Virus name (Chinese):
袋子
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
155154
Affected systems:
Win9x, WinNT
Virus behavior:
This virus spreads by e-mail. It sends messages through its own mail-sending module; the subject, body and attachment name all vary, and the attachment is a file with the extension exe or zip.
The virus also modifies the local hosts file so that the user can no longer reach a number of sites, including the web sites of the major antivirus vendors and Microsoft's technical support site, and therefore cannot update security software.
a. When the virus starts it creates the following files:
%system%\rpc32.exe
%system%\run32.exe
%system%\sysboot.doc.exe
b. It adds a service to the system:
Service name: RPC32
Display name: NetworkExplorer
Description: Starts and configures accessibility tools from one window
Executable path: %system%\rpc32.exe
c. It adds entries to the user's hosts file that map the sites of security vendors and Microsoft to 127.0.0.1, so that those sites become unreachable and some security software can no longer update.
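A defensive check for the hosts-file hijack described in step c, added here as an example and not code from the original page: it parses hosts-file text and reports vendor or update hostnames that have been pinned to a loopback or unspecified address. The keyword list and the sample hosts file are constructed for the example; it generalizes past this worm's exact domain list by keying on vendor names rather than on the full list.

```python
import ipaddress

# Constructed sample hosts file (not captured from a real infected machine):
# two legitimate loopback entries, one intranet entry and three vendor/update
# hostnames pinned to 127.0.0.1 in the way the worm described above does it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.ru
::1 localhost
192.168.1.10 intranet.example.test
"""

# Assumption: a hostname containing one of these vendor/update keywords has no
# legitimate reason to be pinned to a loopback or unspecified address.
PROTECTED_KEYWORDS = ("microsoft", "symantec", "mcafee", "nai.com", "sophos",
                      "f-secure", "kaspersky", "avp.", "trendmicro", "ca.com",
                      "viruslist", "my-etrust")

def parse_hosts(text):
    """Return (ip, hostname, lineno) for every mapping in hosts-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address, skip the line
        for name in parts[1:]:                 # one address may map many names
            entries.append((ip, name.lower(), lineno))
    return entries

def find_hijacked(text):
    """Return (lineno, hostname, ip) for protected names sent to 127.x, ::1 or 0.0.0.0."""
    hits = []
    for ip, name, lineno in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue                           # the normal, harmless entries
        if not (ip.is_loopback or ip.is_unspecified):
            continue                           # real addresses are not hijacks
        if any(key in name for key in PROTECTED_KEYWORDS):
            hits.append((lineno, name, str(ip)))
    return hits
```

On a live Windows machine the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit is worth correlating with the service and dropped files listed in steps a and b.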
d. It harvests e-mail addresses from files with the following extensions: TBB, tbb, TBI, tbi, DBX, dbx, HTM, htm, TXT, txt, and sends mail to the harvested addresses.
When sending, it skips addresses that contain any of the following strings:
winzip
winrar
webmaster@
update
unix
support@
support
spam
sopho
samples
root@
rating@
postmaster@
pgp
panda
ntivi
noreply
noone@
nobody@
news
netadmin@
local
listserv
linux
kasp
info@
icrosoft
hostmaster@
help@
gold-certs@
gold-
free-av
feste
f-secur
contract@
contact@
certs@
certific
cafee
bugs@
bsd
anyone@
all@
administrator@
admin
abuse
@microsoft
@messagelab
@iana
@foo
@avp
e. It mails the addresses collected in the previous step.
The subject may be one of the following:
Att
Allert!
re:order
re:please
re:Andrey
Vasia
text
Warning
Administrator
best regards
waiting
attach
attachments
Amirecans
Russian's
Hello
Have a nice day
office
Money
contract
toxic
urgent
Read this
please responce
ASAP
The message body may be one of the following:
Hi
Did you get the previous document I attached for you?
I resent it in this email just in case, because I
really need you to check it out asap.
Best Regards

Hi
I made a mistake and forgot to click attach
on the previous email I sent you. Please give me
your opinion on this opportunity when you get a chance.
Best Regards

Hi
I was supposed to send you this document yesterday.
Sorry for the delay, please forward this to your family if possible.
It contains important info for both of you.

Hi
Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please check out attached doc file when you have a moment.
Best Regards

Hi
I was in a rush and I forgot to attach an important
document. Please see attached doc file.
Best Regards,

Sorry to bother you, but I am having a problem receiving your emails.
I am responding to your last email in the attached file.
Please get back to me if there is any problem reading the attachment.

I am responding to your last email in the attached file.
I had a delivery problem with your inbox, so maybe you'll receive this
now.

Can you please check out the email I have attached?
For some reason, I received only part of your last several emails.
I want to make sure that there are no problems with either of our
accounts.

This email is being sent as attachment because
it was previously blocked by your email filters.
Please view the attachment and respond.
Thanks

I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks

I apologize, but I need you to verify
that I have the correct contact info for you.
My system crashed last weekend and
I lost most of my friends and work contacts.
Please check the attached (.pdf) and
please let me know if your info is current.

My last email to you was returned.
The reason is that I am not currently
added to your allowed contact list.
Please add my updated contact info
provided in the attached (.pdf) file
so I can send you emails in the future.
Sincerely

I have updated my email address
See the (.pdf) file attached and
please respond if you have any questions.

We have made recent updates to our database.
Please verify your mailing address on file is correct.
We have attached a (.pdf) sheet for you to use for your response.

Hello
Our contact information has changed.
See the attached (.pdf) sheet for details.
Sincerely,

*** URGENT: SERVICE SHUTDOWN NOTICE ***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your
account.
Regards,
Net Operator
*** URGENT: SERVICE SHUTDOWN NOTICE ***

*** ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED! ***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
*** ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED! ***

*** YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM ***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
*** YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM ***

Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User

Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User

Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User

Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User

Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User

Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks, User

Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User
The attachment name may be one of the following (these files are created in the %System% directory when the mail is sent):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
backup.doc.exe
admin.doc.exe
archivator.doc.exe
about.doc.exe
readme.doc.exe
help.doc.exe
photos.doc.exe
payment.doc.exe
archives.doc.exe
manual.doc.exe
inbox.doc.exe
outbox.doc.exe
save.doc.exe
rar.doc.exe
zip.doc.exe
ataches.doc.exe
documentation.doc.exe
docs.doc.exe
sysboot.doc.exe