Virus name (Chinese): 恶鹰变种as (Bagle variant as)
Aliases: I-Worm.Bagle.as [AVP], W32/Bagle.az@MM [McAfee], WO
Threat level: ★★☆☆☆
Virus type: worm
Virus length: 19083
Affected systems: Win9x, WinNT
Virus behavior:
This virus is a new variant of the Bagle family. It copies itself into folders on the user's machine whose names contain the string "shar", using file names that closely resemble those of legitimate files in order to lure the user into running the virus program. It sends out large volumes of infected e-mail, which can severely congest the user's network. Users are advised to enable a firewall to block intrusion by this virus.
1. Creates the following mutexes to prevent the NetSky worm from running:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
"D"r"o"p"p"e"d"S"k"y"N"e"t"
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
2. Creates the following files on the infected machine:
%System%\bawindo.exe
%System%\bawindo.exeopen
%System%\bawindo.exeopenopen
%System%\re_file.exe
3. Adds "bawindo" = "%System%\bawindo.exe" under the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is launched every time the computer starts.
4. Deletes any value whose name contains one of the following strings from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
MyAV
ZoneLabsClientEx
9XHtProtect
Antivirus
SpecialFirewallService
service
TinyAV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
NortonAntivirusAV
KasperskyAVEng
SkynetsRevenge
5. Creates files in directories whose names contain the string "shar"; the file name may be any of the following:
MicrosoftOffice2003Crack,Working!.exe
MicrosoftWindowsXP,WinXPCrack,workingKeygen.exe
MicrosoftOfficeXPworkingCrack,Keygen.exe
Porno,sex,oral,analcool,awesome!!.exe
PornoScreensaver.scr
Serials.txt.exe
KAV5.0
KasperskyAntivirus5.0
Pornopicsarhive,xxx.exe
WindowsSourcecodeupdate.doc.exe
AheadNero7.exe
WindownLonghornBetaLeak.exe
Opera8New!.exe
XXXhardcoreimages.exe
WinAmp6New!.exe
WinAmp5ProKeygenCrackUpdate.exe
AdobePhotoshop9full.exe
Matrix3RevolutionEnglishSubtitles.exe
ACDSee9.exe
6. Searches files with the following extensions for e-mail addresses and uses its own SMTP engine to send infected mail to them:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
7. The infected messages sent by the virus have the following characteristics:
Sender: forged
Subject (one of):
Re:
Re:Hello
Re:Thankyou!
Re:Thanks:)
Re:Hi
Body (one of):
:)
:))
Attachment:
File name (one of):
Price
price
Joke
Extension (one of):
.com / .scr / .cpl
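As an added, defender-side example that is not part of the original advisory, the following Python function parses a message and checks it against the subject, body and attachment traits listed in item 7; the sample message is constructed here and is not a real capture.

```python
import email
from email import policy

# Traits from item 7 of the advisory: subjects, body text, attachment names/extensions.
BAGLE_SUBJECTS = {"Re:", "Re:Hello", "Re:Thankyou!", "Re:Thanks:)", "Re:Hi"}
BAGLE_BODIES = {":)", ":))"}
BAGLE_ATTACH_NAMES = {"price", "joke"}      # compared case-insensitively
BAGLE_ATTACH_EXTS = {".com", ".scr", ".cpl"}


def bagle_indicators(raw_message: bytes) -> dict[str, list[str]]:
    """Parse one RFC 5322 message and report which item-7 traits it matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: dict[str, list[str]] = {"subject": [], "body": [], "attachment": []}
    # The advisory lists subjects without spaces, so compare with whitespace removed.
    subject = "".join(str(msg["subject"] or "").split())
    if subject in BAGLE_SUBJECTS:
        hits["subject"].append(subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in BAGLE_BODIES:
        hits["body"].append(text)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in BAGLE_ATTACH_NAMES and "." + ext in BAGLE_ATTACH_EXTS:
            hits["attachment"].append(name)
    return hits


def is_bagle_like(raw_message: bytes) -> bool:
    """A bare 'Re:' is common; require the attachment trait plus subject or body."""
    hits = bagle_indicators(raw_message)
    return bool(hits["attachment"]) and bool(hits["subject"] or hits["body"])


# Constructed sample message (not a real capture) following the advisory's description.
SAMPLE = b"""From: forged@example.invalid
Subject: Re: Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

:)
--b1
Content-Type: application/octet-stream; name="price.scr"
Content-Disposition: attachment; filename="price.scr"

MZ
--b1--
"""
```

At a mail gateway, `is_bagle_like` would be one signal among others; a message matching only the subject trait should not be blocked on that basis.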
8. The virus does not send mail to addresses containing any of the following strings:
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
9. Opens TCP port 81 and UDP port 81 on the infected host for relaying mail.
10. Attempts to download files from the following websites (more than 140 hosts are listed):