病毒名称: Worm.Bagle.ao中文名称: 恶鹰变种AO威胁级别: 二级病毒别名: I-Worm.Bagle.ao[AVP]病毒类型: 邮件蠕虫、漏洞蠕虫、黑客、后门病毒类型: 蠕虫、木马受影响系统:Win9x/WinNT/Win2K/WinXP/Win2003
破坏方式:
A、使用自带的SMTP引擎大量发送病毒邮件,浪费大量网络资源,并可导致中小型邮件服务器极不稳定;B、中止被感染系统中的大量安全软件,使系统安全性下降;C、安装木马,木马下载病毒;D、在被感染的机器上开后门端口TCP 80和UDP 80,该端口可被利用转发邮件;E、通过P2P软件及局域网进行传播。
发作现象:
A、结束以下安全相关进程:ATUPDATER.EXE AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVPUPD.EXE AVWUPD32.EXE AVXQUAR.EXE CFIAUDIT.EXE DRWEBUPW.EXE ESCANH95.EXE ESCANHNT.EXE FIREWALL.EXE ICSSUPPNT.EXE ICSUPP95.EXE LUALL.EXE MCUPDATE.EXE NUPGRADE.EXE OUTPOST.EXE UPDATE.EXEB、从以下网站下载一个文件到%SystemRoot%\_re_file.exe,并执行allianzsp.sk coolweb.psg.sk cryofthespirit.com dollypop.com execpage.com helpdemos.com helpingyouth.org jamesbronner.com koti.pl miracle.v6.cz mountainwings.com mountainwings4.com naturalpros.com oracal.pl shock.evernet.com.pl SportLine.go.ro stroipolymer.ru theonlineword.com virtualchurch.com visionforsouls.org wingsoverlife.com www.1800thewoman.com www.1944.pl www.45partsdepot.com www.7pe.friko.pl www.air-computers.com.ar www.ametist.spb.ru www.apodis.pl www.arrasy.pl www.arthurspeaks.com www.astermed.pl www.atomique.pl www.atw.hu www.avatar.ee www.avers.com.pl www.baltexpo.spb.ru www.bomart.cz www.bravo.gliwice.pl www.bronnerbros.com www.buycare.com www.cumparacd.go.ro www.da-rom.co.il www.domu.net www.eastandard.co.ke www.elblu.republika.pl www.elcorsy.com www.elite-style.com www.enduser1.fast.net www.enitex.by www.enitex-m.by www.eris.pl www.europharm.pl www.extreme-racing.lg.ua www.fotel.pl www.fotolab.sk www.frater.hu www.gardameditech.com www.generex.de www.goldgates.com www.goodboy.dem.ru www.hards.pl www.healthcometh.com www.holz-studio.at www.ibplus.sk www.icpnet.pl www.icpnet.pl www.inlan.sk www.jamesbronner.com www.jbplus.cz www.justmatchit.com www.kubtelecom.ru www.kuda.com.ua www.lacittadifiorenzuola.it www.lotusdog.net www.ltvo.spb.ru www.master.pl www.members.aon.at www.moteplassen1.com www.mountainwings2.com www.multifoto.sk www.nadodrze.pl www.nairobiwebspace.com www.nameitright.com www.nardo.bbe.pl www.netland.gda.pl www.netta.pl www.nikola.piwko.pl www.ntrlab.com www.nustep.sk www.octava.pl www.odevnictvo.sk www.oftza.friko.pl www.oktbroiler.ru www.online40.com www.online50.com www.oto.lv www.pancoopzsv.co.yu www.pay5495.com www.pc-hard.com.ua www.perfect-beauty.at www.pharmag.pl www.polsl.katowice.pl www.prophetcollins.com www.propi.cz www.pursuit.rv.ua www.pyrlandia-boogie.pl www.quatro.sk www.r-bazar.ru www.roszkowski.pl www.silvic.ro www.sincron.go.ro www.skylive.pl www.smgkrc.pl www.soulring.com www.star-max.it www.sunbud.com.pl www.swez.net www.system5electronics.com www.tcvwebtv.com.ar www.thewoman.com www.tivis.cz www.ukpl.pl www.vacation-network.net www.wyspian.iap.pl www.zasada-rowery.plC、尝试在以下扩展名文件中搜索邮件地址:.adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml。
D、病毒发送的邮件附件为fotos.zip。
技术特点:
A、在注册表主键"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n"下添加如下键值:"erthgdr"=""%System%\windll.exe"B、在"%SYSTEM%"目录下,添加如下文件:"windll.exe"
C、在"%SYSTEM%"目录下,添加如下文件:"windll.exeopen"D、在"%SYSTEM%"目录下,添加如下文件:"windll.exeopenopen"E、创建以下互斥体来防止netsky及其变种的感染 MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D 'D'r'o'p'p'e'd'S'k'y'N'e't' _-oOaxX|- S - k - y - N - e - t -|XxKOo-_ [SkyNet.cz]SystemsMutex AdmSkynetJklS003 ____--->>>>U<<<<--____ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_F、在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n与HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n9XHtProtect Antivirus EasyAV FirewallSvr HtProtect ICQ Net ICQNet Jammer2nd KasperskyAVEng MsInfo My AV NetDy Norton Antivirus AV PandaAVEngine SkynetsRevenge Special Firewall Service SysMonXP Tiny AV Zone Labs Client Ex serviceG、复制自身到包含"shar"字符串的目录下,病毒文件名可能为以下之一:Microsoft Office 2003 Crack, Working!.exe Microsoft Windows XP, WinXP Crack, working Keygen.exe Microsoft Office XP working Crack, Keygen.exe Porno, sex, oral, anal cool, awesome!!.exe Porno Screensaver.scr Serials.txt.exe KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe Windows Sourcecode update.doc.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe
H、在系统目录下创建文件Doriot.exe Gdqfw.exe (该EXE其实为一个DLL文件)I、在注册表项HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run与HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下增加值"wersds" = "%System%\doriot.exe"J、把Gdqfw.exe注入到Explorer.exe进程中
K、停止以下服务,并把启动类型改为"禁止"Windows XP Service Pack 2为: Windows Firewall/Internet Connection Sharing (ICS) Windows XP Service Pack 1 及以前的为:Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Windows 2000为:Internet Connection Sharing (ICS)