  • Worm.Beagle.bf

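    Worm.Beagle.bf is a worm. Once run, it injects itself into Explorer.exe, blocks the user from accessing certain websites, prevents the user from starting certain services, moves files on the system, modifies the registry, and downloads and runs malicious programs from the Internet.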

    Overview/Worm.Beagle.bf

    Virus alias:
    Processing time:
    Threat level: ★★
    Chinese name: 恶鹰变种BF (Beagle variant BF)
    Virus type: Worm
    Affected systems: Win9x / WinNT

    Virus behavior/Worm.Beagle.bf

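    Once run, the virus injects itself into Explorer.exe, blocks the user from accessing certain websites, prevents the user from starting certain services, moves files on the system, modifies the registry, and downloads and runs malicious programs from the Internet.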

    1. Execution

    Creates winshost.exe and wiwshost.exe in the System32 directory.

    wiwshost.exe is injected into the Explorer.exe process.

    The following entry is added to the registry:
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "winshost.exe" - "C:\WINNT\System32\winshost.exe"

    2. Enumerates the processes running on the system and forcibly terminates the following:
    AVXQUAR.EXE
    ESCANHNT.EXE
    UPGRADER.EXE
    AVXQUAR.EXE
    AVWUPD32.EXE
    AVPUPD.EXE
    CFIAUDIT.EXE
    UPDATE.EXE
    NUPGRADE.EXE
    MCUPDATE.EXE
    ATUPDATER.EXE
    AUPDATE.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    FIREWALL.EXE
    ATUPDATER.EXE
    LUALL.EXE
    DRWEBUPW.EXE
    AUTODOWN.EXE
    NUPGRADE.EXE
    OUTPOST.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    ESCANH95.EXE

    3. Downloads a file from the following addresses and executes it:

    4. Deletes the following file:
    mysuperprog.exe

    5. Renames the following files:
    ccsetmgr.exe renamed to C1CSETMGR.EXE
    CCEVTMGR.EXE renamed to CC1EVTMGR.EXE
    NAVAPSVC.EXE renamed to NAV1APSVC.EXE
    NPFMNTOR.EXE renamed to NPFM1NTOR.EXE
    symlcsvc.exe renamed to s1ymlcsvc.exe
    SPBBCSvc.exe renamed to SP1BBCSvc.exe
    SNDSrvc.exe renamed to SND1Srvc.exe
    ccapp.exe renamed to ccA1pp.exe
    ccl30.dll renamed to cc1l30.dll
    ccvrtrst.dll renamed to ccv1rtrst.dll
    LUALL.EXE renamed to LUAL1L.EXE
    AUPDATE.EXE renamed to AUPD1ATE.EXE
    Luupdate.exe renamed to Luup1date.exe
    LUINSDLL.DLL renamed to LUI1NSDLL.DLL
    RuLaunch.exe renamed to RuLa1unch.exe
    CMGrdian.exe renamed to CM1Grdian.exe
    Mcshield.exe renamed to Mcsh1ield.exe
    outpost.exe renamed to outp1ost.exe
    Avconsol.exe renamed to Avc1onsol.exe
    Vshwin32.exe renamed to Vshw1in32.exe
    VsStat.exe renamed to Vs1Stat.exe
    Avsynmgr.exe renamed to Av1synmgr.exe
    kavmm.exe renamed to kav12mm.exe
    Up2Date.exe renamed to Up222Date.exe
    KAV.exe renamed to K2A2V.exe
    avgcc.exe renamed to avgc3c.exe
    avgemc.exe renamed to avg23emc.exe
    zonealarm.exe renamed to zo3nealarm.exe
    zatutor.exe renamed to zatu6tor.exe
    zlavscan.dll renamed to zl5avscan.dll
    zlclient.exe renamed to zlcli6ent.exe
    isafe.exe renamed to is5a6fe.exe
    cafix.exe renamed to c6a5fix.exe
    vsvault.dll renamed to vs6va5ult.dll
    av.dll renamed to a5v.dll
    vetredir.dll renamed to ve6tre5dir.dll

    6. Deletes the following registry values and keys:
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "Symantec NetDriver Monitor"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "ccApp"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "NAV CfgWiz"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "SSC_UserPrompt"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "McAfee Guardian"
    【HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "McAfee.InstantUpdate.Monitor"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "APVXDWIN"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "KAV50"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "avg7_cc"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "avg7_emc"
    【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
    "Zone Labs Client"
    【HKLM\SOFTWARE\Symantec】
    【HKLM\SOFTWARE\McAfee】
    【HKLM\SOFTWARE\kasperskyLab】
    【HKLM\SOFTWARE\Agnitum】
    【HKLM\SOFTWARE\Panda Software】
    【HKLM\SOFTWARE\Zone Labs】
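
The dropped files, the Run entry, the renamed security files and the deleted Run values described above can be checked together during offline triage. The following is an added example, not part of the original entry; the function name `triage`, the baseline parameter and the sample inputs are constructed for illustration, and only a subset of the rename and Run-value tables is included.

```python
# Added example (not from the page): offline triage for Worm.Beagle.bf artifacts.
# Inputs are constructed; a real run would use a file listing and a parsed
# export of the Run keys collected from the suspect host.

DROPPED = {"winshost.exe", "wiwshost.exe"}   # files created in System32
RUN_VALUE = "winshost.exe"                   # persistence entry under Run
# Subset of the rename table (original name, lowercased -> name after rename).
RENAMED = {
    "ccapp.exe": "ccA1pp.exe",
    "navapsvc.exe": "NAV1APSVC.EXE",
    "mcshield.exe": "Mcsh1ield.exe",
    "kav.exe": "K2A2V.exe",
    "zonealarm.exe": "zo3nealarm.exe",
}
# Subset of the Run values the worm deletes.
DELETED_RUN = {"ccApp", "KAV50", "avg7_cc", "Zone Labs Client"}


def triage(files, run_values, expected_run=()):
    """Return sorted findings.

    files: file names seen on disk; run_values: Run value name -> data;
    expected_run: Run value names the host baseline says should exist.
    """
    seen = {f.lower() for f in files}
    findings = []
    for name in DROPPED:
        if name in seen:
            findings.append(f"dropped file present: {name}")
    for value, data in run_values.items():
        if value.lower() == RUN_VALUE or data.lower().endswith("\\" + RUN_VALUE):
            findings.append(f"persistence Run value: {value} -> {data}")
    for original, renamed in RENAMED.items():
        # A renamed copy with the original gone indicates tampering.
        if renamed.lower() in seen and original not in seen:
            findings.append(f"security file renamed: {original} -> {renamed}")
    for value in expected_run:
        if value in DELETED_RUN and value not in run_values:
            findings.append(f"security Run value missing: {value}")
    return sorted(findings)


# Constructed sample: an infected host with one Symantec component tampered with.
SAMPLE_FILES = ["WINSHOST.EXE", "wiwshost.exe", "ccA1pp.exe", "notepad.exe"]
SAMPLE_RUN = {"winshost.exe": r"C:\WINNT\System32\winshost.exe"}

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_RUN, expected_run=["ccApp"]):
        print(line)
```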

    7. Blocks the following services:
    wuauserv
    PAVSRV
    PAVFNSVR
    PSIMSVC
    Pavkre
    PavProt
    PREVSRV
    PavPrSrv
    SharedAccess
    navapsvc
    NPFMntor
    Outpost Firewall
    SAVScan
    SBService
    Symantec Core LC
    ccEvtMgr
    SNDSrvc
    ccPwdSvc
    ccSetMgr.exe
    SPBBCSvc
    KLBLMain
    avg7alrt
    avg7updsvc
    vsmon
    CAISafe
    avpcc
    fsbwsys
    backweb client - 4476822
    backweb client-4476822
    fsdfwd
    F-Secure Gatekeeper Handler Starter
    FSMA
    KAVMonitorService
    navapsvc
    NProtectService
    Norton Antivirus Server
    VexiraAntivirus
    dvpinit
    dvpapi
    schscnt
    BackWeb Client - 7681197
    F-Secure Gatekeeper Handler Starter
    FSMA
    AVPCC
    KAVMonitorService
    Norman NJeeves
    NVCScheduler
    nvcoas
    Norman ZANDA
    PASSRV
    SweepNet
    SWEEPSRV.SYS
    NOD32ControlCenter
    NOD32Service
    PCCPFW
    Tmntsrv
    AvxIni
    XCOMM
    ravmon8
    SmcService
    BlackICE
    PersFW
    McAfee Firewall
    OutpostFirewall
    NWService
    alerter
    sharedaccess
    NISUM
    NISSERV
    vsmon
    nwclnth
    nwclntg
    nwclnte
    nwclntf
    nwclntd
    nwclntc
    wuauserv
    navapsvc
    Symantec Core LC
    SAVScan
    kavsvc
    DefWatch
    Symantec AntiVirus Client
    NSCTOP
    Symantec Core LC
    SAVScan
    SAVFMSE
    ccEvtMgr
    navapsvc
    ccSetMgr
    VisNetic AntiVirus Plug-in
    McShield
    AlertManger
    McAfeeFramework
    AVExch32Service
    AVUPDService
    McTaskManager
    Network Associates Log Service
    Outbreak Manager
    MCVSRte
    mcupdmgr.exe
    AvgServ
    AvgCore
    AvgFsh
    awhost32
    Ahnlab task Scheduler
    MonSvcNT
    V3MonNT
    V3MonSvc
    FSDFWD


    8. Blocks access to the following website addresses:

    Last updated: 2013-03-28 16:39:15