Virus name (Chinese):
Virus aliases:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
887432
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a mass-mailing worm. It searches the infected machine for e-mail addresses and sends copies of itself to them, and it also tries to spread through LAN shares, placing a heavy load on the network.
1. Creates the file:
%System%\win32lib.exe
2. Adds a Run entry so the worm starts with Windows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win_shell = win32lib.exe
3. Creates the registry key:
SOFTWARE\Windows_Shell
4. Searches files with the following extensions on the infected machine for e-mail addresses:
wab
txt
msg
htm
shtm
stm
xml
dbx
mbx
mdx
eml
nch
mmf
ods
cfg
asp
php
pl
wsh
adb
tbb
sht
xls
oft
uin
cgi
mht
dhtm
jsp
5. Does not send mail to addresses containing any of the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
6. Sends mail:
Subject (one of the following):
Pay your debts before we come to you
Call to your lawer immidiately
Lawsuit against you
We wait your response.
Body (one of the following):
"LAWSUIT AGAINST YOU (ATTACHMENT HAS MORE INFORMATION) 1550 Peachtree Street Atlanta, GA 30309
To [REMOVED]gment that I can get against Equifax for violation of the Fair Credit Reporting Act and Defamation."
"LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION) To Whom It May Concern:
On [REMOVED] in case you refuse to accept the certified mail, return receipt requested version of this letter."
"LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION)
Tucker's Fix-It-Quick Gara[REMOVED]g the day at 555-2857 or in the evenings until 10 p.m. at 555-8967.
Sincerely,
Marsha Rizzoli"
The attachment name is one of the following, chosen at random:
lawsuit.exe
explanation.exe
documents.exe
It also appends the following lines to the end of the message to mislead the recipient:
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.com
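The subject lines, attachment names and fake "no virus found" footer listed above are the indicators a mail gateway can match on. The following Python script is an added example, not part of the vendor description: it parses a raw RFC 822 message with the standard library and reports which of those indicators it contains. The two sample messages (one lure, one benign) are constructed here for the demonstration; the sender and recipient addresses are placeholders.

```python
"""Mail-gateway style check for the lure e-mails described above.

Added example, not part of the vendor description. Sample messages are
constructed inline; addresses and attachment bytes are placeholders.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above. The worm's own misspellings
# in the subject lines are kept on purpose so the match is exact.
LURE_SUBJECTS = {
    "pay your debts before we come to you",
    "call to your lawer immidiately",
    "lawsuit against you",
    "we wait your response.",
}
LURE_ATTACHMENTS = {"lawsuit.exe", "explanation.exe", "documents.exe"}
FAKE_AV_FOOTER = "++++ attachment: no virus found"


def classify(raw: bytes) -> dict:
    """Parse one raw message and return {'lure': bool, 'indicators': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    # Subject line match (case-insensitive, surrounding whitespace ignored).
    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        indicators.append("subject")

    # Attachment file name match; iter_attachments() yields nothing for a
    # non-multipart message, so plain-text mail passes through here untouched.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ATTACHMENTS:
            indicators.append("attachment:" + name)

    # Fake antivirus footer in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if FAKE_AV_FOOTER in text:
        indicators.append("fake-av-footer")

    return {"lure": bool(indicators), "indicators": indicators}


def build_sample(subject: str, body_text: str, attachment_name=None) -> bytes:
    """Construct a raw message for the demonstration (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    if attachment_name:
        # Placeholder bytes standing in for the worm executable.
        msg.add_attachment(b"MZ-placeholder-not-a-real-binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples modelled on the description above.
LURE_BODY = (
    "LAWSUIT AGAINST YOU (ATTACHMENT HAS MORE INFORMATION)\n"
    "1550 Peachtree Street Atlanta, GA 30309\n"
    "\n"
    "++++ Attachment: No Virus found\n"
    "++++ Norton AntiVirus - www.symantec.com\n"
)
SAMPLES = {
    "lure": build_sample("Lawsuit against you", LURE_BODY, "lawsuit.exe"),
    "benign": build_sample("Lunch tomorrow?", "See you at noon.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The match is deliberately exact on the listed strings so the result is explainable; a production rule set would add a generic block on executable attachments, since the attachment names are trivial to change between variants while the `.exe` extension is what actually carries the infection.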