基本介紹
- 中文名:“惡鷹變種AT”(Worm.Beagle.at)
- 病毒長度:17924
- 威脅級別:三級
- 病毒類型:蠕蟲
病毒概說,病毒的分析報告,病毒信息,技術特點,解決方案,
病毒概說
金山毒霸反病毒實驗室緊急處理了一個傳播較為廣泛的惡鷹家族成員,命名為:“惡鷹變種AT”(Worm.Beagle.at),並緊急升級了病毒庫。該變種已有部份用戶不慎感染,已在網際網路製造大量垃圾郵件,請廣大網路用戶提高警惕。
金山毒霸對該病毒已經做了緊急處理,請用戶及時升級毒霸到2004年10月29日的最新病毒庫。
病毒的分析報告
病毒信息
病毒名稱:Worm.Beagle.at
中文名稱: 惡鷹變種at
病毒別名: I-Worm.Bagle.at[AVP]
受影響系統: WinNT/Win2000/WinXP/Windows2003
發現時間:2004年10月29日
技術特點
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
2.在被感染的機器上創建以下檔案:
%System%\bawindo.exe
%System%\bawindo.exeopen
%System%\bawindo.exeopenopen
%System%\re_file.exe
3.在註冊表HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run中
增加"wingo"="%System%\wingo.exe"來確保自身能隨計算機啟動
4.從HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
刪除包含以下字元串的鍵值:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
5.在包含"shar"字元串的目錄下創建檔案,檔案名稱可能為下列字元:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
6.搜尋以下列字元串為擴展名的檔案來獲得Email地址,並用自帶的SMTP引擎傳送帶毒郵件
.adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml
發件人:偽造的
主題:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
正文:
:)
:))
附屬檔案:
檔案名稱可能為:
Price
price
Joke
擴展名可能為:
.com/.scr/.cpl
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
9.嘗試從下列網站下載檔案
www.bottombouncer.com
www.bottombouncer.com
www.anthonyflanagan.com
www.bradster.com
www.traverse.com
www.ims-i.com
www.realgps.com
www.aviation-center.de
www.gci-bln.de
www.pankration.com
www.jansenboiler.com
www.corpsite.com
www.everett.wednet.edu
www.onepositiveplace.org
www.raecoinc.com
www.wwwebad.com
www.corpsite.com
www.wwwebmaster.com
www.wwwebad.com
www.dragcar.com
www.wwwebad.com
www.oohlala-kirkland.com
www.calderwoodinn.com
www.buddyboymusic.com
www.smacgreetings.com
www.tkd2xcell.com
www.curtmarsh.com
www.dontbeaweekendparent.com
www.soloconsulting.com
www.lasermach.com
www.generationnow.net
www.flashcorp.com
www.kencorbett.com
www.FritoPie.NET
www.leonhendrix.com
www.transportation.gov.bh
www.transportation.gov.bh
www.jhaforpresident.7p.com
www.DarrkSydebaby.com
www.cntv.info
www.sugardas.lt
www.adhdtests.com
www.argontech.net
www.customloyal.com
www.ohiolimo.com
www.topko.sk
www.alupass.lu
www.sigi.lu
www.redlightpictures.com
www.irinaswelt.de
www.bueroservice-it.de
www.kranenberg.de
www.kranenberg.de
www.the-fabulous-lions.de
www.the-fabulous-lions.de
www.mongolische-renner.de
www.mongolische-renner.de
www.capri-frames.de
www.capri-frames.de
www.aimcenter.net
www.boneheadmusic.com
www.fludir.is
www.sljinc.com
www.tivogoddess.com
www.fcpages.com
www.andara.com
www.freeservers.com
www.programmierung20d 0a0.de
www.asianfestival.nl
www.aviation-center.de
www.gci-bln.de
www.mass-i.kiev.ua
www.jasnet.pl
www.atlantisteste.hpg.com.br
www.fludir.is
www.rieraquadros.com.br
www.metal.pl
www.handsforhealth.com
www.angelartsanctuary.com
www.firstnightoceancounty.org
www.chinasenfa.com
www.chinasenfa.com
www.ulpiano.org
www.gamp.pl
www.vikingpc.pl
www.woundedshepherds.com
www.cpc.adv.br
www.velocityprint.com
www.esperanzaparalafamilia.com
www.celula.com.mx
www.mexis.com
www.wecompete.com
www.vbw.info
www.gfn.org
www.aegee.org
www.deadrobot.com
www.cscliberec.cz
www.ecofotos.com.br
www.amanit.ru
www.bga-gsm.ru
www.innnewport.com
www.knicks.nl
www.srg-neuburg.de
www.mepmh.de
www.mepbisu.de
www.kradtraining.de
www.polizeimotorrad.de
www.sea.bz.it
www.uslungiarue.it
www.gcnet.ru
www.aimcenter.net
www.vandermost.de
www.vandermost.de
www.szantomierz.art.pl
www.immonaut.sk
www.eurostavba.sk
www.spadochron.pl
www.pyrlandia-boogie.pl
www.kps4parents.com
www.pipni.cz
www.selu.edu
www.travelchronic.de
www.fleigutaetscher.ch
www.irakli.org
www.oboe-online.com
www.oboe-online.com
www.pe-sh.com
www.idb-group.net
www.ceskyhosting.cz
www.ceskyhosting.cz
www.hartacorporation.com
www.glass.la
www.glass.la
www.24-7-transportation.com
www.fepese.ufsc.br
www.ellarouge.com.au
www.bbsh.org
www.boneheadmusic.com
www.sljinc.com
www.tivogoddess.com
www.fcpages.com
www.szantomierz.art.pl
www.elenalazar.com
www.ssmifc.ca
www.reliance-yachts.com
www.worest.com.ar
www.kps4parents.com
www.coolfreepages.com
www.scanex-medical.fi
www.jimvann.com
www.orari.net
www.himpsi.org
www.mtfdesign.com
www.jldr.ca
www.relocationflorida.com
www.rentalstation.com
www.approved1stmortgage.com
www.velezcourtesymanagement.com
www.sunassetholdings.com
www.compsolutionstore.com
www.uhcc.com
www.justrepublicans.com
www.pfadfinder-leobersdorf.com
www.featech.com
www.vinirforge.com
www.magicbottle.com.tw
www.giantrevenue.com
www.couponcapital.net
www.crystalrose.ca
www.crystalrose.ca
www.crystalrose.ca
www.crystalrose.ca
解決方案
C、開啟金山毒霸病毒防火牆可防止病毒入侵。
安全小貼士
A、養成良好的安全習慣。只有不輕易打開即時通訊工具傳來的網址、不隨便打開來歷不明的郵件
及附屬檔案、不到不安全的網站下載可執行程式、不要執行從 Internet 下載後未經防毒處理的軟
件等,才能確保您系統的安全。
、震盪波等,都是利用了系統漏洞,所以請您定期到微軟網站下載最新的安全補丁,及時補住
