Worm.Beagle.fi

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

69842

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是一种通过邮件传播的蠕虫病毒，该病毒搜索被感染机器上的邮件地址把自己的拷贝发送出去，并且会尝试下载新病毒变种。该病毒并且会生成驱动保护病毒，删除大量的注册表项，使被感染的机器无法进入安全模式。

1。生成文件:

%ApplicationData%\hidn\hidn.exe

%ApplicationData%\hidn\m_hook.sys

C:\error.gif

2.当病毒第一次运行的时候会生成一下键值:

HKCU\Software\FirstRuxzx

FirstRun

3.起始项里面添加以下内容:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

drv_st_key

4.尝试连接smtp.google.com判定网络是否连通。

5.尝试下载以下文件:

http://www.titanmotors.com/images/1/eml.php

http://veranmaisala.com/1/eml.php

http://wklight.nazwa.pl/1/eml.php

http://yongsan24.co.kr/1/eml.php

http://accesible.cl/1/eml.php

http://hotelesalba.com/1/eml.php

http://amdlady.com/1/eml.php

http://inca.dnetsolution.net/1/eml.php

http://www.auraura.com/1/eml.php

http://avataresgratis.com/1/eml.php

http://beyoglu.com.tr/1/eml.php

http://brandshock.com/1/eml.php

http://www.buydigital.co.kr/1/eml.php

http://camaramafra.sc.gov.br/1/eml.php

http://camposequipamentos.com.br/1/eml.php

http://cbradio.sos.pl/1/eml.php

http://c-d-c.com.au/1/eml.php

http://www.klanpl.com/1/eml.php

http://coparefrescos.stantonstreetgroup.com/1/eml.php

http://creainspire.com/1/eml.php

http://desenjoi.com.br/1/eml.php

http://www.inprofile.gr/1/eml.php

http://www.diem.cl/1/eml.php

http://www.discotecapuzzle.com/1/eml.php

http://ujscie.one.pl/777.gif

http://1point2.iae.nl/777.gif

http://appaloosa.no/777.gif

http://apromed.com/777.gif

http://arborfolia.com/777.gif

http://pawlacz.com/777.gif

http://areal-realt.ru/777.gif

http://bitel.ru/777.gif

http://yetii.no-ip.com/777.gif

http://art4u1.superhost.pl/777.gif

http://www.artbed.pl/777.gif

http://art-bizar.foxnet.pl/777.gif

http://www.jonogueira.com/777.gif

http://asdesign.cz/777.gif

http://ftp-dom.earthlink.net/777.gif

http://www.aureaorodeley.com/777.gif

http://www.autoekb.ru/777.gif

http://www.autovorota.ru/777.gif

http://avenue.ee/777.gif

http://www.avinpharma.ru/777.gif

http://ouarzazateservices.com/777.gif

http://stats-adf.altadis.com/777.gif

http://bartex-cit.com.pl/777.gif

http://bazarbekr.sk/777.gif

http://gnu.univ.gda.pl/777.gif

http://bid-usa.com/777.gif

http://biliskov.com/777.gif

http://biomedpel.cz/777.gif

http://blackbull.cz/777.gif

http://bohuminsko.cz/777.gif

http://bonsai-world.com.au/777.gif

http://bpsbillboards.com/777.gif

http://cadinformatics.com/777.gif

http://canecaecia.com/777.gif

http://www.castnetnultimedia.com/777.gif

http://compucel.com/777.gif

http://continentalcarbonindia.com/777.gif

http://ceramax.co.kr/777.gif

http://prime.gushi.org/777.gif

http://www.chapisteriadaniel.com/777.gif

http://charlesspaans.com/777.gif

http://chatsk.wz.cz/777.gif

http://www.chittychat.com/777.gif

http://checkalertusa.com/777.gif

http://cibernegocios.com.ar/777.gif

http://5050clothing.com/777.gif

http://cof666.shockonline.net/777.gif

http://comaxtechnologies.net/777.gif

http://concellodesandias.com/777.gif

http://www.cort.ru/777.gif

http://donchef.com/777.gif

http://www.crfj.com/777.gif

http://kremz.ru/777.gif

http://dev.jintek.com/777.gif

http://foxvcoin.com/777.gif

http://uwua132.org/777.gif

http://v-v-kopretiny.ic.cz/777.gif

http://erich-kaestner-schule-donaueschingen.de/777.gif

http://vanvakfi.com/777.gif

http://axelero.hu/777.gif

http://kisalfold.com/777.gif

http://vega-sps.com/777.gif

http://vidus.ru/777.gif

http://viralstrategies.com/777.gif

http://svatba.viskot.cz/777.gif

http://Vivamodelhobby.com/777.gif

http://vkinfotech.com/777.gif

http://vytukas.com/777.gif

http://waisenhaus-kenya.ch/777.gif

http://watsrisuphan.org/777.gif

http://www.ag.ohio-state.edu/777.gif

http://wbecanada.com/777.gif

http://calamarco.com/777.gif

http://vproinc.com/777.gif

http://grupdogus.de/777.gif

http://knickimbit.de/777.gif

http://dogoodesign.ch/777.gif

http://systemforex.de/777.gif

http://zebrachina.net/777.gif

http://www.walsch.de/777.gif

http://hotchillishop.de/777.gif

http://innovation.ojom.net/777.gif

http://massgroup.de/777.gif

http://web-comp.hu/777.gif

http://webfull.com/777.gif

http://welvo.com/777.gif

http://www.ag.ohio-state.edu/777.gif

http://poliklinika-vajnorska.sk/777.gif

http://wvpilots.org/777.gif

http://www.kersten.de/777.gif

http://www.kljbwadersloh.de/777.gif

http://www.voov.de/777.gif

http://www.wchat.cz/777.gif

http://www.wg-aufbau-bautzen.de/777.gif

http://www.wzhuate.com/777.gif

http://zsnabreznaknm.sk/777.gif

http://xotravel.ru/777.gif

http://ilikesimple.com/777.gif

http://yeniguntugla.com/777.gif

6.结束以下进程:

"ashAvast.exe"

"ashDisp.exe"

"ashEnhcd.exe"

"ashPopWz.exe"

"ashSimpl.exe"

"ashSkPck.exe"

"ashWebSv.exe"

"AUPDATE.EXE"

"Avconsol.exe"

"avgcc.exe"

"avgemc.exe"

"AVGNT.EXE"

"AVSCHED32.EXE"

"Avsynmgr.exe"

"AVWUPD32.EXE"

"bdmcon.exe"

"bdnews.exe"

"bdsubmit.exe"

"bdswitch.exe"

"cafix.exe"

"ccApp.exe"

"CCEVTMGR.EXE"

"CCSETMGR.EXE"

"ClamTray.exe"

"ClamWin.exe"

"CMGrdian.exe"

"drwadins.exe"

"drweb32w.exe"

"drwebscd.exe"

"drwebupw.exe"

"freshclam.exe"

"GUARDGUI.EXE"

"GuardNT.exe"

"INETUPD.EXE"

"InocIT.exe"

"InoUpTNG.exe"

"isafe.exe"

"KAV.exe"

"kavmm.exe"

"KAVPF.exe"

"LUALL.EXE"

"Luupdate.exe"

"Mcshield.exe"

"NAVAPSVC.EXE"

"nod32.exe"

"nod32kui.exe"

"NPFMNTOR.EXE"

"npfmsg.exe"

"Nvcod.exe"

"Nvcte.exe"

"Nvcut.exe"

"outpost.exe"

"pccguide.exe"

"PcCtlCom.exe"

"QHPF.EXE"

"Realmon.exe"

"regedit.exe"

"regedt32.exe"

"RuLaunch.exe"

"SNDSrvc.exe"

"SPBBCSvc.exe"

"spiderml.exe"

"symlcsvc.exe"

"Tmntsrv.exe"

"TmPfw.exe"

"tmproxy.exe"

"Up2Date.exe"

"upgrepl.exe"

"Vba32ECM.exe"

"Vba32ifs.exe"

"vba32ldr.exe"

"Vba32PP3.exe"

"Vshwin32.exe"

"VsStat.exe"

"zatutor.exe"

"zlclient.exe"

"zonealarm.exe"

"guardnt.sys"

"filtnt.sys"

avsvc.exe

bdmcon.exe

vsserv.exe

bdnews.exe

livesrv.exe

mcupdate.exe

frameworkservice.exe

upgrader.exe

apvxdwin.exe

LuComServer_2_5.EXE

lucomserver_2_6.exe

drwebupw.exe

nod32krn.exe

7.在被感染的机器上搜索以下的文件格式，查找邮件地址:

.wab

.txt

.msg

.htm

.shtm

.stm

.xml

.dbx

.mbx

.mdx

.eml

.nch

.mmf

.ods

.cfg

.asp

.php

.pl

.wsh

.adb

.tbb

.sht

.xls

.oft

.uin

.cgi

.mht

.dhtm

.jsp

8.不向含有以下字符的邮件地址发送邮件:

@hotmail

@msn

@microsoft

rating@

f-secur

news

update

anyone@

bugs@

contract@

feste

gold-certs@

help@

info@

nobody@

noone@

kasp

admin

icrosoft

support

ntivi

unix

bsd

linux

listserv

certific

sopho

@foo

@iana

free-av

@messagelab

winzip

google

winrar

samples

abuse

panda

cafee

spam

pgp

@avp.

noreply

local

root@

postmaster@

• ·Win32.Troj.Adloader
• ·Win32.Troj.Downloader.l
• ·Worm.Sixem.a
• ·Win32.Troj.KeyLogger.dx
• ·Win32.Troj.NetPig.ee
• ·Win32.QQTran.ee
• ·Worm.InfoSteal
• ·Win32.Troj.QQMsgBook.r
• ·Win32.Hack.Huigezi.bv
• ·Win32.Troj.Loadear.j