Worm.Beagle.bf

病毒名称(中文):

恶鹰变种BF

病毒别名:

威胁级别:

★★☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

37888

影响系统:

Win9xWinNT

病毒行为:

病毒运行后注入Explorer.exe，阻止用户访问某些网站、阻止用户开启某些服务、移动系统中的文件、更改注册表并从网上下载病毒程序并运行等。

一、病毒运行后

在系统的System32目录下生成winshost.exe和wiwshost.exe

wiwshost.exe注入到Explorer.exe进程中

并在注册表中填加如下一项

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"winshost.exe"-"C:\WINNT\System32\winshost.exe"

二、遍历系统正在运行的进程，并强制关闭下列进程

AVXQUAR.EXE

ESCANHNT.EXE

UPGRADER.EXE

AVXQUAR.EXE

AVWUPD32.EXE

AVPUPD.EXE

CFIAUDIT.EXE

UPDATE.EXE

NUPGRADE.EXE

MCUPDATE.EXE

ATUPDATER.EXE

AUPDATE.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

FIREWALL.EXE

ATUPDATER.EXE

LUALL.EXE

DRWEBUPW.EXE

AUTODOWN.EXE

NUPGRADE.EXE

OUTPOST.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

ESCANH95.EXE

三、从下列地址下载文件并执行该文件：

http://www.XXXgo.com.pt/osa.gif

http://www.XXXvelourway.com/osa.gif

http://www.XXXaserve.net/osa.gif

http://www.XXXd.dobrcz.pl/osa.gif

http://www.XXXd.at/osa.gif

http://www.XXXld.at/osa.gif

http://www.XXXgsley.ch/osa.gif

http://www.XXXd.at/osa.gif

http://www.XXXis-presley.ch/osa.gif

http://www.XXXyhome.com.tw/osa.gif

http://www.XXXr.cl/osa.gif

http://www.XXXolfibras.com/osa.gif

http://www.XXX4.ee/osa.gif

http://www.XXXc.com/osa.gif

http://www.XXXreme.cz/osa.gif

http://www.XXXzn.cz/osa.gif

http://www.XXXzn.cz/osa.gif

http://www.XXXzn.cz/osa.gif

http://www.XXXntong.net/osa.gif

http://www.XXXpie.com/osa.gif

http://www.XXXie.com/osa.gif

http://www.XXXd.com/osa.gif

http://www.XXXnick-spruyt.be/osa.gif

http://www.XXXadownload.com/osa.gif

http://www.XXXterdays.co.za/osa.gif

http://www.XXXterdays.co.za/osa.gif

http://www.XXXkj.com/osa.gif

http://www.XXXkj.com/osa.gif

http://www.XXXazcd.dp.ua/osa.gif

http://www.XXXdents.stir.ac.uk/osa.gif

http://www.XXXesoftware.com/osa.gif

http://www.XXXtek.co.za/osa.gif

http://www.XXXm.com/osa.gif

http://www.XXXli.sk/osa.gif

http://www.XXXbas.az/osa.gif

http://www.XXXersala.edu.sk/osa.gif

http://www.XXXapex.cz/osa.gif

http://www.XXXptonic.ch/osa.gif

http://www.XXXmarina.com/osa.gif

http://www.XXXink.net/osa.gif

http://www.XXXcoteka-funfactory.com/osa.gif

http://www.XXXssain.be/osa.gif

http://www.XXXs.be/osa.gif

http://www.XXXeters.org/osa.gif

http://www.XXXham.de/osa.gif

http://www.XXXf.de/osa.gif

http://www.XXXz.at/osa.gif

http://www.XXXietaet.de/osa.gif

http://www.XXXm-alliance.de/osa.gif

http://www.XXXc-cassinadepecchi.it/osa.gif

http://www.XXXiverse.sk/osa.gif

http://www.XXXgjuok.com/osa.gif

http://www.XXXtrox.com.tw/osa.gif

http://www.XXXowerchair.com/osa.gif

http://www.XXXripharm.com/osa.gif

http://www.XXXll-cpa.com/osa.gif

http://www.XXX-american.com/osa.gif

http://www.XXXruyssenelektro.be/osa.gif

http://www.XXXtrovestecasa.it/osa.gif

http://www.XXX24h.com/osa.gif

http://www.XXXimeloni.com/osa.gif

http://www.XXXvjiet.ac.in/osa.gif

http://www.XXXe2fateh.com/osa.gif

http://www.XXXketvw.com/osa.gif

http://www.XXXmholz.at/osa.gif

http://www.XXXckonemedia.nl/osa.gif

http://www.XXXomax.fi/osa.gif

http://www.XXXpress-bank.pl/osa.gif

http://www.XXXba.asn.au/osa.gif

http://www.XXXwanjia.com/osa.gif

http://www.XXXwanqing.com/osa.gif

http://www.XXXp.co.za/osa.gif

http://www.XXXomobilonline.de/osa.gif

http://www.XXXgyan.cn/osa.gif

http://www.XXXbuild.com/osa.gif

http://www.XXXle.com.cn/osa.gif

http://www.XXXleclub.com.cn/osa.gif

http://www.XXXleclub.com.cn/osa.gif

http://www.XXXjinyuan.com/osa.gif

http://www.XXXigngong.org/osa.gif

http://www.XXXmegaroy.com/osa.gif

http://www.XXXchcorp.com/osa.gif

http://www.XXXphoto.com/osa.gif

http://www.XXXco.org/osa.gif

http://www.XXXtmajor.ru/osa.gif

http://www.XXXt3.org/osa.gif

http://www.XXXsolutions.com/osa.gif

http://www.XXXcium.biz/osa.gif

http://www.XXXedcom.home.pl/osa.gif

http://www.XXXrit-in-steel.at/osa.gif

http://www.XXXj.az/osa.gif

http://www.XXXt-paulus-bonn.dehtdocs/osa.gif

http://www.XXXtbs.com.hk/osa.gif

http://www.XXXohio.com/osa.gif

http://www.XXXa.com.pe/osa.gif

http://www.XXXsplanet.com/osa.gif

http://www.XXXgodbio.com/osa.gif

http://www.XXXerbetcs.com/osa.gif

http://www.XXXj.vn/osa.gif

http://www.XXXolo.com/osa.gif

http://www.XXXdiheng.com/osa.gif

http://www.XXXria.hu/osa.gif

http://www.XXXternet.hu/osa.gif

http://www.XXXndenservice.be/osa.gif

http://www.XXXhc.hu/osa.gif

http://www.XXXcampus.net/osa.gif

http://www.XXXtentproject.com/osa.gif

http://www.XXXtivalteatrooccidente.com/osa.gif

http://www.XXXhni.com.cn/osa.gif

http://www.XXXtivalteatrooccidente.com/osa.gif

http://www.XXXifast.com/osa.gif

http://www.XXXiventure.com/osa.gif

http://www.XXXi.com.vn/osa.gif

http://www.XXXplayu.com/osa.gif

http://www.XXX-mutan.com/osa.gif

http://www.XXXetexasoutfitter.com/osa.gif

http://www.XXXhcsd1987.friko.pl/osa.gif

http://www.XXXenextstep.tv/osa.gif

http://www.XXXhenextstep.tv/osa.gif

http://www.XXXsartproductions.com/osa.gif

http://www.XXXlsonscountry.com/osa.gif

http://www.XXXindstar.pl/osa.gif

http://www.XXXe-industries.com/osa.gif

http://www.XXXtold.pl/osa.gif

http://www.XXXtold.pl/osa.gif

http://www.XXXhg.net/osa.gif

http://www.XXXovanet.sk/osa.gif

http://www.XXXwombband.com/osa.gif

http://www.XXXtanet.huwww.datanet.hu/osa.gif

http://www.XXXg.hu/osa.gif

http://www.XXXy.com.cn/osa.gif

http://www.XXX-security.de/osa.gif

http://www.XXXe-fliesen.de/osa.gif

http://www.XXXm-invest.com.pl/osa.gif

http://www.XXXlhardtgmbh.de/osa.gif

http://www.XXXhrschule-herb.de/osa.gif

http://www.XXXhrschule-lesser.de/osa.gif

http://www.XXXimex-messzeuge.de/osa.gif

http://www.XXXnside-tgweb.de/osa.gif

http://www.XXXue-bo.com/osa.gif

http://www.XXXniko.de/osa.gif

http://www.XXXikogmbh.com/osa.gif

http://www.XXXenegaderc.com/osa.gif

http://www.XXXchsenbuecher.de/osa.gif

http://www.XXXcvanravenswaaij.nl/osa.gif

http://www.XXXpoden.de/osa.gif

http://www.XXXportnf.com/osa.gif

http://www.XXXweb.cz/osa.gif

http://www.XXXg-sandhausen-basketball.de/osa.gif

http://www.XXXefunkiest.com/osa.gif

http://www.XXXthefunkiest.com/osa.gif

http://www.XXXeoushinn.com/osa.gif

http://www.XXXesley.ch/osa.gif

四、删除下面的文件

mysuperprog.exe

五、更改下面文件的名称

CCSETMGR.EXE改名为C1CSETMGR.EXE

CCEVTMGR.EXE改名为CC1EVTMGR.EXE

NAVAPSVC.EXE改名为NAV1APSVC.EXE

NPFMNTOR.EXE改名为NPFM1NTOR.EXE

symlcsvc.exe改名为s1ymlcsvc.exe

SPBBCSvc.exe改名为SP1BBCSvc.exe

SNDSrvc.exe改名为SND1Srvc.exe

ccApp.exe改名为ccA1pp.exe

ccl30.dll改名为cc1l30.dll

ccvrtrst.dll改名为ccv1rtrst.dll

LUALL.EXE改名为LUAL1L.EXE

AUPDATE.EXE改名为AUPD1ATE.EXE

Luupdate.exe改名为Luup1date.exe

LUINSDLL.DLL改名为LUI1NSDLL.DLL

RuLaunch.exe改名为RuLa1unch.exe

CMGrdian.exe改名为CM1Grdian.exe

Mcshield.exe改名为Mcsh1ield.exe

outpost.exe改名为outp1ost.exe

Avconsol.exe改名为Avc1onsol.exe

Vshwin32.exe改名为Vshw1in32.exe

VsStat.exe改名为Vs1Stat.exe

Avsynmgr.exe改名为Av1synmgr.exe

kavmm.exe改名为kav12mm.exe

Up2Date.exe改名为Up222Date.exe

KAV.exe改名为K2A2V.exe

avgcc.exe改名为avgc3c.exe

avgemc.exe改名为avg23emc.exe

zonealarm.exe改名为zo3nealarm.exe

zatutor.exe改名为zatu6tor.exe

zlavscan.dll改名为zl5avscan.dll

zlclient.exe改名为zlcli6ent.exe

isafe.exe改名为is5a6fe.exe

cafix.exe改名为c6a5fix.exe

vsvault.dll改名为vs6va5ult.dll

av.dll改名为a5v.dll

vetredir.dll改名为ve6tre5dir.dll

六、删除下列注册表值、项：

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SymantecNetDriverMonitor"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NAVCfgWiz"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSC_UserPrompt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeGuardian"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfee.InstantUpdate.Monitor"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"APVXDWIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KAV50"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avg7_cc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avg7_emc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneLabsClient"

[HKLM\SOFTWARE\Symantec]

[HKLM\SOFTWARE\McAfee]

[HKLM\SOFTWARE\KasperskyLab]

[HKLM\SOFTWARE\Agnitum]

[HKLM\SOFTWARE\PandaSoftware]

[HKLM\SOFTWARE\ZoneLabs]

七、阻止下列服务：

wuauserv

PAVSRV

PAVFNSVR

PSIMSVC

Pavkre

PavProt

PREVSRV

PavPrSrv

SharedAccess

navapsvc

NPFMntor

OutpostFirewall

SAVScan

SBService

SymantecCoreLC

ccEvtMgr

SNDSrvc

ccPwdSvc

ccSetMgr.exe

SPBBCSvc

KLBLMain

avg7alrt

avg7updsvc

vsmon

CAISafe

avpcc

fsbwsys

backwebclient-4476822

backwebclient-4476822

fsdfwd

F-SecureGatekeeperHandlerStarter

FSMA

KAVMonitorService

navapsvc

NProtectService

NortonAntivirusServer

VexiraAntivirus

dvpinit

dvpapi

schscnt

BackWebClient-7681197

F-SecureGatekeeperHandlerStarter

FSMA

AVPCC

KAVMonitorService

NormanNJeeves

NVCScheduler

nvcoas

NormanZANDA

PASSRV

SweepNet

SWEEPSRV.SYS

NOD32ControlCenter

NOD32Service

PCCPFW

Tmntsrv

AvxIni

XCOMM

ravmon8

SmcService

BlackICE

PersFW

McAfeeFirewall

OutpostFirewall

NWService

alerter

sharedaccess

NISUM

NISSERV

vsmon

nwclnth

nwclntg

nwclnte

nwclntf

nwclntd

nwclntc

wuauserv

navapsvc

SymantecCoreLC

SAVScan

kavsvc

DefWatch

SymantecAntiVirusClient

NSCTOP

SymantecCoreLC

SAVScan

SAVFMSE

ccEvtMgr

navapsvc

ccSetMgr

VisNeticAntiVirusPlug-in

McShield

AlertManger

McAfeeFramework

AVExch32Service

AVUPDService

McTaskManager

NetworkAssociatesLogService

OutbreakManager

MCVSRte

mcupdmgr.exe

AvgServ

AvgCore

AvgFsh

awhost32

AhnlabtaskScheduler

MonSvcNT

V3MonNT

V3MonSvc

FSDFWD

八、阻止访问以下网站地址：

updates1.kaspersky-labs.com

ad.doubleclick.net

ad.fastclick.net

ads.fastclick.net

ar.atwola.com

atdmt.com

avp.ch

avp.com

avp.ru

awaps.net

banner.fastclick.net

banners.fastclick.net

ca.com

click.atdmt.com

clicks.atdmt.com

dispatch.mcafee.com

download.mcafee.com

download.microsoft.com

downloads.microsoft.com

engine.awaps.net

fastclick.net

f-secure.com

ftp.f-secure.com

ftp.sophos.com

go.microsoft.com

liveupdate.symantec.com

mast.mcafee.com

mcafee.com

media.fastclick.net

msdn.microsoft.com

my-etrust.com

nai.com

networkassociates.com

office.microsoft.com

phx.corporate-ir.net

secure.nai.com

securityresponse.symantec.com

service1.symantec.com

sophos.com

spd.atdmt.com

support.microsoft.com

symantec.com

update.symantec.com

updates.symantec.com

us.mcafee.com

vil.nai.com

viruslist.ru

windowsupdate.microsoft.com

www.avp.ch

www.avp.com

www.avp.ru

www.awaps.net

www.ca.com

www.fastclick.net

www.f-secure.com

www.kaspersky.ru

www.mcafee.com

www.my-etrust.com

www.nai.com

www.networkassociates.com

www.sophos.com

www.symantec.com

www.trendmicro.com

www.viruslist.ru

ftp.kasperskylab.ru

ftp.avp.ch

www.kaspersky.ru

updates1.kaspersky-labs.com

updates3.kaspersky-labs.com

updates4.kaspersky-labs.com

updates2.kaspersky-labs.com

updates5.kaspersky-labs.com

downloads1.kaspersky-labs.com

www.kaspersky-labs.com

updates3.kaspersky-labs.com

downloads1.kaspersky-labs.com

www3.ca.com

ids.kaspersky-labs.com

downloads2.kaspersky-labs.com

downloads1.kaspersky-labs.com

downloads3.kaspersky-labs.com

downloads4.kaspersky-labs.com

liveupdate.symantecliveupdate.com

liveupdate.symantec.com

update.symantec.com

download.mcafee.com

www.symantec.com

securityresponse.symantec.com

symantec.com

www.sophos.com

sophos.com

www.mcafee.com

mcafee.com

liveupdate.symantecliveupdate.com

www.viruslist.com

viruslist.com

f-secure.com

www.f-secure.com

kaspersky.com

kaspersky-labs.com

www.avp.com

www.kaspersky.com

avp.com

www.networkassociates.com

networkassociates.com

www.ca.com

ca.com

mast.mcafee.com

my-etrust.com

www.my-etrust.com

download.mcafee.com

dispatch.mcafee.com

secure.nai.com

nai.com

www.nai.com

update.symantec.com

updates.symantec.com

us.mcafee.com

liveupdate.symantec.com

customer.symantec.com

rads.mcafee.com

trendmicro.com

www.trendmicro.com

www.grisoft.com

downloads-us1.kaspersky-labs.com

downloads-us2.kaspersky-labs.com

downloads-us3.kaspersky-labs.com

ftp.downloads2.kaspersky-labs.com

• ·Worm.Delf.o
• ·Worm.Infoberl.b
• ·Worm.Delf.p
• ·Worm.Randex.p
• ·Worm.Champions.a
• ·Win32.Troj.Dahua.k
• ·Worm.CWS.a
• ·VBS.Lee.cm
• ·Worm.Activated
• ·Win32.Hack.MobileBomber