Aliases
WORM_BAGLE.AT, Bagle.AT, I-Worm.Bagle.at, W32.Bagle.AT@mm, w32/bagle.bb@mm
Description
W32.Bagle.AT@mm is a mass-mailing worm that also spreads through peer-to-peer (P2P) file sharing. The e-mails that carry W32.Bagle.AT@mm use varying subjects, bodies and attachment names. The attachment is an executable with one of the following extensions: .EXE, .SCR, .COM or .CPL. See the Appendix for the full e-mail characteristics.
When the worm file is executed, it copies itself to the Windows system folder as wingo.exe and creates a registry value so that this copy runs at every logon:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"wingo" = "%SystemDir%\wingo.exe"
If the infection arrives as a Windows Control Panel Applet (CPL) file, the worm carries a small binary embedded in its own executable. When the CPL file is launched, it copies itself to the Windows system folder as cjector.exe and then drops the worm file into the Windows system folder.
The worm opens a backdoor that listens on TCP port 81. The backdoor is protected by a password; the worm's author, who knows the password, can connect to the machine and run arbitrary programs. Infected machines also contact a preset list of web addresses to report the infection to the author.
Impact
1. W32.Bagle.AT@mm scans the hard disk to harvest e-mail addresses to which it can send itself. Files with the following extensions are searched:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
2. It skips e-mail addresses containing any of the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
3. It can spread through the shared folders of peer-to-peer clients. It scans all available drives and, whenever it finds a folder whose name contains the string 'shar', copies itself into that folder under the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
4. It terminates the processes of security software, antivirus software and certain other programs. Processes with the following names are terminated:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
5. It deletes several registry values associated with W32.Netsky variants.
Solution
1. Detection and removal
Antivirus vendors have released updated signature files that detect and remove this worm.
If you do not have antivirus software installed, you can download the following removal tool to clean the infection.
Symantec: http://securityresponse.symantec.com/avcenter/FxBeagle.exe
Note: follow the antivirus vendor's instructions to remove the worm and repair the system.
2. Preventing the antivirus gateway from generating mass notification e-mails
To stop the antivirus gateway from flooding senders with notification messages, consider temporarily disabling notifications to the sender. The setting can be restored once the peak of the outbreak has passed. For details, see <<Handling e-mail floods caused by worms>>.
Related links
For further details, see the following:
Information from Computer Associates
Information from F-Secure
Information from McAfee
Information from Norman
Information from Sophos
Information from Symantec
Information from Trend Micro
Appendix
E-mails carrying W32.Bagle.AT@mm have the following characteristics:
Sender
A spoofed e-mail address
Subject
Chosen at random from the following:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
Body
Chosen at random from the following:
:)
:))
Attachment
The attachment name is one of the following, with an EXE, SCR, COM or CPL extension:
Price
price
Joke
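The e-mail characteristics in the appendix above are what a mail gateway can match on while the worm is circulating (see also section 2 of the Solution). The following is an added example, not code from either advisory: it parses a raw message with Python's standard email library and reports which Bagle.AT traits it shows. The quarantine rule (bait attachment plus subject or body match) and the sample messages are my own construction.

```python
import email
from email import policy
from email.message import EmailMessage

# Mail characteristics of W32.Bagle.AT@mm, taken from the appendix above.
BAGLE_AT_SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BAGLE_AT_BODIES = {":)", ":))"}
BAGLE_AT_ATTACH_STEMS = {"price", "joke"}          # matches "Price", "price", "Joke"
BAGLE_AT_ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}


def matches_bagle_at(raw: bytes) -> dict:
    """Return which of the worm's mail traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "body": False, "attachment": False}
    hits["subject"] = (msg.get("Subject") or "").strip() in BAGLE_AT_SUBJECTS
    text = msg.get_body(preferencelist=("plain",))
    if text is not None:
        hits["body"] = text.get_content().strip() in BAGLE_AT_BODIES
    for part in msg.iter_attachments():
        stem, dot, ext = (part.get_filename() or "").rpartition(".")
        if dot and stem.lower() in BAGLE_AT_ATTACH_STEMS \
                and "." + ext.lower() in BAGLE_AT_ATTACH_EXTS:
            hits["attachment"] = True
    return hits


def is_bagle_at(raw: bytes) -> bool:
    """Quarantine rule (my own): bait executable attachment plus at least one other trait.

    Requiring two traits keeps ordinary "Re: Hi" replies without attachments out of quarantine.
    """
    h = matches_bagle_at(raw)
    return h["attachment"] and (h["subject"] or h["body"])


def build_sample(subject: str, body: str, attach_name: str) -> bytes:
    """Constructed test message; the attachment is a placeholder, not worm code."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()
```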
http://www.hkcert.org/valert/chi_vinfo/w32.bagle.at@mm.html
2006-06-29
Worm@W32.Beagle.35
The Worm@W32.Beagle.35 worm terminates other viruses and antivirus software, and avoids sending itself to e-mail addresses that contain certain strings.
Beagle.35 opens a backdoor on TCP port 81 and mass-mails itself using its own SMTP engine. The worm also deletes registry values containing certain strings, such as Antivirus, service and ICQ Net, so that those programs no longer start automatically.
Basic information
Virus name
Worm@W32.Beagle.35
Aliases
Win32.Bagle.AR [Computer Associates], W32/Bagle.bd@MM [McAfee]
Type
Worm, E-Mail
Date discovered
2004/11/01
Affected platforms
Windows 95/98/ME, Windows NT/2000/XP/2003
Risk assessment
Distribution: Medium
Damage: Low
Worm@W32.Beagle.35 e-mail format:
Sender:
Subject: <one of the following> Re: | Re: Hello | Re: Hi | Re: Thank you! | Re: Thanks :)
Body: :))
Attachment: <one of the following> Price | price | Joke, with the extension .com, .cpl, .exe or .scr.
Worm@W32.Beagle.35 behaviour:
Note: on Windows 95/98/ME, %System% defaults to C:\windows\System;
on Windows NT/2000/XP/2003, %System% defaults to C:\WinNT\System32.
The worm terminates the following processes, most of which belong to other viruses or to antivirus software:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
The worm downloads a file from one of a long, preset list of web sites, saves it as %System%\re_file.exe and executes it.
The worm copies itself, under the following names, into folders whose name contains the string "shar":
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
The worm stops and disables the following services:
"SharedAccess" - Internet Connection Sharing
"wscsvc" - MS security center
The worm opens a backdoor on TCP port 81.
The worm searches files with the following extensions for e-mail addresses:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The worm does not send to e-mail addresses containing any of the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
It mass-mails itself using its own SMTP engine.
After it is executed, the worm copies itself to %System%\wingo.exe.
It modifies the registry so that the worm starts at boot:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name = wingo, Value = %System%\wingo.exe
It deletes the following values from the registry so that the corresponding programs no longer start automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
The worm deletes values containing the following strings from the registry so that the corresponding programs no longer start automatically:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
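The behaviour described above (the wingo Run value, the files dropped into %System%, the TCP 81 listener, the stopped SharedAccess and wscsvc services, and the bait files placed in "shar" folders) gives an incident responder a compact set of host indicators. The following is an added example, not code from either advisory: it walks a directory tree for the share-folder drops and scores a snapshot of the other indicators. Collecting the snapshot (registry, system directory listing, listening ports, service states) is left to the host's own tooling; the snapshot and directory tree built by build_demo are constructed test data.

```python
import os
import tempfile

# Indicators taken from the Beagle.35 / Bagle.AT descriptions above.
DROPPED_FILES = {"wingo.exe", "re_file.exe", "cjector.exe"}
BACKDOOR_PORT = 81
DISABLED_SERVICES = {"SharedAccess", "wscsvc"}
SHARE_BAIT_NAMES = {  # subset of the bait names listed above; extend as needed
    "Microsoft Office 2003 Crack, Working!.exe", "Serials.txt.exe", "KAV 5.0",
    "Kaspersky Antivirus 5.0", "Windows Sourcecode update.doc.exe",
    "Opera 8 New!.exe", "WinAmp 6 New!.exe", "Adobe Photoshop 9 full.exe", "ACDSee 9.exe",
}


def find_share_drops(root: str) -> list:
    """Return bait-named files that sit in a folder whose own name contains 'shar'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            found.extend(os.path.join(dirpath, f) for f in files if f in SHARE_BAIT_NAMES)
    return sorted(found)


def assess_host(snapshot: dict) -> list:
    """Score a host snapshot against the indicators; returns human-readable findings."""
    findings = []
    for name, value in snapshot.get("hkcu_run", {}).items():
        if name.lower() == "wingo" or value.lower().endswith("\\wingo.exe"):
            findings.append(f"HKCU Run value {name!r} -> {value}")
    for f in snapshot.get("system_dir_files", []):
        if f.lower() in DROPPED_FILES:
            findings.append(f"dropped file %System%\\{f}")
    if BACKDOOR_PORT in snapshot.get("listening_tcp", []):
        findings.append("TCP 81 listening (Bagle backdoor port)")
    for svc, state in snapshot.get("services", {}).items():
        if svc in DISABLED_SERVICES and state.lower() != "running":
            findings.append(f"service {svc} is {state}")
    root = snapshot.get("share_root")
    if root:
        findings.extend("share drop " + p for p in find_share_drops(root))
    return findings


def build_demo() -> dict:
    """Constructed snapshot and directory tree resembling an infected host (not real telemetry)."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "My Shared Folder")
    os.makedirs(share)
    open(os.path.join(share, "Serials.txt.exe"), "wb").close()
    open(os.path.join(root, "Serials.txt.exe"), "wb").close()  # not in a 'shar' folder: ignored
    return {"hkcu_run": {"wingo": r"C:\WINDOWS\System32\wingo.exe", "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"},
            "system_dir_files": ["wingo.exe", "kernel32.dll"], "listening_tcp": [135, 81, 445],
            "services": {"SharedAccess": "Stopped", "wscsvc": "Running"}, "share_root": root}
```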
http://web.nutn.edu.tw/608/virus/virus-128.htm