Virus: Worm/Bagle.EO
Date discovered: 13/12/2012
Type: Worm
In the wild:
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file:
File size: 20,672 bytes
MD5 checksum: aee49aa81eceff74a4e5162b6284f989
VDF version: 7.11.53.216 - Thursday, 13 December 2012
IVDF version: 7.11.53.216 - Thursday, 13 December 2012

General description / Method of propagation:
   • E-mail


Aliases:
   •  Kaspersky: Email-Worm.Win32.Bagle.eo
   •  TrendMicro: WORM_BAGLE.BX
   •  VirusBuster: I-Worm.Bagle.EZ
   •  Eset: Win32/Bagle.DR
   •  Bitdefender: Win32.Bagle.EO@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Uses its own e-mail engine
   • Lowers security settings
   • Registry modification

Files: It copies itself to the following location:
   • %SYSDIR%\wind2ll2.exe




It tries to download some files:

– The following locations:
   • http://clickhare.com/images/**********
   • http://amerikansk-bulldog.dk/images/**********
   • http://eventpeopleforyou.com/help/**********
   • http://ekshrine.com/images/**********
   • http://www.familia-sanchez.net/images/**********
   • http://www.asymchem.com/images/**********
   • http://www.baku-xeber.com/images/**********
   • http://www.abmedical.pl/images/**********
   • http://www.cellphonemadeinchina.com/images/**********
It is saved on the hard disk under: %WINDIR%\eml.exe. At the time of writing, this file was not online for further investigation.

– The following locations:
   • http://localhost/**********
   • http://localhost/**********
   • http://localhost/**********
It is saved on the hard disk under: %SYSDIR%\re_file.exe. At the time of writing, this file was not online for further investigation.

Registry: The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
   • "erfgddfk"="%SYSDIR%\wind2ll2.exe"



The following registry values are added:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
   • "erfgddfk"="%SYSDIR%\wind2ll2.exe"

E-mail: It contains an integrated SMTP engine in order to send e-mails. A direct connection to the destination server is established. Its characteristics are described below:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this e-mail. He might not know about the infection, or might not even be infected at all. Furthermore, you may receive bounced e-mails telling you that you are infected. This might also not be the case.


Subject:
One of the following:
   • Foto&Video; MAIL.FOTO; D-Foto; S-Foto; m-foto; foto-flower;
      foto-forum; Foto.Md; foto-bank; web-foto; VIP-foto; foto-books;
      FOTO-DIGITAL; Internet-foto; foto telephone; foto land; OK-FOTO;
      AN-FOTO; Foto-War; FOTO HOME; Foto Portal; FOTO-1; FOTO-2; FOTO-3;
      FOTO-4; All-foto; my foto



Body:
The body of the e-mail is one of the following lines:
   • Foto&Video
   • MAIL.FOTO
   • D-Foto
   • S-Foto
   • m-foto
   • foto-flower
   • foto-forum
   • Foto.Md
   • foto-bank
   • web-foto
   • VIP-foto
   • foto-books
   • FOTO-DIGITAL
   • Internet-foto
   • foto telephone
   • foto land
   • OK-FOTO
   • AN-FOTO
   • Foto-War
   • FOTO HOME
   • Foto Portal
   • FOTO-1
   • FOTO-2
   • FOTO-3
   • FOTO-4
   • All-foto
   • my foto
   • Password:
   • The password is:


Attachment:
The file is not a copy of itself but a copy of another piece of malware.

The filename of the attachment is one of the following:
   • Ales.zip; Alice.zip; Alyce.zip; Andrew.zip; Androw.zip; Androwe.zip;
      Ann.zip; Anna.zip; Anne.zip; Annes.zip; Anthonie.zip; Anthony.zip;
      Anthonye.zip; Avice.zip; Avis.zip; Bennet.zip; Bennett.zip;
      Christean.zip; Christian.zip; Constance.zip; Cybil.zip; Daniel.zip;
      Danyell.zip; Dorithie.zip; Dorothee.zip; Dorothy.zip; Edmond.zip;
      Edmonde.zip; Edmund.zip; Edward.zip; Edwarde.zip; Elizabeth.zip;
      Elizabethe.zip; Ellen.zip; Ellyn.zip; Emanual.zip; Emanuel.zip;
      Emanuell.zip; Ester.zip; Frances.zip; Francis.zip; Fraunces.zip;
      Gabriell.zip; Geoffraie.zip; George.zip; Grace.zip; Harry.zip;
      Harrye.zip; Henrie.zip; Henry.zip; Henrye.zip; Hughe.zip;
      Humphrey.zip; Humphrie.zip; Isabel.zip; Isabell.zip; James.zip;
      Jane.zip; Jeames.zip; Jeffrey.zip; Jeffrye.zip; Joane.zip; Johen.zip;
      John.zip; Josias.zip; Judeth.zip; Judith.zip; Judithe.zip;
      Katherine.zip; Katheryne.zip; Leonard.zip; Leonarde.zip; Margaret.zip;
      Margarett.zip; Margerie.zip; Margerye.zip; Margret.zip; Margrett.zip;
      Marie.zip; Martha.zip; Mary.zip; Marye.zip; Michael.zip; Mychaell.zip;
      Nathaniel.zip; Nathaniell.zip; Nathanyell.zip; Nicholas.zip;
      Nicholaus.zip; Nycholas.zip; Peter.zip; Ralph.zip; Rebecka.zip;
      Richard.zip; Richarde.zip; Robert.zip; Roberte.zip; Roger.zip;
      Rose.zip; Rycharde.zip; Samuell.zip; Sara.zip; Sidney.zip;
      Sindony.zip; Stephen.zip; Susan.zip; Susanna.zip; Suzanna.zip;
      Sybell.zip; Sybyll.zip; Syndony.zip; Thomas.zip; Valentyne.zip;
      William.zip; Winifred.zip; Wynefrede.zip; Wynefreed.zip;
      Wynnefreede.zip

Mailing: Address generation for the FROM field:
To generate addresses it uses the following strings:
   • Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
      Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
      Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee;
      Dorothy; Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth;
      Elizabethe; Ellen; Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances;
      Francis; Fraunces; Gabriell; Geoffraie; George; Grace; Harry; Harrye;
      Henrie; Henry; Henrye; Hughe; Humphrey; Humphrie; Isabel; Isabell;
      James; Jane; Jeames; Jeffrey; Jeffrye; Joane; Johen; John; Josias;
      Judeth; Judith; Judithe; Katherine; Katheryne; Leonard; Leonarde;
      Margaret; Margarett; Margerie; Margerye; Margret; Margrett; Marie;
      Martha; Mary; Marye; Michael; Mychaell; Nathaniel; Nathaniell;
      Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
      Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell;
      Sara; Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell;
      Sybyll; Syndony; Thomas; Valentyne; William; Winifred; Wynefrede;
      Wynefreed; Wynnefreede



Avoided addresses:
It does not send e-mails to addresses containing one of the following strings:
   • @eerswqe; @derewrdgrs; @microsoft; rating@; f-secur; news; update;
      anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@;
      noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip;
      google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.;
      noreply; local; root@; postmaster@


MX server:
It does not use standard MX servers.
It is able to contact the MX server:
   • smtp.mail.ru
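The From, Subject, Body and Attachment characteristics above amount to a fixed message template, which is what a mail gateway can key on. The following added example (not Avira's code; the indicator strings are copied from this description, while the field names, the verdict thresholds and the sample messages at the bottom are constructed for illustration) reports which documented indicators a message hits and derives a verdict from them. It deliberately treats a sender-name hit on its own as weak, because the description states that the From address is forged.

```python
"""Mail-gateway check for the Worm/Bagle.EO message template.

Added example, not Avira's own code. The indicator strings (subject lines,
body lines, attachment/sender name list) are those given in the description;
the message fields, the verdict rules and the sample messages are constructed
for illustration.
"""
from email.utils import parseaddr

# Subject lines used by the worm (the same strings also appear as the body).
SUBJECTS = {s.strip().lower() for s in """
Foto&Video; MAIL.FOTO; D-Foto; S-Foto; m-foto; foto-flower; foto-forum;
Foto.Md; foto-bank; web-foto; VIP-foto; foto-books; FOTO-DIGITAL;
Internet-foto; foto telephone; foto land; OK-FOTO; AN-FOTO; Foto-War;
FOTO HOME; Foto Portal; FOTO-1; FOTO-2; FOTO-3; FOTO-4; All-foto; my foto
""".split(";") if s.strip()}

# Extra body lines that announce a password-protected archive.
BODY_PREFIXES = ("password:", "the password is:")

# First names used both as attachment file names (<Name>.zip) and as the
# local part of the forged From address.
NAMES = {n.strip().lower() for n in """
Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee; Dorothy;
Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth; Elizabethe; Ellen;
Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances; Francis; Fraunces;
Gabriell; Geoffraie; George; Grace; Harry; Harrye; Henrie; Henry; Henrye;
Hughe; Humphrey; Humphrie; Isabel; Isabell; James; Jane; Jeames; Jeffrey;
Jeffrye; Joane; Johen; John; Josias; Judeth; Judith; Judithe; Katherine;
Katheryne; Leonard; Leonarde; Margaret; Margarett; Margerie; Margerye;
Margret; Margrett; Marie; Martha; Mary; Marye; Michael; Mychaell; Nathaniel;
Nathaniell; Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell; Sara;
Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell; Sybyll; Syndony;
Thomas; Valentyne; William; Winifred; Wynefrede; Wynefreed; Wynnefreede
""".split(";") if n.strip()}
ATTACHMENTS = {n + ".zip" for n in NAMES}


def match_indicators(sender, subject, body, attachment=None):
    """Return the documented indicators hit by the given message fields."""
    hits = []
    # parseaddr handles both "addr@host" and "Display Name <addr@host>".
    local_part = parseaddr(sender)[1].split("@", 1)[0].lower()
    if local_part in NAMES:
        hits.append("sender")
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    first_line = body.strip().splitlines()[0].strip().lower() if body.strip() else ""
    if first_line in SUBJECTS or first_line.startswith(BODY_PREFIXES):
        hits.append("body")
    if attachment and attachment.strip().lower() in ATTACHMENTS:
        hits.append("attachment")
    return hits


def classify(sender, subject, body, attachment=None):
    """Map indicator hits to a gateway verdict (constructed thresholds).

    The attachment carries the payload, so an attachment-name hit combined
    with the worm's subject or body text is treated as a match. A sender hit
    alone is weak: the From address is spoofed and the apparent sender is
    usually uninvolved.
    """
    hits = match_indicators(sender, subject, body, attachment)
    if "attachment" in hits and ("subject" in hits or "body" in hits):
        return "quarantine", hits
    if len(hits) >= 2:
        return "suspicious", hits
    return "clean", hits


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        ("Anne@example.org", "FOTO-2", "The password is: 1234", "Jane.zip"),
        ("bob@example.com", "Holiday photos", "Hi, see attached", "photos.zip"),
        ("Alice <alice@example.net>", "foto land", "Here is the archive", None),
    ]
    for sample in samples:
        print(sample[1], "->", classify(*sample))
```

Matching is case-insensitive on purpose: the subject list mixes cases ("FOTO-1", "foto land"), and a gateway should not let a change of case slip past. The third sample shows the spoofing caveat in practice: a forged sender name plus a worm subject raises the message to "suspicious" without asserting that the named person is infected.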

Process termination: It tries to terminate the following processes and deletes the corresponding files:
   • 1t1epad.exe
   • t1es1t.exe


Backdoor: The following port is opened:

– %SYSDIR%\wind2ll2.exe on TCP port 80 in order to provide a proxy server.

Miscellaneous: It creates the following mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

File details: Runtime packer:
In order to aggravate detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Irina Boldea on Friday, 26 May 2006
Description updated by Irina Boldea on Monday, 29 May 2006