Worm.Bagz.b

病毒名称(中文):

袋子变种B

病毒别名:

I-Worm.Bagz.b[AVP],I-Worm/Bagz.b[KV]

威胁级别:

★★☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

36861

影响系统:

Win9xWinNT

病毒行为:

这是一个通过电子邮件传播的蠕虫病毒。该病毒会关闭Windows防火墙，从网络上下载文件并执行，从.txt、.htm、.dbx、.tbi、.tbb文件中收集邮件地址保存在一个临时文件中，再将病毒做为邮件附件发送到这些邮件接收者。该病毒发送的邮件带有较大的欺骗性，用户可能会受骗去打开里面的附件，从而导致系统感染该蠕虫病毒。

1)将病毒的副本拷贝到%System%\tutorial.doc<空格>.exe

2)建立文件%System%\dl.exe和%System%\syslogin.exe

3)在注册表中添加启动项：

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"syslogin.exe"="syslogin.exe"

4)禁止Windows防火墙

5)从网络上下载文件并执行

6)将收集到的邮件地址、本地机器IP地址和邮件网关存放到下列3个临时文件中：

%System%\jobdb.dll

%System%\ipdb.dll

%System%\wdate.dll

7)从以下扩展名的文件中收集邮件地址：

.txt

.htm

.dbx

.tbi

.tbb

8)邮件：

From:[伪造的发信人]

Subject:[邮件主题]

Message:[正文]

Attachment:[附件名]

邮件主题列表：

Re:UserIDUpdate

Fwd:YourFundsareEligibleforWithdrawal

findasolutionwiththiscustomer

NoSubject

Re:HelpDeskRegistration

failurenotice

Fwd:Password

whenshouldicallyou?

RE:Re:Aquestion

KnowledgeBaseArticle

OpenInvoices

Returnedmail:seetranscriptfordetails

buildingmaintenance

[Fwd:Brokenlink]

WinXP

troublesarebackagain

Questions

OrderApproval

unitsavailable

progressnews

bigannouncements

Needhelppls

YouhaverecievedaneCard!

Whatisthis????

DeactivationNotice

Messagerecieved,pleaseconfirm

Myfunnystories

CostInquiry

Re:payment

referrences

WebmailInvite

RE:quoterequest

正文列表：

Hello,

Sorry,Iforgottoattachthenewcontactinformation.

Pleaseviewtheattached(.pdf)contactsheet.

Sincerely,

User

Hello,

Iresentthisemailasattachmentbecause

itwaspreviouslyblockedbyyouremailfilters.

Pleasereadtheattachmentandrespond.

Thanks,

User

Hello,

IwasinahurryandIforgottoattachanimportant

document.Pleaseseeattached.

BestRegards,

User

Hello,

Youremailwasreceived.

YOURREPLYISURGENT!

Pleaseviewtheattachedtextfileforinstructions.

Regards,

User

Hello,

YouremailwassentinanINVALIDformat.

Toverifythisemailwassentfromyou,

simplyopentheattachedemail(.eml)file

andclickyesinthesenderoptionsbox.

ThankYou,

User

Hello,

MyPCcrashedwhileIwassendingthatlastemail.

Ihavere-attachedthedocumentofyoursthatIdiscovered.

PleasereadattacheddocumentandrespondASAP.

Sincerely,

User

Hello,

Whatversionofwindowsyouareusing?

ThislastdocumentIreceivedfromyoucameoutweird.

Pleaseseetheattachedwordfileandresendthefiletome.

Manythanks,

User

***YOURMESSAGEHASBEENRECOGNIZEDASSPAM***

Hello,

Thepreviousemailyousenthasbeenrecognizedasspam.

Thismeansyouremailwasnotdeliveredtoyourfriendorclient.

Youmustopentheattachedfiletoreceivemoreinformation.

***YOURMESSAGEHASBEENRECOGNIZEDASSPAM***

***ATTENTION:YOUREMAILISNOTBEINGDELIVERED!***

Youarecurrentlyunabletosendemails.

Thismaybeabillingissue.

Pleasecallthebillingcenter.

The#forthebillingofficeislocatedintheattached

contactlistforyourconvenience.

***ATTENTION:YOUREMAILISNOTBEINGDELIVERED!***

***URGENT:SERVICESHUTDOWNNOTICE***

Duetoyourfailuretocomplywithouremail

RulesandRegulations,youremailaccounthasbeen

temporarilysuspendedfor24hoursunlesswearecontactedregarding

thissituation.

Youmustreadtheattacheddocumentforfurther

instructions.Failuretocomplywillresultinterminationofyouraccount.

Regards,

NetOperator

***URGENT:SERVICESHUTDOWNNOTICE***

lastrequestbeforerefunding

附件名列表：

Ctutorial.doc<空格>.exe

doc.doc<空格>.exe

documents.doc<空格>.exe

atach.doc<空格>.exe

file.doc<空格>.exe

read.doc<空格>.exe

readme.doc<空格>.exe

contact.doc<空格>.exe

mail.doc<空格>.exe

att.doc<空格>.exe

warning.doc<空格>.exe

db.doc<空格>.exe

msg.doc<空格>.exe

message.doc<空格>.exe

messages.doc<空格>.exe

archive.doc<空格>.exe

arch.doc<空格>.exe

support.doc<空格>.exe

account.doc<空格>.exe

doc.zip

documents.zip

atach.zip

file.zip

read.zip

readme.zip

contact.zip

mail.zip

att.zip

warning.zip

db.zip

msg.zip

message.zip

messages.zip

archive.zip

arch.zip

support.zip

account.zip

• ·Worm.MyPhoto
• ·HTML.Mht
• ·Worm.Gone
• ·VBS.Tireg.b
• ·Win32.Hack.Sars
• ·Worm.Cervivec
• ·Worm.Fishlet
• ·Win32.Joke.Mixeur
• ·Worm.Swen
• ·Win32.Hack.Hackarmy.w