Worm.Bagz.c
病毒别名:
处理时间:
威胁级别:★★
中文名称:袋子
病毒类型:蠕虫
影响系统:Win9x / WinNT
病毒行为:
该病毒通过邮件传播,它通过自身的发信模块发送信件,信件的标题、内容和附件名都是可变的,附件是一个扩展名为exe或zip的文件。
该病毒还会修改本地hosts文件,使用户访问不了包括各大杀毒软件厂商网站在内的站点及微软公司的技术支持站点,无法更新安全程序。
另外,该病毒还会禁止一些安全软件的执行。
a.病毒启动后会创建如下文件:
%system%
pc32.exe
%system%
un32.exe
%system%sysboot.doc .exe
b.向系统中添加一个服务:
服务名称:RPC32
显示名称:Network Explorer
描述:Starts and configures accessibility tools from one window
可执行文件路径:%system%
pc32.exe
c.病毒会删除包含如下文件的服务、注册表项。以达到阻止防病毒软件等安全软件启动的目的。
mpfagent.exe
mpfconsole.exe
mpfservice.exe
mpftray.exe
mpfui.dll
mpfupdchk.dll
mpfwizard.exe
mvtx.exe
dunzip32.dll
mcappins.exe
mcinfo.exe
mghtml.exe
804mbd1.chk
804mbd1.img
appinit.ini
ashldres.dll
edisk.dll
emscnres.dll
ftscnres.dll
imscnbin.inf
imscnres.inf
mcavtsub.dll
mcmnhdlr.exe
mcscan32.dll
mcshield.exe
mcurial.dll
mcvsctl.dll
mcvsescn.exe
mcvsftsn.exe
mcvsmap.exe
mcvsrte.exe
mcvsscrp.dll
mcvsshl.dll
mcvsshld.exe
mcvsskt.dll
mcvsworm.dll
naiann.dll
naievent.dll
ntclient.dll
outscan.dll
outscres.dll
patchw32.dll
scan.dat
scanserv.dll
scrpres.dll
scrpsbin.inf
scrstres.inf
shextbin.inf
shextres.inf
shlres.dll
vsagntui.dll
mcshield.dll
vsoui.dll
vsoupd.dll
vsowow.dll
wormres.dll
alert.zap
email.zap
filter.zap
firewall.zap
framewrk.dll
idlock.zap
programs.zap
security.zap
tutorwiz.dll
zatutor.exe
zauninst.exe
zav.zap
zlclient.exe
zl_priv.htm
zonealarm.exe
camupd.dll
cerbprovider.pvx
ssleay32.dll
vsavpro.dll
vsdb.dll
vsmon.exe
vsruledb.dll
vsvault.dll
zlparser.dll
aboutplg.dll
apwcmdnt.dll
apwutil.dll
avcompbr.dll
avres.dll
bootwarn.exe
ccavmail.dll
ccimscan.dll
ccimscn.exe
cfgwiz.exe
cfgwzres.dll
defalert.dll
djsalert.dll
ltchkres.dll
n32call.dll
n32exclu.dll
navap32.dll
navapscr.dll
navapsvc.exe
navapw32.dll
navapw32.exe
navcfgwz.dll
navcomui.dll
naverror.dll
navevent.dll
navlcom.dll
navlnch.dll
navlogv.dll
navlucbk.dll
navntutl.dll
navoptrf.dll
navopts.dll
navprod.dll
navshext.dll
navstats.dll
navstub.exe
navtasks.dll
navtskwz.dll
navui.dll
navui.nsi
navuihtm.dll
navw32.exe
navwnt.exe
netbrext.dll
oeheur.dll
officeav.dll
opscan.exe
patch25d.dll
probegse.dll
ptchinst.dll
qconres.dll
qconsole.exe
qspak32.dll
quar32.dll
quarantine
quaropts.dat
s32integ.dll
s32navo.dll
savrt.sys
savrt32.dll
savrtpel.sys
savscan.exe
scandlvr.dll
scandres.dll
scanmgr.dll
scriptui.dll
sdpck32i.dll
sdsnd32i.dll
sdsok32i.dll
sdstp32i.dll
statushp.dll
symnavo.dll
ashavast.exe
ashbug.exe
ashchest.exe
ashdisp.exe
ashlogv.exe
ashmaisv.exe
ashpopwz.exe
ashquick.exe
ashserv.exe
ashsimpl.exe
ashskpcc.exe
ashskpck.exe
aswboot.exe
aswregsvr.exe
aswupdsv.exe
sched.exe
persfw.exe
pfwadmin.exe
d.向用户的hosts文件中添加如下项目,导致用户无法访问一些安全站点,并阻止一些安全软件的更新
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com
e.从如下扩展名的文件中收集邮件地址:TBB、tbb、TBI、tbi、DBX、dbx、HTM、htm、TXT、txt,向收集到的地址发送邮件。
发送时,会避免向如下字符串的地址发送邮件:
winzip
winrar
webmaster@
update
unix
support@
support
spam
sopho
samples
root@
rating@
postmaster@
pgp
panda
ntivi
noreply
noone@
nobody@
news
netadmin@
local
listserv
linux
kasp
info@
icrosoft
hostmaster@
help@
gold-certs@
gold-
free-av
feste
f-secur
contract@
contact@
certs@
certific
cafee
bugs@
bsd
anyone@
all@
administrator@
admin
abuse
@microsoft
@messagelab
@iana
@foo
@avp
f.向上一步收集到的邮件地址发信,
信的标题可能为如下之一:
Att
Allert!
re: order
re: please
re: Andrey
Vasia
text
Warning
Administrator
best regards
waiting
attach
attachments
Amirecans
Russian's
Hello
Have a nice day
office
Money
contract
toxic
urgent
Read this
please responce
ASAP
信的内容可能为如下之一:
Hi
Did you get the previous document I attached for you?
I resent it in this email just in case, because I
really need you to check it out asap.
Best Regards
Hi
I made a mistake and forgot to click attach
on the previous email I sent you. Please give me
your opinion on this opportunity when you get a chance.
Best Regards
Hi
I was supposed to send you this document yesterday.
Sorry for the delay, please forward this to your family if possible.
It contains important info for both of you.
Hi
Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please checkout attached doc file when you have a moment.
Best Regards
Hi
I was in a rush and I forgot to attach an important
document. Please see attached doc file.
Best Regards,
Sorry to bother you, but I am having a problem receiving your emails.
I am responding to your last email in the attached file.
Please get back to me if there is any problem reading the attachment.
I am responding to your last email in the attached file.
I had a delivery problem with your inbox, so maybe you'll receive this
now.
Can you please check out the email I have attached?
For some reason, I received only part of your last several emails.
I want to make sure that there are no problems with either of our
accounts.
This email is being sent as attachment because
it was previously blocked by your email filters.
Please view the attachment and respond.
Thanks
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks
I apologize, but I need you to verify
that I have the correct contact info for you.
My system crashed last weekend and
I lost most of my friends and work contacts.
Please check the attached (.pdf) and
please let me know if your info is current.
My last email to you was returned.
The reason is that I am not currently
added to your allowed contact list.
Please add my updated contact info
provided in the attached (.pdf) file
so I can send you emails in the future.
Sincerely
I have updated my email address
See the (.pdf) file attached and
please respond if you have any questions.
We have made recent updates to our database.
Please verify your mailing address on file is correct.
We have attached a (.pdf) sheet for you to use for your response.
Hello
Our contact information has changed.
See the attached (.pdf) sheet for details.
Sincerely,
***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your
account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE***
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User
Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User
Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User
Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User
Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,User
Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User
信的附件名可能为如下名称之一(这些文件在发送时会在%System%目录生成):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
backup.doc .exe
admin.doc .exe
archivator.doc .exe
about.doc .exe
readme.doc .exe
help.doc .exe
photos.doc .exe
payment.doc .exe
archives.doc .exe
manual.doc .exe
inbox.doc .exe
outbox.doc .exe
save.doc .exe
rar.doc .exe
zip.doc .exe
ataches.doc .exe
documentation.doc .exe
docs.doc .exe
sysboot.doc .exe