| 订阅 | 在线投稿
分享
 
 
 

Worm.Beagle.fi

2008-08-14 22:50:10  编辑来源:互联网  宽屏版  评论

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

69842

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是一种通过邮件传播的蠕虫病毒,该病毒搜索被感染机器上的邮件地址把自己的拷贝发送出去,并且会尝试下载新病毒变种。该病毒并且会生成驱动保护病毒,删除大量的注册表项,使被感染的机器无法进入安全模式。

1。生成文件:

%ApplicationData%\hidn\hidn.exe

%ApplicationData%\hidn\m_hook.sys

C:\error.gif

2.当病毒第一次运行的时候会生成一下键值:

HKCU\Software\FirstRuxzx

FirstRun

3.起始项里面添加以下内容:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

drv_st_key

4.尝试连接smtp.google.com判定网络是否连通。

5.尝试下载以下文件:

http://www.titanmotors.com/images/1/eml.php

http://veranmaisala.com/1/eml.php

http://wklight.nazwa.pl/1/eml.php

http://yongsan24.co.kr/1/eml.php

http://accesible.cl/1/eml.php

http://hotelesalba.com/1/eml.php

http://amdlady.com/1/eml.php

http://inca.dnetsolution.net/1/eml.php

http://www.auraura.com/1/eml.php

http://avataresgratis.com/1/eml.php

http://beyoglu.com.tr/1/eml.php

http://brandshock.com/1/eml.php

http://www.buydigital.co.kr/1/eml.php

http://camaramafra.sc.gov.br/1/eml.php

http://camposequipamentos.com.br/1/eml.php

http://cbradio.sos.pl/1/eml.php

http://c-d-c.com.au/1/eml.php

http://www.klanpl.com/1/eml.php

http://coparefrescos.stantonstreetgroup.com/1/eml.php

http://creainspire.com/1/eml.php

http://desenjoi.com.br/1/eml.php

http://www.inprofile.gr/1/eml.php

http://www.diem.cl/1/eml.php

http://www.discotecapuzzle.com/1/eml.php

http://ujscie.one.pl/777.gif

http://1point2.iae.nl/777.gif

http://appaloosa.no/777.gif

http://apromed.com/777.gif

http://arborfolia.com/777.gif

http://pawlacz.com/777.gif

http://areal-realt.ru/777.gif

http://bitel.ru/777.gif

http://yetii.no-ip.com/777.gif

http://art4u1.superhost.pl/777.gif

http://www.artbed.pl/777.gif

http://art-bizar.foxnet.pl/777.gif

http://www.jonogueira.com/777.gif

http://asdesign.cz/777.gif

http://ftp-dom.earthlink.net/777.gif

http://www.aureaorodeley.com/777.gif

http://www.autoekb.ru/777.gif

http://www.autovorota.ru/777.gif

http://avenue.ee/777.gif

http://www.avinpharma.ru/777.gif

http://ouarzazateservices.com/777.gif

http://stats-adf.altadis.com/777.gif

http://bartex-cit.com.pl/777.gif

http://bazarbekr.sk/777.gif

http://gnu.univ.gda.pl/777.gif

http://bid-usa.com/777.gif

http://biliskov.com/777.gif

http://biomedpel.cz/777.gif

http://blackbull.cz/777.gif

http://bohuminsko.cz/777.gif

http://bonsai-world.com.au/777.gif

http://bpsbillboards.com/777.gif

http://cadinformatics.com/777.gif

http://canecaecia.com/777.gif

http://www.castnetnultimedia.com/777.gif

http://compucel.com/777.gif

http://continentalcarbonindia.com/777.gif

http://ceramax.co.kr/777.gif

http://prime.gushi.org/777.gif

http://www.chapisteriadaniel.com/777.gif

http://charlesspaans.com/777.gif

http://chatsk.wz.cz/777.gif

http://www.chittychat.com/777.gif

http://checkalertusa.com/777.gif

http://cibernegocios.com.ar/777.gif

http://5050clothing.com/777.gif

http://cof666.shockonline.net/777.gif

http://comaxtechnologies.net/777.gif

http://concellodesandias.com/777.gif

http://www.cort.ru/777.gif

http://donchef.com/777.gif

http://www.crfj.com/777.gif

http://kremz.ru/777.gif

http://dev.jintek.com/777.gif

http://foxvcoin.com/777.gif

http://uwua132.org/777.gif

http://v-v-kopretiny.ic.cz/777.gif

http://erich-kaestner-schule-donaueschingen.de/777.gif

http://vanvakfi.com/777.gif

http://axelero.hu/777.gif

http://kisalfold.com/777.gif

http://vega-sps.com/777.gif

http://vidus.ru/777.gif

http://viralstrategies.com/777.gif

http://svatba.viskot.cz/777.gif

http://Vivamodelhobby.com/777.gif

http://vkinfotech.com/777.gif

http://vytukas.com/777.gif

http://waisenhaus-kenya.ch/777.gif

http://watsrisuphan.org/777.gif

http://www.ag.ohio-state.edu/777.gif

http://wbecanada.com/777.gif

http://calamarco.com/777.gif

http://vproinc.com/777.gif

http://grupdogus.de/777.gif

http://knickimbit.de/777.gif

http://dogoodesign.ch/777.gif

http://systemforex.de/777.gif

http://zebrachina.net/777.gif

http://www.walsch.de/777.gif

http://hotchillishop.de/777.gif

http://innovation.ojom.net/777.gif

http://massgroup.de/777.gif

http://web-comp.hu/777.gif

http://webfull.com/777.gif

http://welvo.com/777.gif

http://www.ag.ohio-state.edu/777.gif

http://poliklinika-vajnorska.sk/777.gif

http://wvpilots.org/777.gif

http://www.kersten.de/777.gif

http://www.kljbwadersloh.de/777.gif

http://www.voov.de/777.gif

http://www.wchat.cz/777.gif

http://www.wg-aufbau-bautzen.de/777.gif

http://www.wzhuate.com/777.gif

http://zsnabreznaknm.sk/777.gif

http://xotravel.ru/777.gif

http://ilikesimple.com/777.gif

http://yeniguntugla.com/777.gif

6.结束以下进程:

"ashAvast.exe"

"ashDisp.exe"

"ashEnhcd.exe"

"ashPopWz.exe"

"ashSimpl.exe"

"ashSkPck.exe"

"ashWebSv.exe"

"AUPDATE.EXE"

"Avconsol.exe"

"avgcc.exe"

"avgemc.exe"

"AVGNT.EXE"

"AVSCHED32.EXE"

"Avsynmgr.exe"

"AVWUPD32.EXE"

"bdmcon.exe"

"bdnews.exe"

"bdsubmit.exe"

"bdswitch.exe"

"cafix.exe"

"ccApp.exe"

"CCEVTMGR.EXE"

"CCSETMGR.EXE"

"ClamTray.exe"

"ClamWin.exe"

"CMGrdian.exe"

"drwadins.exe"

"drweb32w.exe"

"drwebscd.exe"

"drwebupw.exe"

"freshclam.exe"

"GUARDGUI.EXE"

"GuardNT.exe"

"INETUPD.EXE"

"InocIT.exe"

"InoUpTNG.exe"

"isafe.exe"

"KAV.exe"

"kavmm.exe"

"KAVPF.exe"

"LUALL.EXE"

"Luupdate.exe"

"Mcshield.exe"

"NAVAPSVC.EXE"

"nod32.exe"

"nod32kui.exe"

"NPFMNTOR.EXE"

"npfmsg.exe"

"Nvcod.exe"

"Nvcte.exe"

"Nvcut.exe"

"outpost.exe"

"pccguide.exe"

"PcCtlCom.exe"

"QHPF.EXE"

"Realmon.exe"

"regedit.exe"

"regedt32.exe"

"RuLaunch.exe"

"SNDSrvc.exe"

"SPBBCSvc.exe"

"spiderml.exe"

"symlcsvc.exe"

"Tmntsrv.exe"

"TmPfw.exe"

"tmproxy.exe"

"Up2Date.exe"

"upgrepl.exe"

"Vba32ECM.exe"

"Vba32ifs.exe"

"vba32ldr.exe"

"Vba32PP3.exe"

"Vshwin32.exe"

"VsStat.exe"

"zatutor.exe"

"zlclient.exe"

"zonealarm.exe"

"guardnt.sys"

"filtnt.sys"

avsvc.exe

bdmcon.exe

vsserv.exe

bdnews.exe

livesrv.exe

mcupdate.exe

frameworkservice.exe

upgrader.exe

apvxdwin.exe

LuComServer_2_5.EXE

lucomserver_2_6.exe

drwebupw.exe

nod32krn.exe

7.在被感染的机器上搜索以下的文件格式,查找邮件地址:

.wab

.txt

.msg

.htm

.shtm

.stm

.xml

.dbx

.mbx

.mdx

.eml

.nch

.mmf

.ods

.cfg

.asp

.php

.pl

.wsh

.adb

.tbb

.sht

.xls

.oft

.uin

.cgi

.mht

.dhtm

.jsp

8.不向含有以下字符的邮件地址发送邮件:

@hotmail

@msn

@microsoft

rating@

f-secur

news

update

anyone@

bugs@

contract@

feste

gold-certs@

help@

info@

nobody@

noone@

kasp

admin

icrosoft

support

ntivi

unix

bsd

linux

listserv

certific

sopho

@foo

@iana

free-av

@messagelab

winzip

google

winrar

samples

abuse

panda

cafee

spam

pgp

@avp.

noreply

local

root@

postmaster@

病毒名称(中文): 病毒别名: 威胁级别: ★☆☆☆☆ 病毒类型: 蠕虫病毒 病毒长度: 69842 影响系统: Win9xWinMeWinNTWin2000WinXPWin2003 病毒行为: 这是一种通过邮件传播的蠕虫病毒,该病毒搜索被感染机器上的邮件地址把自己的拷贝发送出去,并且会尝试下载新病毒变种。该病毒并且会生成驱动保护病毒,删除大量的注册表项,使被感染的机器无法进入安全模式。 1。生成文件: %ApplicationData%\hidn\hidn.exe %ApplicationData%\hidn\m_hook.sys C:\error.gif 2.当病毒第一次运行的时候会生成一下键值: HKCU\Software\FirstRuxzx FirstRun 3.起始项里面添加以下内容: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run drv_st_key 4.尝试连接smtp.google.com判定网络是否连通。 5.尝试下载以下文件: http://www.titanmotors.com/images/1/eml.php http://veranmaisala.com/1/eml.php http://wklight.nazwa.pl/1/eml.php http://yongsan24.co.kr/1/eml.php http://accesible.cl/1/eml.php http://hotelesalba.com/1/eml.php http://amdlady.com/1/eml.php http://inca.dnetsolution.net/1/eml.php http://www.auraura.com/1/eml.php http://avataresgratis.com/1/eml.php http://beyoglu.com.tr/1/eml.php http://brandshock.com/1/eml.php http://www.buydigital.co.kr/1/eml.php http://camaramafra.sc.gov.br/1/eml.php http://camposequipamentos.com.br/1/eml.php http://cbradio.sos.pl/1/eml.php http://c-d-c.com.au/1/eml.php http://www.klanpl.com/1/eml.php http://coparefrescos.stantonstreetgroup.com/1/eml.php http://creainspire.com/1/eml.php http://desenjoi.com.br/1/eml.php http://www.inprofile.gr/1/eml.php http://www.diem.cl/1/eml.php http://www.discotecapuzzle.com/1/eml.php http://ujscie.one.pl/777.gif http://1point2.iae.nl/777.gif http://appaloosa.no/777.gif http://apromed.com/777.gif http://arborfolia.com/777.gif http://pawlacz.com/777.gif http://areal-realt.ru/777.gif http://bitel.ru/777.gif http://yetii.no-ip.com/777.gif http://art4u1.superhost.pl/777.gif http://www.artbed.pl/777.gif http://art-bizar.foxnet.pl/777.gif http://www.jonogueira.com/777.gif http://asdesign.cz/777.gif http://ftp-dom.earthlink.net/777.gif http://www.aureaorodeley.com/777.gif http://www.autoekb.ru/777.gif http://www.autovorota.ru/777.gif http://avenue.ee/777.gif http://www.avinpharma.ru/777.gif http://ouarzazateservices.com/777.gif http://stats-adf.altadis.com/777.gif http://bartex-cit.com.pl/777.gif http://bazarbekr.sk/777.gif http://gnu.univ.gda.pl/777.gif http://bid-usa.com/777.gif http://biliskov.com/777.gif http://biomedpel.cz/777.gif http://blackbull.cz/777.gif http://bohuminsko.cz/777.gif http://bonsai-world.com.au/777.gif http://bpsbillboards.com/777.gif http://cadinformatics.com/777.gif http://canecaecia.com/777.gif http://www.castnetnultimedia.com/777.gif http://compucel.com/777.gif http://continentalcarbonindia.com/777.gif http://ceramax.co.kr/777.gif http://prime.gushi.org/777.gif http://www.chapisteriadaniel.com/777.gif http://charlesspaans.com/777.gif http://chatsk.wz.cz/777.gif http://www.chittychat.com/777.gif http://checkalertusa.com/777.gif http://cibernegocios.com.ar/777.gif http://5050clothing.com/777.gif http://cof666.shockonline.net/777.gif http://comaxtechnologies.net/777.gif http://concellodesandias.com/777.gif http://www.cort.ru/777.gif http://donchef.com/777.gif http://www.crfj.com/777.gif http://kremz.ru/777.gif http://dev.jintek.com/777.gif http://foxvcoin.com/777.gif http://uwua132.org/777.gif http://v-v-kopretiny.ic.cz/777.gif http://erich-kaestner-schule-donaueschingen.de/777.gif http://vanvakfi.com/777.gif http://axelero.hu/777.gif http://kisalfold.com/777.gif http://vega-sps.com/777.gif http://vidus.ru/777.gif http://viralstrategies.com/777.gif http://svatba.viskot.cz/777.gif http://Vivamodelhobby.com/777.gif http://vkinfotech.com/777.gif http://vytukas.com/777.gif http://waisenhaus-kenya.ch/777.gif http://watsrisuphan.org/777.gif http://www.ag.ohio-state.edu/777.gif http://wbecanada.com/777.gif http://calamarco.com/777.gif http://vproinc.com/777.gif http://grupdogus.de/777.gif http://knickimbit.de/777.gif http://dogoodesign.ch/777.gif http://systemforex.de/777.gif http://zebrachina.net/777.gif http://www.walsch.de/777.gif http://hotchillishop.de/777.gif http://innovation.ojom.net/777.gif http://massgroup.de/777.gif http://web-comp.hu/777.gif http://webfull.com/777.gif http://welvo.com/777.gif http://www.ag.ohio-state.edu/777.gif http://poliklinika-vajnorska.sk/777.gif http://wvpilots.org/777.gif http://www.kersten.de/777.gif http://www.kljbwadersloh.de/777.gif http://www.voov.de/777.gif http://www.wchat.cz/777.gif http://www.wg-aufbau-bautzen.de/777.gif http://www.wzhuate.com/777.gif http://zsnabreznaknm.sk/777.gif http://xotravel.ru/777.gif http://ilikesimple.com/777.gif http://yeniguntugla.com/777.gif 6.结束以下进程: "ashAvast.exe" "ashDisp.exe" "ashEnhcd.exe" "ashPopWz.exe" "ashSimpl.exe" "ashSkPck.exe" "ashWebSv.exe" "AUPDATE.EXE" "Avconsol.exe" "avgcc.exe" "avgemc.exe" "AVGNT.EXE" "AVSCHED32.EXE" "Avsynmgr.exe" "AVWUPD32.EXE" "bdmcon.exe" "bdnews.exe" "bdsubmit.exe" "bdswitch.exe" "cafix.exe" "ccApp.exe" "CCEVTMGR.EXE" "CCSETMGR.EXE" "ClamTray.exe" "ClamWin.exe" "CMGrdian.exe" "drwadins.exe" "drweb32w.exe" "drwebscd.exe" "drwebupw.exe" "freshclam.exe" "GUARDGUI.EXE" "GuardNT.exe" "INETUPD.EXE" "InocIT.exe" "InoUpTNG.exe" "isafe.exe" "KAV.exe" "kavmm.exe" "KAVPF.exe" "LUALL.EXE" "Luupdate.exe" "Mcshield.exe" "NAVAPSVC.EXE" "nod32.exe" "nod32kui.exe" "NPFMNTOR.EXE" "npfmsg.exe" "Nvcod.exe" "Nvcte.exe" "Nvcut.exe" "outpost.exe" "pccguide.exe" "PcCtlCom.exe" "QHPF.EXE" "Realmon.exe" "regedit.exe" "regedt32.exe" "RuLaunch.exe" "SNDSrvc.exe" "SPBBCSvc.exe" "spiderml.exe" "symlcsvc.exe" "Tmntsrv.exe" "TmPfw.exe" "tmproxy.exe" "Up2Date.exe" "upgrepl.exe" "Vba32ECM.exe" "Vba32ifs.exe" "vba32ldr.exe" "Vba32PP3.exe" "Vshwin32.exe" "VsStat.exe" "zatutor.exe" "zlclient.exe" "zonealarm.exe" "guardnt.sys" "filtnt.sys" avsvc.exe bdmcon.exe vsserv.exe bdnews.exe livesrv.exe mcupdate.exe frameworkservice.exe upgrader.exe apvxdwin.exe LuComServer_2_5.EXE lucomserver_2_6.exe drwebupw.exe nod32krn.exe 7.在被感染的机器上搜索以下的文件格式,查找邮件地址: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp 8.不向含有以下字符的邮件地址发送邮件: @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@
󰈣󰈤
 
 
 
>>返回首页<<
 
 
 转载本文
 UBB代码 HTML代码
复制到剪贴板...
 
 热帖排行
 
 
王朝网络微信公众号
微信扫码关注本站公众号wangchaonetcn
 
 
静静地坐在废墟上,四周的荒凉一望无际,忽然觉得,凄凉也很美
©2005- 王朝网络 版权所有