恶鹰变种N

王朝百科·作者佚名 2010-01-08

宽屏版字体: 小|中|大|超大

病毒信息：

病毒名称: Worm.Beagle.N

中文名称: 恶鹰变种N

威胁级别: 3A

病毒别名: Worm.BBeagle.P [瑞星]

PE_BAGLE.P [Trend]

W32/Bagle.p@MM [McAfee]

W32.Beagle.M@mm [Symantec]

病毒类型: 蠕虫、后门

受影响系统:Win9x/WinMe/WinNT/Win2000/WinXP/Win2003

技术特点：

· 传染条件：利用邮件高速传播；

· 发作现象：病毒使用以<附图>图标，以迷惑电脑使用者点击。

· 系统修改：

A、将病毒自身拷贝到

%System%winupd.exe: 该蠕虫的拷贝.

%System%winupd.exeopen: 该蠕虫的拷贝

%System%winupd.exeopenopen: 也是该蠕虫的一个拷贝，也有可能是包含该蠕虫的加密.zip或.rar文件

%System%winupd.exeopenopenopen: 一个.bmp文件，包含上面.zip或.rar文件的解密密码，只有当winupd.exeopenopen为一个密码保护.zip或.rar文件时才会创建。

B、在注册表的主键:

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

中添加如下键值:

"winupd.exe"="%System%winupd.exe"

以便该病毒在每次重启 Windows 时运行。

在注册表主键：

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

中删除如下键值:

9XHtProtect

Antivirus

HtProtect

ICQ Net

ICQNet

My AV

Special Firewall Service

Tiny AV

Zone Labs Client Ex

service

C、在TCP端口2556 开一个后门。

D、该病毒为变形病毒，并且会感染系统中的.exe文件

E、尝试关闭以下程序进程：

AGENTSVR.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATWATCH.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGSERV9.EXE

AVLTMAIN.EXE

AVPUPD.EXE

AVSYNMGR.EXE

AVWUPD32.EXE

AVXQUAR.EXE

AVprotect9x.exe

Au.exe

BD_PROFESSIONAL.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BOOTWARN.EXE

BORG2.EXE

BS120.EXE

CDP.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CMGRDIAN.EXE

CMON016.EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

D3dupdate.exe

DEFWATCH.EXE

DEPUTY.EXE

DPF.EXE

DPFSETUP.EXE

DRWATSON.EXE

DRWEBUPW.EXE

ENT.EXE

ESCANH95.EXE

ESCANHNT.EXE

ESCANV95.EXE

EXANTIVIRUS-CNET.EXE

FAST.EXE

FIREWALL.EXE

FLOWPROTECTOR.EXE

FP-WIN_TRIAL.EXE

FRW.EXE

FSAV.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

GBMENU.EXE

GBPOLL.EXE

GUARD.EXE

HACKTRACERSETUP.EXE

HTLOG.EXE

HWPE.EXE

IAMAPP.EXE

IAMSERV.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFW2000.EXE

IPARMOR.EXE

IRIS.EXE

JAMMER.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KILLPROCESSSETUP161.EXE

LDPRO.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LSETUP.EXE

LUALL.EXE

LUCOMSERVER.EXE

LUINIT.EXE

MCAGENT.EXE

MCUPDATE.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGUI.EXE

MINILOG.EXE

MOOLIVE.EXE

MRFLUX.EXE

MSCONFIG.EXE

MSINFO32.EXE

MSSMMC32.EXE

MU0311AD.EXE

NAV80TRY.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVSTUB.EXE

NAVW32.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NETARMOR.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NSCHED32.EXE

NTVDM.EXE

NUPGRADE.EXE

NVARCH16.EXE

NWINST4.EXE

NWTOOL16.EXE

OSTRONET.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANIXK.EXE

PAVPROXY.EXE

PCC2002S902.EXE

PCC2K_76_1436.EXE

PCCIOMON.EXE

PCDSETUP.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PF2.EXE

PFWADMIN.EXE

PINGSCAN.EXE

PLATIN.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTIVE.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PROCEXPLORERV1.0.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

PVIEW95.EXE

QCONSOLE.EXE

QSERVER.EXE

RAV8WIN32ENG.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCN95.EXE

RULAUNCH.EXE

SAFEWEB.EXE

SBSERV.EXE

SD.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SMC.EXE

SOFI.EXE

SPF.EXE

SPHINX.EXE

SPYXX.EXE

SS3EDIT.EXE

ST2.EXE

SUPFTRL.EXE

SUPPORTER5.EXE

SYMPROXYSVC.EXE

SYSEDIT.EXE

TASKMON.EXE

TAUMON.EXE

TAUSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-98.EXE

TDS2-NT.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

UNDOBOOT.EXE

UPDATE.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VFSETUP.EXE

VIRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCENU6.02D30.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBSCANX.EXE

WGFE95.EXE

WHOSWATCHINGME.EXE

WINRECON.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZAUINST.EXE

ZONALM2601.EXE

ZONEALARM.EXE

F、在本地磁盘扫描具有以下扩展名的文件，以收集邮件地址。

adb

asp

cfg

cgi

dbx

dhtm

eml

htm

jsp

mbx

mdx

mht

mmf

msg

nch

ods

oft

php

sht

shtm

stm

tbb

txt

uin

wab

wsh

xls

xml

G、用自带的smtp引擎发送邮件。

发件人从以下字符串中选择一个：

management@<接收者的Email地址的域>

administration@<接收者的Email地址的域>

staff@<接收者的Email地址的域>

antivirus@<接收者的Email地址的域>

antispam@<接收者的Email地址的域>

noreply@<接收者的Email地址的域>

support@<接收者的Email地址的域>

邮件主题从以下段落中选择一个：

Account notify

E-mail account disabling warning.

E-mail account security warning.

E-mail technical support message.

E-mail technical support warning.

E-mail warning

Email account utilization warning.

Email report

Encrypted document

Fax Message Received

Forum notify

Hidden message

Important notify

Important notify about your e-mail account.

Incoming message

Notify about using the e-mail account.

Notify about your e-mail account utilization.

Notify from e-mail technical support.

Protected message

RE: Protected message

RE: Text message

Re: Document

Re: Hello

Re: Hi

Re: Incoming Fax

Re: Incoming Message

Re: Msg reply

Re: Thank you!

Re: Thanks :)

Re: Yahoo!

Request response

Site changes

邮件内容从以下段落中选择一个：

Dear user of ,

Dear user of "" mailing server,

Dear user of "" mailing domain,

Dear user of gateway e-mail server gateway,

Dear user of e-mail server "",

Hello user of e-mail server,

Dear user of "" mailing system,

Dear user, the management of mailing system wants to let you know that,

下文为以下段落中选择一个：

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavaible for next two days,

to continue receiving mail in these days you have to configure our free

auto-forwarding service.

Your e-mail account will be disabled because of improper using in next

three days, if you are still wishing to use it, please, resign your

account information.

We warn you about some attacks on your e-mail account. Your computer may

contain viruses, in order to keep your computer and e-mail account safe,

please, follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing

from your email account, you may use our free anti-virus tool to clean up

your computer software.

Some of our clients complained about the spam (negative e-mail content)

outgoing from your e-mail account. Probably, you have been infected by

a proxy-relay trojan server. In order to keep your computer safe,

follow the instructions.

下文为以下段落中选择一个：

For more information see the attached file.

Further details can be obtained from attached file.

Advanced details can be found in attached file.

For details see the attach.

For details see the attached file.

For further details see the attach.

Please, read the attach for further details.

Pay attention on attached file.Read the attach.

Your file is attached.

More info in attach

See attach.

Follow the wabbit.

Find the white rabbit.

Please, have a look at the attached file.

See the attached file for details.

Message is in attach

Here is the file.

下文为：

The team

http:/ / target=_blank>www.

下文为以下字符串中的一个：

The Management,

Sincerely,

Best wishes,

Have a good day,

Cheers,

Kind regards,

邮件附件名从以下字符串中选择一个:

Attach

Details

Document

Encrypted

Gift

Info

Information

Message

MoreInfo

Readme

Text

TextDocument

details

first_part

pub_document

text_document

如果附件为.zip或.rar文件，则还将从以下字符串中选择一个填入下文：

For security reasons attached file is password protected. The password is <含有密码的图片>

For security purposes the attached file is password protected. Password -- <含有密码的图片>

Note: Use password <含有密码的图片> to open archive.

Attached file is protected with the password for security reasons. Password is <含有密码的图片>

In order to read the attach you have to use the following password: <含有密码的图片>

Archive password: <含有密码的图片>

Password - <含有密码的图片>

Password: <含有密码的图片>

H、该蠕虫将不会往含以下字段的邮件地址发送邮件：

@avp.

@foo

@hotmail.com

@iana

@messagelab

@microsoft

@msn

abuse

admin

anyone@

bsd

bugs@

cafee

certific

contract@

f-secur

feste

free-av

gold-certs@

google

help@

icrosoft

info@

kasp

linux

listserv

local

nobody@

noone@

noreply

ntivi

panda

pgp

postmaster@

rating@

root@

samples

sopho

spam

support

unix

winrar

winzip

I、该病毒为了可以在文件共享网络传播，如：KaZaA 和 iMesh, 它查找含有字符串"shar"的共享文件夹将其自己拷贝进去，文件名在以下字符串中选择一个：

ACDSee 9.exe

Adobe Photoshop 9 full.exe

Ahead Nero 7.exe

Matrix 3 Revolution English Subtitles.exe

Microsoft Office 2003 Crack, Working!.exe

Microsoft Office XP working Crack, Keygen.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Opera 8 New!.exe

Porno Screensaver.scr

Porno pics arhive, xxx.exe

Porno, sex, oral, anal cool, awesome!!.exe

Serials.txt.exe

WinAmp 5 Pro Keygen Crack Update.exe

WinAmp 6 New!.exe

Windown Longhorn Beta Leak.exe

Windows Sourcecode update.doc.exe

XXX hardcore images.exe

解决方案:

· 金山毒霸已经于3月18日对该病毒进行了应急处理，请升级最新版可完全查该病毒；

· 请一定留意收到的邮件，如果有附件，请不要打开附件，更不要执行附件中的可执行程序，注

意病毒程序伪装的图标，不要轻信图标为“电子表格、文本文件、文件夹”的附件；