Worm/Bagle.F

Summary
Alias: W32.Beagle.H@mm, Win32.Bagle.Gen@mm, I-Worm.Bagle.H
Type: Worm
Size: ~21,000 bytes
Origin:
Date: 03-01-2004
Damage: Sent by email.
VDF Version: 6.24.00.32
Danger: Low
Distribution: Medium
Distribution
The sender's address is forged, so the From header cannot be used to identify the infected host. The attachment is a ZIP archive whose name is chosen from the list further below. The archive may be password-protected; in that case the password (an arbitrary number) is written in the email body.
The subject is chosen from the following:
:)
:-)
^_^ meay-meay!
^_^ mew-mew (-:
ello! =))
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Weah, hello! :-)
Weeeeee! ;)))
The email body is one of the following:
Argh, i don't like the plaintext :)
I don't bite, weah!
Looking forward for a response :P
The worm can insert a varying number of extra spaces between the words to change the appearance of the text, so exact-string matching on the body is unreliable; compare with whitespace collapsed.
If the attachment is a password-protected ZIP archive, the last line of the email body is one of the following, where %arbitrary numbers% is the archive password:
- ...btw, "%arbitrary numbers%" is a password for archive
- archive password: %arbitrary numbers%
- password: %arbitrary numbers%
- password -- %arbitrary numbers%
- pass: %arbitrary numbers%
- %arbitrary numbers% -- archive password
The attachment can have one of the following names:
Attach.zip
AttachedDocument.zip
AttachedFile.zip
Document.zip
Info.zip
Letter.zip
Message.zip
MoreInfo.zip
Msg.zip
MsgInfo.zip
Readme.zip
Text.zip
TextFile.zip
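The lure indicators above (fixed subjects, body phrases, the password line, the attachment names) translate directly into a mail-gateway check. The following Python is an added example, not Avira's code: the two messages it parses are constructed, the two-indicator threshold for the verdict is a choice made here, and treating %arbitrary numbers% as a run of digits is an assumption.

```python
"""Match an inbound message against the Worm/Bagle.F lure indicators.

Added example, not Avira's code.  The sample messages are constructed;
treating %arbitrary numbers% as a run of digits is an assumption."""
import re
from email import message_from_string

SUBJECTS = {
    ":)", ":-)", "^_^ meay-meay!", "^_^ mew-mew (-:", "ello! =))",
    "Hey, dude, it's me ^_^ :P", "Hey, ya! =))", "Hi! :-)", "Hokki =)",
    "Weah, hello! :-)", "Weeeeee! ;)))",
}
BODY_PHRASES = [
    "Argh, i don't like the plaintext :)",
    "I don't bite, weah!",
    "Looking forward for a response :P",
]
ATTACHMENT_NAMES = {
    "Attach.zip", "AttachedDocument.zip", "AttachedFile.zip", "Document.zip",
    "Info.zip", "Letter.zip", "Message.zip", "MoreInfo.zip", "Msg.zip",
    "MsgInfo.zip", "Readme.zip", "Text.zip", "TextFile.zip",
}
# The six password-line templates; %arbitrary numbers% assumed to be digits.
PASSWORD_LINE = re.compile(
    r'^(?:\.\.\.btw, "(\d+)" is a password for archive'
    r'|archive password: (\d+)'
    r'|password: (\d+)'
    r'|password -- (\d+)'
    r'|pass: (\d+)'
    r'|(\d+) -- archive password)$',
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse runs of whitespace: the worm pads the body with extra spaces."""
    return re.sub(r"\s+", " ", text).strip().lower()


def extract_archive_password(body: str):
    """Return the ZIP password announced on the last non-empty body line, or None."""
    lines = [normalize(l) for l in body.splitlines() if l.strip()]
    if not lines:
        return None
    match = PASSWORD_LINE.match(lines[-1])
    return next(g for g in match.groups() if g) if match else None


def score_message(raw: str) -> dict:
    """Return the indicators hit and a verdict (two or more hits = lure)."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if any(normalize(p) in normalize(body) for p in BODY_PHRASES):
        hits.append("body")
    password = extract_archive_password(body)
    if password:
        hits.append("password_line")
    if any(a in ATTACHMENT_NAMES for a in attachments):
        hits.append("attachment_name")
    return {"hits": hits, "password": password,
            "verdict": "bagle_lure" if len(hits) >= 2 else "clean"}


# Constructed lure in the shape described above (not a real capture).
LURE = """\
From: someone@example.net
To: victim@example.org
Subject: Hey, ya! =))
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Argh,  i   don't like  the plaintext :)

archive password:  48213
--b1
Content-Type: application/zip; name="MsgInfo.zip"
Content-Disposition: attachment; filename="MsgInfo.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 figures
Content-Type: text/plain

Hi Bob, the figures are in the shared folder. Looking forward to your feedback.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

Requiring two independent indicators keeps a lone ":)" subject or a legitimately named Document.zip from triggering on its own, while the extracted password lets a gateway open the archive for scanning instead of passing it through as opaque.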
Technical Details
Worm/Bagle.F has a variable file size of about 24,000 bytes and is packed with PEX. The email attachment is a ZIP archive or, in some cases, a bare executable. When the attachment is opened, the worm copies itself into the Windows system directory as i11r54n4.exe (~21,000 bytes) and creates the following files there:
go54o.exe (24,064 bytes)
ii5nj4.exe (1,536 bytes)
i1ru54n4.exeopen (ZIP file, ~21,000 bytes)
The worm harvests email addresses from files with the following extensions and sends itself to them, using a forged sender address:
*.wab
*.txt
*.htm
*.html
*.dbx
*.mdx
*.eml
*.nch
*.mmf
*.ods
*.cfg
*.asp
*.php
*.pl
*.adb
*.sht
If a harvested address contains one of the following strings, no email is sent to it:
@avp
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@
The following registry entries are made (the Run value gives the worm persistence across logons; the winword\frun value marks the host as already infected):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i11r54n4.exe"
[HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001
If the worm detects one of the following processes (mostly antivirus and firewall updaters), it terminates it:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
The worm connects to one of the following URLs:
http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php
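The file names and registry values above are the host-side indicators an incident responder would check. The following Python is an added example, not Avira's code: it parses a constructed regedit export and a constructed System32 listing, and reports every Bagle.F indicator present; a live check would feed in `reg export HKCU` output and a real directory listing instead. It keys the persistence check on the path rather than on the value name "rate.exe", since the page lists only one variant.

```python
"""Triage a Windows host snapshot for the Worm/Bagle.F indicators listed above.

Added example, not Avira's code.  The registry export and the System32
directory listing are constructed; a live check would feed in `reg export`
output and a real directory listing instead."""

DROPPED_FILES = {"i11r54n4.exe", "go54o.exe", "ii5nj4.exe", "i1ru54n4.exeopen"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\winword"


def parse_reg_export(text: str) -> dict:
    """Parse a regedit .reg export into {key: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def reg_string(value: str) -> str:
    """Turn a quoted .reg string value (doubled backslashes) into a plain path."""
    return value.strip('"').replace("\\\\", "\\")


def check_host(reg_export: str, system32_listing) -> list:
    """Return a human-readable finding for each Bagle.F indicator present."""
    findings = []
    reg = parse_reg_export(reg_export)
    # Persistence: any Run value pointing at the worm's copy, whatever it is named.
    for name, value in reg.get(RUN_KEY, {}).items():
        path = reg_string(value)
        if path.lower().endswith("\\i11r54n4.exe"):
            findings.append(f"Run value {name!r} starts {path}")
    if reg.get(MARKER_KEY, {}).get("frun") == "dword:00000001":
        findings.append(r"infection marker HKCU\Software\winword\frun = 1")
    for filename in system32_listing:
        if filename.lower() in DROPPED_FILES:
            findings.append(f"dropped file {filename} in System32")
    return findings


# Constructed `reg export HKCU` excerpt mimicking an infected host.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"rate.exe"="C:\\WINDOWS\\System32\\i11r54n4.exe"

[HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001
'''

# Constructed System32 directory listing.
SYSTEM32_LISTING = ["kernel32.dll", "ctfmon.exe", "i11r54n4.exe", "go54o.exe",
                    "ii5nj4.exe", "i1ru54n4.exeopen"]

if __name__ == "__main__":
    for finding in check_host(REG_EXPORT, SYSTEM32_LISTING):
        print(finding)
```

Note that the worm terminates the updater processes listed above, so an antivirus whose signatures are stale on an otherwise patched host is itself a weak indicator worth correlating with these findings.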
Description written by Crony Walker on Tuesday, 15 June 2004