Worm.Beagle.xk

王朝百科 · author: anonymous · 2009-12-26

Aliases:

Processed: 2005-08-26

Threat level: ★★

Chinese name: 恶鹰变种xk (Bagle variant xk)

Type: worm

Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Behaviour:

This worm spreads by e-mail and also exploits the Plug and Play vulnerability (MS05-039). It blocks access to a large number of security-vendor websites, downloads files from the Internet, searches files on the infected machine for e-mail addresses, and mails itself to the addresses it finds. It lures users into opening and running the worm by promising serial numbers for various software. It sends out large volumes of infected mail and seriously compromises the security of affected users.

1. It first tries to create a mutex named Breatle-X-Beagle to determine whether another Bagle variant is already running on the system.

2. It creates the following mutexes so that only one instance of the worm runs:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

3. It creates the file:

%System%\winhost.exe

4. It adds a startup entry so that the worm runs at boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

winhost.exe

5. It deletes the following values from these registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Values deleted:

winhost.exe

WINDOWS SYSTEM

csm Win Updates

WinDrg32

Wintbp.exe

Wintbpx.exe

wintnpx.exe

erthgdr

erthgdr2

6. It modifies the hosts file to block a large number of security-vendor websites:

127.0.0.1 www.ca.com

127.0.0.1 pandasoftware.com

127.0.0.1 www.nai.com

127.0.0.1 kaspersky.com

127.0.0.1 www.f-secure.com

127.0.0.1 download.mcafee.com

127.0.0.1 www.my-etrust.com

127.0.0.1 ca.com

127.0.0.1 www.kaspersky.com

127.0.0.1 www.sophos.com

127.0.0.1 mcafee.com

127.0.0.1 sophos.com

127.0.0.1 www.mcafee.com

127.0.0.1 symantec.com

127.0.0.1 www.pandasoftware.com

127.0.0.1 www.sarc.com

127.0.0.1 trendmicro.com

127.0.0.1 f-secure.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 www.symantec.com

127.0.0.1 www.trendmicro.com
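The hosts-file tampering in section 6 is the easiest of these indicators to check and to undo from a script. The following is an added example, not code from the original page: it parses a hosts file, flags vendor domains that have been mapped to a loopback or blackhole address, and returns a cleaned copy with only those lines removed. The vendor list is taken from the entries above; the check works on the registrable domain, so it generalises to any subdomain (www., download., liveupdate.) rather than only the exact hostnames listed. The sample hosts content and all function names are mine.

```python
"""Added example (not from the original page): find hosts-file entries that
sinkhole security-vendor domains, as Worm.Beagle.xk does, and clean them."""
from typing import List, Tuple

# Registrable domains from the page's hosts-file list (section 6).
VENDOR_DOMAINS = {
    "ca.com", "pandasoftware.com", "nai.com", "kaspersky.com", "f-secure.com",
    "mcafee.com", "my-etrust.com", "sophos.com", "symantec.com", "sarc.com",
    "trendmicro.com",
}
# Addresses that turn a hosts entry into a block: loopback (what the worm
# uses) and the common blackhole address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels: liveupdate.symantec.com -> symantec.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every mapping line,
    ignoring blank lines and '#' comments (trailing comments included)."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((n, parts[0], parts[1:]))
    return entries


def find_sinkholed_vendors(text: str) -> List[Tuple[int, str]]:
    """(line_number, hostname) for each vendor host mapped to a sinkhole address."""
    hits = []
    for n, address, hosts in parse_hosts(text):
        if address not in SINKHOLE_ADDRESSES:
            continue
        for host in hosts:
            if registrable_domain(host) in VENDOR_DOMAINS:
                hits.append((n, host))
    return hits


def clean_hosts(text: str) -> str:
    """Drop only the offending lines; localhost and unrelated entries stay as they are."""
    bad = {n for n, _ in find_sinkholed_vendors(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a default hosts file plus four entries of the kind the worm writes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.  (constructed sample)
127.0.0.1       localhost
10.0.0.5        intranet.corp.example   # legitimate admin entry, keep
127.0.0.1 www.ca.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.trendmicro.com
"""

if __name__ == "__main__":
    for n, host in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {n}: {host} is sinkholed")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

A vendor domain mapped to a real address (an internal update mirror, for instance) is not flagged, because only sinkhole addresses are considered; after cleaning, flush the DNS resolver cache before re-testing access to the vendor sites.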

7. It attempts to connect to the following addresses:

www.fbi.gov

www.sophos.com

8. It downloads malware from the following URL:

http://j0r.biz/proto.com

9. It searches the user's computer for valid e-mail addresses and mails itself to them.

The spoofed sender address is assembled as follows:

The domain is one of the following, chosen at random:

@msn

@microsoft

@messagelab

@iana

@foo

@avp

The local part (the name before the @) is one of the following, chosen at random:

root@

rating@

postmaster@

pgp

panda

ntivi

norton

noreply

noone@

nobody@

news

local

listserv

linux

kasp

info@

microsoft

help@

google

gold-certs@

free-av

feste

f-secur

contract@

certific

cafee

bugs@

bsd

anyone@

admin

abuse

It does not send mail to addresses in the following domains:

@trendmicro.com

@sarc.com

@msn.com

@f-secure.com

@securityfocus.com

@security.com

@kaspersky.com

@symantec.com

@sophos.com

@yahoo.com

@mcafee.com

@microsoft.com

@ca.com

@aol.com

The message body is one of the following, chosen at random:

Here is the file.

Message is in attach

See the attached file for details.

Pay attention at the attach.

Check attached file.

Check attached file for details.

Attached file tells everything.

Attach tells everything.

Please, read the document.

Your document is attached.

Please, have a look at the attached file.

See attach.

More info is in attach

Try this.

Your file is attached.

Read the attach.

Encrypted document

The subject is one of the following:

Re: Hi

Site changes

Forum notify

Re: Protected message

Protected message

Fax Message

Update

Changes..

Notification

Re: Message Notify

Re: Incoming Msg

Re: Incoming Message

Incoming message

Re: Document

Re: Text message

Re: Thanks :)

Re: Thank you!

Re: Yahoo!

Re: Re: Hello

Re: Msg reply

The attachment is the worm itself, with one of the following names chosen at random:

XXX hardcore images.exe

Windows Sourcecode update.doc .exe

Windown Longhorn Beta Leak.exe

WinAmp 6 New!.exe

Serials.txt .exe

Porno, sex, oral, anal cool, awesome!!.exe

Porno pics arhive, xxx.exe

Porno Screensaver.scr

New patch.exe

New document.doc .exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Microsoft Office XP working Crack, Keygen.exe

Microsoft Office 2003 Crack, Working!.exe

Kaspersky Antivirus 5.0.exe

Ahead Nero 7.exe
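The sender pattern, subject and body lists, and the attachment names in section 9 are all usable as mail-gateway triage rules. The following is an added example, not code from the original page: it parses a raw message with Python's email module and reports which of those indicators matched. The attachment rule is the one worth keeping beyond this variant: several names above end in ".doc .exe" or ".txt .exe", where the whitespace padding pushes the real extension out of a narrow attachment column, so the check looks for an executable extension at the very end of the name regardless of what precedes it. The sender check is a prefix match on both the local part and the domain, which is my reading of the lists above (the page gives "@microsoft", not a full domain). The sample message and all function names are mine.

```python
"""Added example (not from the original page): triage rules built from the
Worm.Beagle.xk mail indicators in section 9."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

# Lists transcribed from section 9 of the page.
SENDER_DOMAIN_PREFIXES = ("msn", "microsoft", "messagelab", "iana", "foo", "avp")
SENDER_LOCAL_PREFIXES = (
    "root", "rating", "postmaster", "pgp", "panda", "ntivi", "norton", "noreply",
    "noone", "nobody", "news", "local", "listserv", "linux", "kasp", "info",
    "microsoft", "help", "google", "gold-certs", "free-av", "feste", "f-secur",
    "contract", "certific", "cafee", "bugs", "bsd", "anyone", "admin", "abuse",
)
KNOWN_SUBJECTS = {
    "re: hi", "site changes", "forum notify", "re: protected message",
    "protected message", "fax message", "update", "changes..", "notification",
    "re: message notify", "re: incoming msg", "re: incoming message",
    "incoming message", "re: document", "re: text message", "re: thanks :)",
    "re: thank you!", "re: yahoo!", "re: re: hello", "re: msg reply",
}
KNOWN_BODIES = {
    "here is the file.", "message is in attach", "see the attached file for details.",
    "pay attention at the attach.", "check attached file.",
    "check attached file for details.", "attached file tells everything.",
    "attach tells everything.", "please, read the document.",
    "your document is attached.", "please, have a look at the attached file.",
    "see attach.", "more info is in attach", "try this.", "your file is attached.",
    "read the attach.", "encrypted document",
}
# Executable extension at the end of the name, whatever "inner" extension and
# whitespace padding come before it ("New document.doc .exe", "Serials.txt .exe").
EXECUTABLE_NAME = re.compile(r"\.(exe|scr|com|pif|bat|cmd)\s*$", re.IGNORECASE)


def is_spoofed_sender(addr: str) -> bool:
    """True if the address is built the way the worm builds its From: address."""
    local, _, domain = addr.lower().partition("@")
    if not local or not domain:
        return False
    return (any(domain.startswith(p) for p in SENDER_DOMAIN_PREFIXES)
            and any(local.startswith(p) for p in SENDER_LOCAL_PREFIXES))


def is_executable_attachment(filename: str) -> bool:
    return bool(EXECUTABLE_NAME.search(filename))


def lure_indicators(msg: Message) -> List[str]:
    """Names of the indicators that matched; an empty list means nothing matched."""
    hits = []
    if is_spoofed_sender(parseaddr(msg.get("From", ""))[1]):
        hits.append("spoofed-sender")
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if is_executable_attachment(name):
                hits.append("executable-attachment")
            continue
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("ascii", "replace")
            if body.strip().lower() in KNOWN_BODIES:
                hits.append("known-body")
    return hits


def triage(raw: str) -> List[str]:
    return lure_indicators(message_from_string(raw))


# Constructed sample shaped like the messages described in section 9
# (the attachment payload is a two-byte placeholder, not a real binary).
SAMPLE_LURE = """\
From: noreply-server@microsoft-support.com
To: victim@example.org
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Check attached file for details.
--b1
Content-Type: application/octet-stream; name="Serials.txt .exe"
Content-Disposition: attachment; filename="Serials.txt .exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
```

The spoofed-sender rule on its own is a weak signal, since the worm deliberately picks names that look like legitimate postmaster or vendor addresses; it is meant to add to a score together with the subject, body and attachment rules, not to block mail by itself. The executable-attachment rule, by contrast, is worth enforcing outright on an inbound gateway.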

10. The worm contains the following embedded message:

If you want zotob author for a crime i can tell you his email, information about his country and etc so you can arrest him easily.
