Name: Worm/Bagle.FI
CME number: 328
Date discovered: 13/12/2012
??:??
????:?
????????????????
??/?????????????
?? / ?????????
????:?
File size: ~19.000 bytes
VDF version: 7.11.53.216
Heuristic: TR/Bagle.Gen.B

 ???? ????:
   • ????
   • ????


Aliases:
   •  Symantec: W32.Beagle.DL@mm
   •  Mcafee: W32/Bagle.dp@MM
   •  Kaspersky: Email-Worm.Win32.Bagle.fj
   •  TrendMicro: WORM_BAGLE.CL
   •  F-Secure: W32/Bagle.DW@mm
   •  Sophos: Troj/BagleDl-BZ
   •  Panda: W32/Bagle.GS.worm
   •  VirusBuster: I-Worm.Bagle.GJ
   •  Eset: Win32/Bagle.FA
   •  Bitdefender: Win32.Worm.Bagle.FJ

???????:
     TR/Bagle.Gen.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


???:
   • ??????????
   • ????????
   • ????
   • ???????????
   • ????????
   • ?????

 ?? ???????????:
   • %SYSDIR%\sysformat.exe



?????????????????????????????????????????:
   • %SYSDIR%\sysformat.exeopen



?????????:

      aaa.exe ?? bbb.exe
      mysuperprog1.exe ?? mysuperprog2.exe



??????:
   • mysuperprog.exe



??????:

????????????????????:
   • %SYSDIR%\sysformat.exeopenopen

%SYSDIR%\sysformat.exeopenopenopen ???????????????????:
   • %?????%




????????:

????????:
???????????????: %SYSDIR%\re_file.exe ???????????????????

 ??? ??????????????????????????????????

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • sysformat = %SYSDIR%\sysformat.exe



?????????????:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • My AV
   • ICQ Net

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • My AV
   • ICQ Net



???????????????????????:
   • [HKCU\Software\New Key 1\1]
   • [HKCU\Software\New Key 1\2]
   • [HKCU\Software\New Key 1\New Key 1]



?????????????:

[HKCU\Software\Microsoft\Params]
   • FirstRun = dword:00000001

[HKLM\SOFTWARE\Microsoft\DownloadManager]


?????????:

Disable Windows Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • Start = %???????%
   New value:
   • Start = dword:00000004

 ???? ?????? SMTP ???????????? ?????????????? ?????????:


???:
?????????


???:
– ????????????????????


??:
????:
   • price



??:
???????????:
   • February price


Attachment:
The filename of the attachment is one of the following:
   • price.zip
   • pricelst.zip
   • pricelist.zip
   • price_lst.zip
   • new_price.zip
   • February_price.zip
   • 21_price.zip
   • upd02.zip
   • Jol03.zip

????????????: %SYSDIR%\sysformat.exeopenopen



????????:


 ?? ????:
????????????????:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp


????:
??????????????????????:
   • @microsoft; rating@; f-secur; news; update; anyone@; bugs@; contract@;
      feste; gold-certs@; help@; info@; nobody@; noone@; kasp; admin;
      icrosoft; support; ntivi; unix; bsd; linux; listserv; certific; sopho;
      @foo; @iana; free-av; @messagelab; winzip; google; winrar; samples;
      abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@;
      postmaster@


????????
??????? DNS ????
????? DNS ???:
   • 217.5.97.137

 P2P ????????????????????????:


   ???????????????:
   • shar

   ????????????:
   • 1.exe; 2.exe; 3.exe; 4.exe; 5.scr; 6.exe; 7.exe; 8.exe; 9.exe; 10.exe;
      Ahead Nero 7.exe; Windown Longhorn Beta Leak.exe; Opera 8 New!.exe;
      XXX hardcore images.exe; WinAmp 6 New!.exe; WinAmp 5 Pro Keygen Crack
      Update.exe; Adobe Photoshop 9 full.exe; Matrix 3 Revolution English
      Subtitles.exe; ACDSee 9.exe


 ?? ???????????????:

???????????????

?????????:




????hosts ???????:


 ???? ???????:
   • mcagent.exe; mcvsshld.exe; mcshield.exe; mcvsescn.exe; mcvsrte.exe;
      DefWatch.exe; Rtvscan.exe; ccEvtMgr.exe; NISUM.EXE; ccPxySvc.exe;
      navapsvc.exe; NPROTECT.EXE; nopdb.exe; ccApp.exe; Avsynmgr.exe;
      VsStat.exe; Vshwin32.exe; alogserv.exe; RuLaunch.exe; Avconsol.exe;
      PavFires.exe; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE;
      AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE;
      ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; ATUPDATER.EXE; AUPDATE.EXE;
      AUTOTRACE.EXE; AUTOUPDATE.EXE; AVXQUAR.EXE; AVWUPD32.EXE; AVPUPD.EXE;
      CFIAUDIT.EXE; UPDATE.EXE; NUPGRADE.EXE; MCUPDATE.EXE; pavsrv50.exe;
      AVENGINE.EXE; APVXDWIN.EXE; pavProxy.exe; navapw32.exe; navapsvc.exe;
      ccProxy.exe; navapsvc.exe; NPROTECT.EXE; SAVScan.exe; SNDSrvc.exe;
      symlcsvc.exe; LUCOMS~1.EXE; blackd.exe; bawindo.exe;
      FrameworkService.exe; VsTskMgr.exe; SHSTAT.EXE; UpdaterUI.exe


 ?? Mutex:
?????? Mutex:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

 ?????? ???????:
???????????????????????????????

Description inserted by Andrei Gherman on Friday, February 3, 2006
Description updated by Andrei Gherman on Friday, February 10, 2006
