Worm.Beagle.as

病毒名称(中文):

恶鹰变种as

病毒别名:

I-Worm.Bagle.as[AVP],W32/Bagle.az@MM[McAfee],WO

威胁级别:

★★☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

19083

影响系统:

Win9xWinNT

病毒行为:

该病毒为恶鹰家族的新变种。它会把自身复制到用户机器上包含"shar"字符串的文件夹内，文件名跟一些正常文件的文件名非常相似，以此来诱惑用户打开运行病毒程序。该病毒会向外发送大量的带毒邮件，严重的堵塞用户网络。建议用户开启防火墙来防止该病毒的侵入。

1.创建以下几个互斥量来防止NetSky病毒运行：

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

"D"r"o"p"p"e"d"S"k"y"N"e"t"

_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

[SkyNet.cz]SystemsMutex

AdmSkynetJklS003

____--->>>>U<<<<--____

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

2.在被感染的机器上创建以下文件：

%System%\bawindo.exe.

%System%\bawindo.exeopen

%System%\bawindo.exeopenopen

%System%\re_file.exe

3.在注册表HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run中

增加"bawindo"="%System%\bawindo.exe"来确保自身能随计算机启动

4.从HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

删除包含以下字符串的键值：

MyAV

ZoneLabsClientEx

9XHtProtect

Antivirus

SpecialFirewallService

service

TinyAV

ICQNet

HtProtect

NetDy

Jammer2nd

FirewallSvr

MsInfo

SysMonXP

EasyAV

PandaAVEngine

NortonAntivirusAV

KasperskyAVEng

SkynetsRevenge

ICQNet

5.在包含"shar"字符串的目录下创建文件，文件名可能为下列字符：

MicrosoftOffice2003Crack,Working!.exe

MicrosoftWindowsXP,WinXPCrack,workingKeygen.exe

MicrosoftOfficeXPworkingCrack,Keygen.exe

Porno,sex,oral,analcool,awesome!!.exe

PornoScreensaver.scr

Serials.txt.exe

KAV5.0

KasperskyAntivirus5.0

Pornopicsarhive,xxx.exe

WindowsSourcecodeupdate.doc.exe

AheadNero7.exe

WindownLonghornBetaLeak.exe

Opera8New!.exe

XXXhardcoreimages.exe

WinAmp6New!.exe

WinAmp5ProKeygenCrackUpdate.exe

AdobePhotoshop9full.exe

Matrix3RevolutionEnglishSubtitles.exe

ACDSee9.exe

6.搜索以下列字符串为扩展名的文件来获得Email地址，并用自带的SMTP引擎发送带毒邮件

adb

.asp

.cfg

.cgi

.dbx

.dhtm

.eml

.htm

.jsp

.mbx

.mdx

.mht

.mmf

.msg

.nch

.ods

.oft

.php

.pl

.sht

.shtm

.stm

.tbb

.txt

.uin

.wab

.wsh

.xls

.xml

7.病毒发送的带毒邮件具有如下特征：

发件人：伪造的

主题：

Re:

Re:Hello

Re:Thankyou!

Re:Thanks:)

Re:Hi

正文：

:)

:))

附件：

文件名可能为：

Price

price

Joke

扩展名可能为：

.com/.scr/.cpl

8.该病毒不会向包含以下字符串的邮件地址发送邮件

@avp.

@foo

@hotmail

@iana

@messagelab

@microsoft

@msn

abuse

admin

anyone@

bsd

bugs@

cafee

certific

contract@

f-secur

feste

free-av

gold-certs@

google

help@

icrosoft

info@

kasp

linux

listserv

local

news

nobody@

noone@

noreply

ntivi

panda

pgp

postmaster@

rating@

root@

samples

sopho

spam

support

unix

update

winrar

winzip

9.打开被病毒感染的主机的Tcp81和Udp81端口用来转发邮件

10.尝试从下列网站下载文件

www.24-7-transportation.com

www.DarrkSydebaby.com

www.FritoPie.NET

www.adhdtests.com

www.aegee.org

www.aimcenter.net

www.alupass.lu

www.amanit.ru

www.andara.com

www.angelartsanctuary.com

www.anthonyflanagan.com

www.approved1stmortgage.com

www.argontech.net

www.asianfestival.nl

www.atlantisteste.hpg.com.br

www.aviation-center.de

www.bbsh.org

www.bga-gsm.ru

www.boneheadmusic.com

www.bottombouncer.com

www.bradster.com

www.buddyboymusic.com

www.bueroservice-it.de

www.calderwoodinn.com

www.capri-frames.de

www.celula.com.mx

www.ceskyhosting.cz

www.chinasenfa.com

www.cntv.info

www.compsolutionstore.com

www.coolfreepages.com

www.corpsite.com

www.couponcapital.net

www.cpc.adv.br

www.crystalrose.ca

www.crystalrose.ca

www.cscliberec.cz

www.curtmarsh.com

www.customloyal.com

www.deadrobot.com

www.dontbeaweekendparent.com

www.dragcar.com

www.ecofotos.com.br

www.elenalazar.com

www.ellarouge.com.au

www.esperanzaparalafamilia.com

www.eurostavba.sk

www.everett.wednet.edu

www.fcpages.com

www.featech.com

www.fepese.ufsc.br

www.firstnightoceancounty.org

www.flashcorp.com

www.fleigutaetscher.ch

www.fludir.is

www.freeservers.com

www.gamp.pl

www.gci-bln.de

www.gcnet.ru

www.generationnow.net

www.gfn.org

www.giantrevenue.com

www.glass.la

www.handsforhealth.com

www.hartacorporation.com

www.himpsi.org

www.idb-group.net

www.immonaut.sk

www.ims-i.com

www.innnewport.com

www.irakli.org

www.irinaswelt.de

www.jansenboiler.com

www.jasnet.pl

www.jhaforpresident.7p.com

www.jimvann.com

www.jldr.ca

www.justrepublicans.com

www.kencorbett.com

www.knicks.nl

www.kps4parents.com

www.kradtraining.de

www.kranenberg.de

www.lasermach.com

www.leonhendrix.com

www.magicbottle.com.tw

www.mass-i.kiev.ua

www.mepbisu.de

www.mepmh.de

www.metal.pl

www.mexis.com

www.mongolische-renner.de

www.mtfdesign.com

www.oboe-online.com

www.ohiolimo.com

www.onepositiveplace.org

www.oohlala-kirkland.com

www.orari.net

www.pankration.com

www.pe-sh.com

www.pfadfinder-leobersdorf.com

www.pipni.cz

www.polizeimotorrad.de

www.programmierung2000.de

www.pyrlandia-boogie.pl

www.raecoinc.com

www.realgps.com

www.redlightpictures.com

www.reliance-yachts.com

www.relocationflorida.com

www.rentalstation.com

www.rieraquadros.com.br

www.scanex-medical.fi

www.sea.bz.it

www.selu.edu

www.sigi.lu

www.sljinc.com

www.smacgreetings.com

www.soloconsulting.com

www.spadochron.pl

www.srg-neuburg.de

www.ssmifc.ca

www.sugardas.lt

www.sunassetholdings.com

www.szantomierz.art.pl

www.the-fabulous-lions.de

www.tivogoddess.com

www.tkd2xcell.com

www.topko.sk

www.transportation.gov.bh

www.travelchronic.de

www.traverse.com

www.uhcc.com

www.ulpiano.org

www.uslungiarue.it

www.vandermost.de

www.vbw.info

www.velezcourtesymanagement.com

www.velocityprint.com

www.vikingpc.pl

www.vinirforge.com

www.wecompete.com

www.worest.com.ar

www.woundedshepherds.com

www.wwwebad.com

www.wwwebmaster.com

• ·Win32.Troj.Axela.w
• ·Win32.Troj.Delf.ec
• ·Win32.Troj.Pasorot.k
• ·Win32.Troj.Wollf
• ·Win32.Hack.Coldfuson10
• ·Win32.Hack.Surila.k
• ·VBS.Alcaul
• ·JS.IceFox.a
• ·VBS.Copybat.m
• ·VBS.Mill.e