Virus: TR/Drop.Bagle.FR
Discovery date: 13/12/2012
Type: Worm
In the wild:
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Medium
Static file:
File size: ~27.000 bytes
VDF version: 7.11.53.216

General
Method of propagation:
   • Email
   • Peer to Peer


Aliases:
   •  Symantec: W32.Beagle.DS@mm
   •  Mcafee: W32/Sality.o
   •  Kaspersky: Email-Worm.Win32.Bagle.ae
   •  TrendMicro: WORM_BAGLE.EW
   •  Sophos: W32/Bagle-CO
   •  Panda: W32/Bagle.HC.worm
   •  Bitdefender: Win32.Bagle.FJ@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Shuts down security applications
   • Drops malicious files
   • Uses its own email engine
   • Registry modification
   • Third party control


After execution, the following information is displayed:


Files
It copies itself to the following location:
   • %SYSDIR%\lmovie.exe



It also copies itself to the following locations. Random bytes are appended to these copies or they are slightly altered, so they may differ from the original file:
   • %SYSDIR%\lmovie.exeopen
   • %SYSDIR%\lmovie.exeopenopen



The following file is created:

– %WINDIR%\rvcualts32.exe Once it has been created successfully, it is executed. Further investigation showed that this file is malware as well. Detected as: TR/Dldr.Bagle.FR

Registry
The following registry value is added continuously, in an infinite loop, so that the process runs again after a system reboot:

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • MovieM = %SYSDIR%\lmovie.exe



The following values are deleted from these registry keys:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • 9XHtProtect
   • Antivirus
   • EasyAV
   • FirewallSvr
   • HtProtect
   • ICQ Net
   • ICQNet
   • Jammer2nd
   • KasperskyAVEng
   • MsInfo
   • My AV
   • NetDy
   • Norton Antivirus AV
   • PandaAVEngine
   • service
   • SkynetsRevenge
   • Special Firewall Service
   • SysMonXP
   • Tiny AV
   • Zone Labs Client Ex

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • 9XHtProtect
   • Antivirus
   • EasyAV
   • FirewallSvr
   • HtProtect
   • ICQ Net
   • ICQNet
   • Jammer2nd
   • KasperskyAVEng
   • MsInfo
   • My AV
   • NetDy
   • Norton Antivirus AV
   • PandaAVEngine
   • service
   • SkynetsRevenge
   • Special Firewall Service
   • SysMonXP
   • Tiny AV
   • Zone Labs Client Ex

Email
It contains an integrated SMTP engine for sending email. A direct connection to the destination mail server is established. The characteristics of the email are described below:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Come Be With Me, my Love!
   • Love you with all my heart!
   • My dream is coming true!
   • See you tonight!
   • Will You Be My Valentine?



Body:
– Contains HTML code.
The body of the email is one of the following:

   • Click to attachment to load a picture
Love at the lips was touch
As sweet as I could bear;
And once that seemed too much;
I lived on air

That crossed me from sweet things,
The flow of - was it musk
From hidden grapevine springs
Down hill at dusk?

I had the swirl and ache
From sprays of honeysuckle
That when they re gathered shake
Dew on the knuckle.

I craved strong sweets, but those
Seemed strong when I was young;
The petal of the rose
It was that stung.

Now no joy but lacks salt
That is not dashed with pain
And weariness and fault;
I crave the stain

Of tears, the aftermark
Of almost too much love,
The sweet of bitter bark
And burning clove.

When stiff and sore and scarred
I take away my hand
From leaning on it hard
In grass and sand

The hurt is not enough:
I long for weight and strength
To feel the earth as rough
To all my length.

   • Click to attachment to load a movie
I woke up in a white room
with white lace curtains.
Snow covered landscape;
I’m in Memphis for certain

Yesterday, it took over three hours
just to travel the last twenty miles.
But nothing is like my wife’s family
always being greeted with smiles

I was hoping for a White Christmas.
You’d be surprise how simple I am.
Be careful what you wish for
God may be listening to your plan.

Most of the nation is covered
with that dangerous and beautiful thing
I am grateful for arriving safely
for my wife’s happiness is everything.

She wanted to see her family,
her father, uncles and aunts.
I ve kept her in Southwest Texas too long;
this trip I most willingly grant.

So, here we are now
in a snowy southern wonderland.
Waiting for Christmas dinner to come;
a present only my wife can understand

   • Execute attachment to load a movie
A stranger came to the door at eve,
And he spoke the bridegroom fair.
He bore a green-white stick in his hand,
And, for all burden, care.
He asked with the eyes more than the lips
For a shelter for the night,
And he turned and looked at the road afar
Without a window light.

The bridegroom came forth into the porch
With, "Let us look at the sky,
And question what of the night to be,
Stranger, you and I.
"The woodbine leaves littered the yard,
The woodbine berries were blue,
Autumn, yes, winter was in the wind;
"Stranger, I wish I knew."

Within, the bride in the dusk alone
Bent over the open fire,
Her face rose-red with the glowing coal
And the thought of the heart's desire.
The bridegroom looked at the weary road,
Yet saw but her within,
And wished her heart in a case of gold
And pinned with a silver pin.

The bridegroom thought it little to give
A dole of bread, a purse,
A heartfelt prayer for the poor of God,
Or for the rich a curse;
But whether or not a man was asked
To mar the love of two
by harboring woe in the bridal house,
The bridegroom wished he knew.

Attachment:
The filename of the attachment is one of the following:
   • love_me.exe
   • love_me_now.exe
   • mplay.exe
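The subject lines, attachment names and the lead sentence of each body listed above are all fixed strings, which makes the worm's email easy to recognise at a mail gateway. The following is an added example, not Avira's own tooling: a small Python check that matches a parsed message against those indicators. The `Message` class and the `SAMPLES` traffic are constructed for the demonstration; a real gateway would feed it parsed MIME parts.

```python
"""Gateway-side check for mail generated by this Bagle variant.

Added example, not Avira's own tooling. A parsed message is matched against
the indicators the description gives: the five fixed subjects, the three
attachment names and the lead sentence of each poem body. The Message
class and the SAMPLES list below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List

SUBJECTS = {
    "Come Be With Me, my Love!",
    "Love you with all my heart!",
    "My dream is coming true!",
    "See you tonight!",
    "Will You Be My Valentine?",
}
ATTACHMENTS = {"love_me.exe", "love_me_now.exe", "mplay.exe"}
BODY_LEADS = (
    "Click to attachment to load a picture",
    "Click to attachment to load a movie",
    "Execute attachment to load a movie",
)


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def indicators(msg: Message) -> List[str]:
    """Return the names of the indicators the message matches."""
    hits = []
    if msg.subject.strip() in SUBJECTS:
        hits.append("subject")
    # attachment names are compared case-insensitively; Windows runs
    # LOVE_ME.EXE just as readily as love_me.exe
    if any(name.lower() in ATTACHMENTS for name in msg.attachments):
        hits.append("attachment")
    if any(lead in msg.body for lead in BODY_LEADS):
        hits.append("body")
    return hits


def is_bagle_mail(msg: Message) -> bool:
    """Flag on an attachment-name hit, or on subject and body together.

    A lone subject hit is deliberately not enough: the subjects are
    ordinary phrases and would produce false positives on their own.
    """
    hits = set(indicators(msg))
    return "attachment" in hits or {"subject", "body"} <= hits


# constructed sample traffic: two worm mails, one legitimate message
SAMPLES = [
    Message("See you tonight!",
            "Click to attachment to load a movie\nI woke up in a white room",
            ["mplay.exe"]),
    Message("Re: invoice 4711", "please see attached", ["LOVE_ME_NOW.EXE"]),
    Message("See you tonight!", "Dinner at eight?", ["directions.pdf"]),
]


def scan(msgs: List[Message]) -> List[bool]:
    """Verdict per message, in input order (True = block)."""
    return [is_bagle_mail(m) for m in msgs]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{'BLOCK' if verdict else 'pass '}  {m.subject!r}  {indicators(m)}")
```

The third sample shares a subject with the worm but carries neither the body lead nor a known attachment name, so it passes; requiring two independent indicators keeps a fixed-string rule like this from blocking genuine mail.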



The email may look like the following:




Mailing
Search addresses:
It searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp


Avoid addresses:
It does not send email to addresses containing one of the following strings:
   • @hotmail; @msn; @microsoft; rating@; f-secur; news; update; anyone@;
      bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@;
      kasp; admin; icrosoft; support; ntivi; unix; bsd; linux; listserv;
      certific; sopho; @foo; @iana; free-av; @messagelab; winzip; google;
      winrar; samples; abuse; panda; cafee; spam; pgp; @avp.; noreply;
      local; root@; postmaster@

P2P
In order to infect other systems in the peer-to-peer network community, it performs the following actions:


   It searches for directories whose names contain the following substring:
   • shar

   If such a directory is found, the following files are created in it:
   • anna benson sex video.exe; kate beckinsale nude pictures.exe; jenna
      elfman sex anal deepthroat; miss america Porno, sex, oral, anal cool,
      awesome!!.exe; Porno Screensaver.scr; Serials.txt.exe; barrett jackson
      nude photos, movies, porn video.exe; Britney Spears sex photos.exe;
      paris hilton Porno pics arhive, xxx.exe; Windows Sourcecode
      update.doc.exe; Ahead Nero 10.exe; Windown Vista Beta Leak.exe; IE
      beta 7.exe; Serials 2005 database.exe; XXX hardcore images.exe; Adobe
      Photoshop 9 full.exe

   These files are copies of the malware itself.

Backdoor
The following port is opened:

– lmovie.exe on TCP port 6777, in order to provide backdoor capabilities.


Contact server:
The following:
   • http://ijj.**********

This is done by issuing an HTTP GET request to a PHP script.


It sends information about:
   • The current status of the malware

Miscellaneous
Mutex:
It creates the following mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
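The Registry, Files, Backdoor and Mutex sections above together give a compact set of host-side indicators: the `MovieM` Run value, the dropped file paths, the listener on TCP 6777, the mutex names, and the security-product Run values the worm deletes. The following is an added example, not Avira's tooling, that checks a host snapshot against all of them in one pass. The snapshot format (a plain dict with `run_values`, `files`, `listening_tcp` and `mutexes`) and the expansion of `%SYSDIR%` and `%WINDIR%` to `C:\Windows\System32` and `C:\Windows` are assumptions of the example; the `BASELINE`, `INFECTED` and `CLEAN` snapshots are constructed. On a live machine the same dict would be filled from the registry, the file system and the socket and handle tables.

```python
"""Host-side indicator check for this Bagle variant.

Added example, not Avira's tooling. It takes a snapshot of one host (a
plain dict; on a live machine it would be filled from the registry, the
file system, the handle table and the listening-socket list) and reports
every indicator from the description that is present: the MovieM Run
value, the dropped files, the backdoor listener on TCP 6777, the named
mutexes, and security-product Run values that existed in an earlier
baseline snapshot but are gone now. %SYSDIR% and %WINDIR% are assumed to
expand to C:\Windows\System32 and C:\Windows; the snapshots are constructed.
"""
from typing import Dict, List

PERSIST_NAME, PERSIST_VALUE = "MovieM", r"%SYSDIR%\lmovie.exe"
DROPPED_FILES = [
    r"%SYSDIR%\lmovie.exe",
    r"%SYSDIR%\lmovie.exeopen",
    r"%SYSDIR%\lmovie.exeopenopen",
    r"%WINDIR%\rvcualts32.exe",
]
BACKDOOR_PORT = 6777
MUTEXES = {
    "vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
# Run values the worm deletes from HKLM and HKCU
AV_RUN_VALUES = {
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect",
    "ICQ Net", "ICQNet", "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV",
    "NetDy", "Norton Antivirus AV", "PandaAVEngine", "service",
    "SkynetsRevenge", "Special Firewall Service", "SysMonXP", "Tiny AV",
    "Zone Labs Client Ex",
}


def normalize(path: str) -> str:
    """Expand the placeholders used in the description and compare
    case-insensitively, as NTFS paths are (assumed expansion targets)."""
    return (path.replace("%SYSDIR%", r"C:\Windows\System32")
                .replace("%WINDIR%", r"C:\Windows")
                .lower())


def check_host(snapshot: Dict, baseline: Dict) -> List[str]:
    """Return one finding string per matched indicator (empty if clean)."""
    findings: List[str] = []
    run = snapshot["run_values"]          # hive -> {value name: data}
    for hive, values in run.items():
        data = values.get(PERSIST_NAME)
        if data is not None and normalize(data) == normalize(PERSIST_VALUE):
            findings.append(f"persistence: {hive}\\...\\Run\\{PERSIST_NAME} = {data}")
    present = {normalize(p) for p in snapshot["files"]}
    for path in DROPPED_FILES:
        if normalize(path) in present:
            findings.append(f"dropped file: {path}")
    if BACKDOOR_PORT in snapshot["listening_tcp"]:
        findings.append(f"backdoor listener: tcp/{BACKDOOR_PORT}")
    for name in snapshot["mutexes"]:
        if name in MUTEXES:
            findings.append(f"mutex: {name}")
    # autostart entries of security products that the baseline had and the
    # current snapshot lacks: the worm removes exactly these value names
    for hive, values in baseline["run_values"].items():
        for name in values:
            if name in AV_RUN_VALUES and name not in run.get(hive, {}):
                findings.append(f"removed security autostart: {hive}\\...\\Run\\{name}")
    return findings


# constructed snapshots: a pre-infection baseline, an infected host, a clean host
BASELINE = {"run_values": {
    "HKLM": {"KasperskyAVEng": r"C:\Program Files\Kaspersky\kav.exe",
             "Zone Labs Client Ex": r"C:\Program Files\Zone Labs\zlclient.exe"},
    "HKCU": {},
}}
INFECTED = {
    "run_values": {"HKLM": {},
                   "HKCU": {"MovieM": r"C:\Windows\System32\lmovie.exe"}},
    "files": [r"C:\Windows\System32\lmovie.exe", r"C:\Windows\rvcualts32.exe",
              r"C:\Windows\System32\notepad.exe"],
    "listening_tcp": [135, 445, 6777],
    "mutexes": ["AdmSkynetJklS003", "Global\\SomeUnrelatedMutex"],
}
CLEAN = {
    "run_values": BASELINE["run_values"],
    "files": [r"C:\Windows\System32\notepad.exe"],
    "listening_tcp": [135, 445],
    "mutexes": ["Global\\SomeUnrelatedMutex"],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap, BASELINE))
```

The baseline comparison is what turns the deleted Run values into a signal: their absence means nothing on a host that never had those products, but on a host where they existed a day earlier it points at exactly the behaviour the Registry section describes.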

File details
Runtime packer:
In order to make detection harder and reduce the size of the file, it is compressed with a runtime packer.

Description inserted by Andrei Ivanes on Wednesday, 15 February 2006
Description updated by Andrei Ivanes on Tuesday, 28 February 2006
