationseetheattachedfile.

Furtherdetailscanbeobtainedfromattachedfile.

Advanceddetailscanbefoundinattachedfile.

Fordetailsseetheattach.

Fordetailsseetheattachedfile.

Forfurtherdetailsseetheattach.

Please,readtheattachforfurtherdetails.

Payattentiononattachedfile.Readtheattach.

Yourfileisattached.

Moreinfoinattach

Seeattach.

Followthewabbit.

Findthewhiterabbit.

Please,havealookattheattachedfile.

Seetheattachedfilefordetails.

Messageisinattach

Hereisthefile.

下文为：

Theteam

http://www.

下文为以下字符串中的一个：

TheManagement,

Sincerely,

Bestwishes,

Haveagoodday,

Cheers,

Kindregards,

邮件附件名从以下字符串中选择一个:

Attach

Details

Document

Encrypted

Gift

Info

Information

Message

MoreInfo

Readme

Text

TextDocument

details

first_part

pub_document

text_document

假如附件为.zip或.rar文件，则还将从以下字符串中选择一个填入下文：

Forsecurityreasonsattachedfileispasswordprotected.Thepasswordis<含有密码的图片>

Forsecuritypurposestheattachedfileispasswordprotected.Password--<含有密码的图片>

Note:Usepassword<含有密码的图片>toopenarchive.

Attachedfileisprotectedwiththepasswordforsecurityreasons.Passwordis<含有密码的图片>

Inordertoreadtheattachyouhavetousethefollowingpassword:<含有密码的图片>

Archivepassword:<含有密码的图片>

Password-<含有密码的图片>

Password:<含有密码的图片>

D、该蠕虫将不会往含以下字段的邮件地址发送邮件：

@avp.

@foo

@hotmail.com

@iana

@messagelab

@microsoft

@msn

abuse

admin

anyone@

bsd

bugs@

cafee

certific

contract@

f-secur

feste

free-av

gold-certs@

google

help@

icrosoft

info@

kasp

linux

listserv

local

nobody@

noone@

noreply

ntivi

panda

pgp

postmaster@

rating@

root@

samples

sopho

spam

support

unix

winrar

winzip

E、该病毒将使用以下图标:(图beagle.m.bmp)

以迷惑用户将他误认为文件夹而点击感染.

F、该病毒为了可以在文件共享网络传播，如：KaZaA和iMesh,它查找含有字符串"shar"的共享文件夹将其自己拷贝进去，文件名在以下字符串中选择一个：

ACDSee9.exe

AdobePhotoshop9full.exe

AheadNero7.exe

Matrix3RevolutionEnglishSubtitles.exe

MicrosoftOffice2003Crack,Working!.exe

MicrosoftOfficeXPworkingCrack,Keygen.exe

MicrosoftWindowsXP,WinXPCrack,workingKeygen.exe

Opera8New!.exe

PornoScreensaver.scr

Pornopicsarhive,xxx.exe

Porno,sex,oral,analcool,awesome!!.exe

Serials.txt.exe

WinAmp5ProKeygenCrackUpdate.exe

WinAmp6New!.exe

WindownLonghornBetaLeak.exe

WindowsSourcecodeupdate.doc.exe

XXXhardcoreimages.exe

非凡说明:

• ·Win32.Troj.Vanquish
• ·Win32.Troj.PSW_QiJi.40
• ·Worm.Beagle.c
• ·Worm.Beagle.d
• ·Worm.Beagle.e
• ·Worm.Beagle.N
• ·Worm.Beagle.i
• ·Worm.Beagle.K
• ·Win32.Troj.WinShow.g
• ·Worm.Silly.a