Worm.Beagle.N

病毒別名：Worm.BBeagle.P [瑞星] PE_BAGLE.P [Trend] W32/Bagle.p@MM [McAfee] W32.Beagle.M@mm [Symantec]

處理時間：

威脅級別：★★★

中文名稱：“惡鷹”變種N

病毒類型：蠕蟲

影響系統：Win9x/WinMe/WinNT/Win2000/WinXP/Win2003

病毒行為：

編寫工具：

傳染條件：

發作條件：

系統修改：

A、將病毒自身拷貝到：

%System%winupd.exe: 該蠕蟲的拷貝.

%System%winupd.exeopen: 該蠕蟲的拷貝

%System%winupd.exeopenopen: 也是該蠕蟲的一個拷貝，也有可能是包含該蠕蟲的加密.zip或.rar檔案

%System%winupd.exeopenopenopen: 一個.bmp檔案，包含上面.zip或.rar檔案的解密密碼，只有當winupd.exeopenopen為一個密碼保護.zip或.rar檔案時才會創建。

B、在註冊表的主鍵：

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

中添加如下鍵值：

"winupd.exe"="%System%winupd.exe"

以便該病毒在每次重啟 Windows 時運行。

在註冊表主鍵：

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

中刪除如下鍵值：

9XHtProtect

Antivirus

HtProtect

ICQ Net

ICQNet

My AV

Special Firewall Service

Tiny AV

Zone Labs Client Ex

service

C、在TCP連線埠2556 開一個後門。

D、該病毒為變形病毒，並且會感染系統中的.exe檔案

發作現象：

A、嘗試關閉以下程式進程：

AGENTSVR.EXE

ANTI-TROJAN.EXE

ANTIⅥRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATWATCH.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGSERV9.EXE

AVLTMAIN.EXE

AVPUPD.EXE

AVSYNMGR.EXE

AVWUPD32.EXE

AVXQUAR.EXE

AVprotect9x.exe

Au.exe

BD_PROFESSIONAL.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BOOTWARN.EXE

BORG2.EXE

BS120.EXE

CDP.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CMGRDIAN.EXE

CMON0EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

D3dupdate.exe

DEFWATCH.EXE

DEPUTY.EXE

DPF.EXE

DPFSETUP.EXE

DRWATSON.EXE

DRWEBUPW.EXE

ENT.EXE

ESCANH95.EXE

ESCANHNT.EXE

ESCANV95.EXE

EXANTIⅥRUS-CNET.EXE

FAST.EXE

FIREWALL.EXE

FLOWPROTECTOR.EXE

FP-WIN_TRIAL.EXE

FRW.EXE

FSAV.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

GBMENU.EXE

GBPOLL.EXE

GUARD.EXE

HACKTRACERSETUP.EXE

HTLOG.EXE

HWPE.EXE

IAMAPP.EXE

IAMSERV.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFW2000.EXE

IPARMOR.EXE

IRIS.EXE

JAMMER.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KILLPROCESSSETUP161.EXE

LDPRO.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LSETUP.EXE

LUALL.EXE

LUCOMSERVER.EXE

LUINIT.EXE

MCAGENT.EXE

MCUPDATE.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGUI.EXE

MINILOG.EXE

MOOLⅣE.EXE

MRFLUX.EXE

MSCONFIG.EXE

MSINFO32.EXE

MSSMMC32.EXE

MU0311AD.EXE

NAV80TRY.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVSTUB.EXE

NAVW32.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NETARMOR.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NSCHED32.EXE

NTVDM.EXE

NUPGRADE.EXE

NVARCHEXE

NWINST4.EXE

NWTOOLEXE

OSTRONET.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANⅨK.EXE

PAVPROXY.EXE

PCC2002S902.EXE

PCC2K_76_1436.EXE

PCCIOMON.EXE

PCDSETUP.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PF2.EXE

PFWADMIN.EXE

PINGSCAN.EXE

PLATIN.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTⅣE.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PROCEXPLORERV1.0.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

PⅥEW95.EXE

QCONSOLE.EXE

QSERVER.EXE

RAV8WIN32ENG.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCN95.EXE

RULAUNCH.EXE

SAFEWEB.EXE

SBSERV.EXE

SD.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SMC.EXE

SOFI.EXE

SPF.EXE

SPHINX.EXE

SPYXX.EXE

SS3EDIT.EXE

ST2.EXE

SUPFTRL.EXE

SUPPORTER5.EXE

SYMPROXYSVC.EXE

SYSEDIT.EXE

TASKMON.EXE

TAUMON.EXE

TAUSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-98.EXE

TDS2-NT.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

UNDOBOOT.EXE

UPDATE.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VFSETUP.EXE

ⅥRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCENU6.02D30.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBSCANX.EXE

WGFE95.EXE

WHOSWATCHINGME.EXE

WINRECON.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZAUINST.EXE

ZONALM2601.EXE

ZONEALARM.EXE

B、在本地磁碟掃描具有以下擴展名的檔案，以收集郵件地址。

adb

asp

cfg

cgi

dbx

dhtm

eml

htm

jsp

mbx

mdx

mht

mmf

msg

nch

ods

oft

php

pl

sht

shtm

stm

tbb

txt

uin

wab

wsh

xls

xml

C、用自帶的smtp引擎傳送郵件。

發件人從以下字元串中選擇一個：

management@<；接收者的Email地址的域>

administration@<；接收者的Email地址的域>

staff@<；接收者的Email地址的域>

antivirus@<；接收者的Email地址的域>

antispam@<；接收者的Email地址的域>

noreply@<；接收者的Email地址的域>

support@<；接收者的Email地址的域>

郵件主題從以下段落中選擇一個：

Account notify

E-mail account disabling warning.

E-mail account security warning.

E-mail technical support message.

E-mail technical support warning.

E-mail warning

Email account utilization warning.

Email report

Encrypted document

Fax Message Received

Forum notify

Hidden message

Important notify

Important notify about your e-mail account.

Incoming message

Notify about using the e-mail account.

Notify about your e-mail account utilization.

Notify from e-mail technical support.

Protected message

RE: Protected message

RE: Text message

Re: Document

Re: Hello

Re: Hi

Re: Incoming Fax

Re: Incoming Message

Re: Msg reply

Re: Thank you!

Re: Thanks :)

Re: Yahoo!

Request response

Site changes

郵件內容從以下段落中選擇一個：

Dear user of <；接收者的Email地址的域>,

Dear user of "<；接收者的Email地址的域>" mailing server,

Dear user of "<；接收者的Email地址的域>" mailing domain,

Dear user of <；接收者的Email地址的域> gateway e-mail server gateway,

Dear user of e-mail server "<；接收者的Email地址的域>",

Hello user of <；接收者的Email地址的域> e-mail server,

Dear user of "<；接收者的Email地址的域>" mailing system,

Dear user,the management of <；接收者的Email地址的域> mailing system wants to let you know that,

下文為以下段落中選擇一個：

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavaible for next two days,

to continue receiving mail in these days you have to configure our free

auto-forwarding service.

Your e-mail account will be disabled because of improper using in next

three days,if you are still wishing to use it,please,resign your

account information.

We warn you about some attacks on your e-mail account. Your computer may

contain viruses,in order to keep your computer and e-mail account safe,

please,follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing

from your email account,you may use our free anti-virus tool to clean up

your computer software.

Some of our clients complained about the spam (negative e-mail content)

outgoing from your e-mail account. Probably,you have been infected by

a proxy-relay trojan server. In order to keep your computer safe,

follow the instructions.

下文為以下段落中選擇一個：

For more information see the attached file.

Further details can be obtained from attached file.

Advanced details can be found in attached file.

For details see the attach.

For details see the attached file.

For further details see the attach.

Please,read the attach for further details.

Pay attention on attached file.Read the attach.

Your file is attached.

More info in attach

See attach.

Follow the wabbit.

Find the white rabbit.

Please,have a look at the attached file.

See the attached file for details.

Message is in attach

Here is the file.

下文為：

The team

http:/ /www.

下文為以下字元串中的一個：

The Management,

Sincerely,

Best wishes,

Have a good day,

Cheers,

Kind regards,

郵件附屬檔案名從以下字元串中選擇一個：

Attach

Details

Document

Encrypted

Gift

Info

Information

Message

MoreInfo

Readme

Text

TextDocument

details

first_part

pub_document

text_document

如果附屬檔案為.zip或.rar檔案，則還將從以下字元串中選擇一個填入正文：

For security reasons attached file is password protected. The password is <；含有密碼的圖片>

For security purposes the attached file is password protected. Password -- <；含有密碼的圖片>

Note: Use password <；含有密碼的圖片> to open archive.

Attached file is protected with the password for security reasons. Password is <；含有密碼的圖片>

In order to read the attach you have to use the following password: <；含有密碼的圖片>

Archive password: <；含有密碼的圖片>

Password - <；含有密碼的圖片>

Password: <；含有密碼的圖片>

D、該蠕蟲將不會往含以下欄位的郵件地址傳送郵件：

@avp.

@foo

@hotmail.com

@iana

@messagelab

@microsoft

@msn

abuse

admin

anyone@

bsd

bugs@

cafee

certific

contract@

f-secur

feste

free-av

gold-certs@

google

help@

icrosoft

info@

kasp

linux

listserv

local

nobody@

noone@

noreply

ntivi

panda

pgp

postmaster@

rating@

root@

samples

sopho

spam

support

unix

winrar

winzip

E、該病毒為了可以在檔案共享網路傳播，如：KaZaA 和 iMesh，它查找含有字元串"shar"的已分享檔案夾將其自己拷貝進去，檔案名稱在以下字元串中選擇一個：

ACDSee 9.exe

Adobe Photoshop 9 full.exe

Ahead Nero 7.exe

Matrix 3 Revolution English Subtitles.exe

Microsoft Office 2003 Crack,Working!.exe

Microsoft Office XP working Crack,Keygen.exe

Microsoft Windows XP,WinXP Crack,working Keygen.exe

Opera 8 New!.exe

Porno Screensaver.scr

Porno pics arhive,xxx.exe

Porno,sex,oral,anal cool,awesome!!.exe

Serials.txt.exe

WinAmp 5 Pro Keygen Crack Update.exe

WinAmp 6 New!.exe

Windown Longhorn Beta Leak.exe

Windows Sourcecode update.doc.exe

XXX hardcore images.exe

特別說明：