Virus name (Chinese):
Bagle variant BF (恶鹰变种BF)
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
37888
Affected systems:
Win9x, WinNT
Virus behavior:
After it runs, the virus injects itself into Explorer.exe, blocks the user from accessing certain websites, prevents the user from starting certain services, moves files on the system, modifies the registry, and downloads further virus programs from the network and runs them.
1. After the virus runs
It creates winshost.exe and wiwshost.exe in the system's System32 directory.
wiwshost.exe is injected into the Explorer.exe process.
The following entry is added to the registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"-"C:\WINNT\System32\winshost.exe"
2. Enumerates the processes running on the system and forcibly terminates the following processes:
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
3. Downloads a file from the following addresses and executes it:
http://www.XXXgo.com.pt/osa.gif
http://www.XXXvelourway.com/osa.gif
http://www.XXXaserve.net/osa.gif
http://www.XXXd.dobrcz.pl/osa.gif
http://www.XXXd.at/osa.gif
http://www.XXXld.at/osa.gif
http://www.XXXgsley.ch/osa.gif
http://www.XXXd.at/osa.gif
http://www.XXXis-presley.ch/osa.gif
http://www.XXXyhome.com.tw/osa.gif
http://www.XXXr.cl/osa.gif
http://www.XXXolfibras.com/osa.gif
http://www.XXX4.ee/osa.gif
http://www.XXXc.com/osa.gif
http://www.XXXreme.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXntong.net/osa.gif
http://www.XXXpie.com/osa.gif
http://www.XXXie.com/osa.gif
http://www.XXXd.com/osa.gif
http://www.XXXnick-spruyt.be/osa.gif
http://www.XXXadownload.com/osa.gif
http://www.XXXterdays.co.za/osa.gif
http://www.XXXterdays.co.za/osa.gif
http://www.XXXkj.com/osa.gif
http://www.XXXkj.com/osa.gif
http://www.XXXazcd.dp.ua/osa.gif
http://www.XXXdents.stir.ac.uk/osa.gif
http://www.XXXesoftware.com/osa.gif
http://www.XXXtek.co.za/osa.gif
http://www.XXXm.com/osa.gif
http://www.XXXli.sk/osa.gif
http://www.XXXbas.az/osa.gif
http://www.XXXersala.edu.sk/osa.gif
http://www.XXXapex.cz/osa.gif
http://www.XXXptonic.ch/osa.gif
http://www.XXXmarina.com/osa.gif
http://www.XXXink.net/osa.gif
http://www.XXXcoteka-funfactory.com/osa.gif
http://www.XXXssain.be/osa.gif
http://www.XXXs.be/osa.gif
http://www.XXXeters.org/osa.gif
http://www.XXXham.de/osa.gif
http://www.XXXf.de/osa.gif
http://www.XXXz.at/osa.gif
http://www.XXXietaet.de/osa.gif
http://www.XXXm-alliance.de/osa.gif
http://www.XXXc-cassinadepecchi.it/osa.gif
http://www.XXXiverse.sk/osa.gif
http://www.XXXgjuok.com/osa.gif
http://www.XXXtrox.com.tw/osa.gif
http://www.XXXowerchair.com/osa.gif
http://www.XXXripharm.com/osa.gif
http://www.XXXll-cpa.com/osa.gif
http://www.XXX-american.com/osa.gif
http://www.XXXruyssenelektro.be/osa.gif
http://www.XXXtrovestecasa.it/osa.gif
http://www.XXX24h.com/osa.gif
http://www.XXXimeloni.com/osa.gif
http://www.XXXvjiet.ac.in/osa.gif
http://www.XXXe2fateh.com/osa.gif
http://www.XXXketvw.com/osa.gif
http://www.XXXmholz.at/osa.gif
http://www.XXXckonemedia.nl/osa.gif
http://www.XXXomax.fi/osa.gif
http://www.XXXpress-bank.pl/osa.gif
http://www.XXXba.asn.au/osa.gif
http://www.XXXwanjia.com/osa.gif
http://www.XXXwanqing.com/osa.gif
http://www.XXXp.co.za/osa.gif
http://www.XXXomobilonline.de/osa.gif
http://www.XXXgyan.cn/osa.gif
http://www.XXXbuild.com/osa.gif
http://www.XXXle.com.cn/osa.gif
http://www.XXXleclub.com.cn/osa.gif
http://www.XXXleclub.com.cn/osa.gif
http://www.XXXjinyuan.com/osa.gif
http://www.XXXigngong.org/osa.gif
http://www.XXXmegaroy.com/osa.gif
http://www.XXXchcorp.com/osa.gif
http://www.XXXphoto.com/osa.gif
http://www.XXXco.org/osa.gif
http://www.XXXtmajor.ru/osa.gif
http://www.XXXt3.org/osa.gif
http://www.XXXsolutions.com/osa.gif
http://www.XXXcium.biz/osa.gif
http://www.XXXedcom.home.pl/osa.gif
http://www.XXXrit-in-steel.at/osa.gif
http://www.XXXj.az/osa.gif
http://www.XXXt-paulus-bonn.dehtdocs/osa.gif
http://www.XXXtbs.com.hk/osa.gif
http://www.XXXohio.com/osa.gif
http://www.XXXa.com.pe/osa.gif
http://www.XXXsplanet.com/osa.gif
http://www.XXXgodbio.com/osa.gif
http://www.XXXerbetcs.com/osa.gif
http://www.XXXj.vn/osa.gif
http://www.XXXolo.com/osa.gif
http://www.XXXdiheng.com/osa.gif
http://www.XXXria.hu/osa.gif
http://www.XXXternet.hu/osa.gif
http://www.XXXndenservice.be/osa.gif
http://www.XXXhc.hu/osa.gif
http://www.XXXcampus.net/osa.gif
http://www.XXXtentproject.com/osa.gif
http://www.XXXtivalteatrooccidente.com/osa.gif
http://www.XXXhni.com.cn/osa.gif
http://www.XXXtivalteatrooccidente.com/osa.gif
http://www.XXXifast.com/osa.gif
http://www.XXXiventure.com/osa.gif
http://www.XXXi.com.vn/osa.gif
http://www.XXXplayu.com/osa.gif
http://www.XXX-mutan.com/osa.gif
http://www.XXXetexasoutfitter.com/osa.gif
http://www.XXXhcsd1987.friko.pl/osa.gif
http://www.XXXenextstep.tv/osa.gif
http://www.XXXhenextstep.tv/osa.gif
http://www.XXXsartproductions.com/osa.gif
http://www.XXXlsonscountry.com/osa.gif
http://www.XXXindstar.pl/osa.gif
http://www.XXXe-industries.com/osa.gif
http://www.XXXtold.pl/osa.gif
http://www.XXXtold.pl/osa.gif
http://www.XXXhg.net/osa.gif
http://www.XXXovanet.sk/osa.gif
http://www.XXXwombband.com/osa.gif
http://www.XXXtanet.huwww.datanet.hu/osa.gif
http://www.XXXg.hu/osa.gif
http://www.XXXy.com.cn/osa.gif
http://www.XXX-security.de/osa.gif
http://www.XXXe-fliesen.de/osa.gif
http://www.XXXm-invest.com.pl/osa.gif
http://www.XXXlhardtgmbh.de/osa.gif
http://www.XXXhrschule-herb.de/osa.gif
http://www.XXXhrschule-lesser.de/osa.gif
http://www.XXXimex-messzeuge.de/osa.gif
http://www.XXXnside-tgweb.de/osa.gif
http://www.XXXue-bo.com/osa.gif
http://www.XXXniko.de/osa.gif
http://www.XXXikogmbh.com/osa.gif
http://www.XXXenegaderc.com/osa.gif
http://www.XXXchsenbuecher.de/osa.gif
http://www.XXXcvanravenswaaij.nl/osa.gif
http://www.XXXpoden.de/osa.gif
http://www.XXXportnf.com/osa.gif
http://www.XXXweb.cz/osa.gif
http://www.XXXg-sandhausen-basketball.de/osa.gif
http://www.XXXefunkiest.com/osa.gif
http://www.XXXthefunkiest.com/osa.gif
http://www.XXXeoushinn.com/osa.gif
http://www.XXXesley.ch/osa.gif
4. Deletes the following file:
mysuperprog.exe
5. Renames the following files:
CCSETMGR.EXE renamed to C1CSETMGR.EXE
CCEVTMGR.EXE renamed to CC1EVTMGR.EXE
NAVAPSVC.EXE renamed to NAV1APSVC.EXE
NPFMNTOR.EXE renamed to NPFM1NTOR.EXE
symlcsvc.exe renamed to s1ymlcsvc.exe
SPBBCSvc.exe renamed to SP1BBCSvc.exe
SNDSrvc.exe renamed to SND1Srvc.exe
ccApp.exe renamed to ccA1pp.exe
ccl30.dll renamed to cc1l30.dll
ccvrtrst.dll renamed to ccv1rtrst.dll
LUALL.EXE renamed to LUAL1L.EXE
AUPDATE.EXE renamed to AUPD1ATE.EXE
Luupdate.exe renamed to Luup1date.exe
LUINSDLL.DLL renamed to LUI1NSDLL.DLL
RuLaunch.exe renamed to RuLa1unch.exe
CMGrdian.exe renamed to CM1Grdian.exe
Mcshield.exe renamed to Mcsh1ield.exe
outpost.exe renamed to outp1ost.exe
Avconsol.exe renamed to Avc1onsol.exe
Vshwin32.exe renamed to Vshw1in32.exe
VsStat.exe renamed to Vs1Stat.exe
Avsynmgr.exe renamed to Av1synmgr.exe
kavmm.exe renamed to kav12mm.exe
Up2Date.exe renamed to Up222Date.exe
KAV.exe renamed to K2A2V.exe
avgcc.exe renamed to avgc3c.exe
avgemc.exe renamed to avg23emc.exe
zonealarm.exe renamed to zo3nealarm.exe
zatutor.exe renamed to zatu6tor.exe
zlavscan.dll renamed to zl5avscan.dll
zlclient.exe renamed to zlcli6ent.exe
isafe.exe renamed to is5a6fe.exe
cafix.exe renamed to c6a5fix.exe
vsvault.dll renamed to vs6va5ult.dll
av.dll renamed to a5v.dll
vetredir.dll renamed to ve6tre5dir.dll
6. Deletes the following registry values and keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymantecNetDriverMonitor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAVCfgWiz"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeGuardian"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee.InstantUpdate.Monitor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAV50"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avg7_cc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avg7_emc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneLabsClient"
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\PandaSoftware]
[HKLM\SOFTWARE\ZoneLabs]
7. Blocks the following services:
wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
OutpostFirewall
SAVScan
SBService
SymantecCoreLC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backwebclient-4476822
backwebclient-4476822
fsdfwd
F-SecureGatekeeperHandlerStarter
FSMA
KAVMonitorService
navapsvc
NProtectService
NortonAntivirusServer
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWebClient-7681197
F-SecureGatekeeperHandlerStarter
FSMA
AVPCC
KAVMonitorService
NormanNJeeves
NVCScheduler
nvcoas
NormanZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfeeFirewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
SymantecCoreLC
SAVScan
kavsvc
DefWatch
SymantecAntiVirusClient
NSCTOP
SymantecCoreLC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNeticAntiVirusPlug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
NetworkAssociatesLogService
OutbreakManager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
AhnlabtaskScheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
8. Blocks access to the following website addresses:
updates1.kaspersky-labs.com
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
ftp.kasperskylab.ru
ftp.avp.ch
www.kaspersky.ru
updates1.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates2.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads1.kaspersky-labs.com
www.kaspersky-labs.com
updates3.kaspersky-labs.com
downloads1.kaspersky-labs.com
www3.ca.com
ids.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
download.mcafee.com
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
www.grisoft.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com