
Entry: Worm.Beagle.xk
Definition

Overview

Virus name: Worm.Beagle.xk
Processed on: 2005-08-26
Threat level: ★★
Chinese name: 恶鹰变种xk (Beagle variant xk)
Virus type: Worm
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Virus behaviour

The worm spreads by email and also exploits the Plug and Play vulnerability (pnp exploit, MS05-039). It blocks access to a large number of security-software websites, downloads files from the Internet, searches the files on the infected machine for email addresses and mails itself to every address it finds. It lures users into opening and running the worm by offering serial numbers for various software products. The worm sends out large volumes of infected mail and seriously affects users' security.

It creates the mutex Breatle-X-Beagle to check whether another Beagle variant is already present on the system.

Creates the following mutexes:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Creates the file:

%system%\winhost.exe

Adds a startup entry so that the worm runs at boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe

Deletes the following values under these registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Values:

winhost.exe
WINDOWS SYSTEM
csm Win Updates
WinDrg32
Wintbp.exe
Wintbpx.exe
wintnpx.exe
erthgdr
erthgdr2

Modifies the hosts file to block a large number of security websites:

127.0.0.1 www.ca.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.nai.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 ca.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.sophos.com
127.0.0.1 mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 symantec.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 trendmicro.com
127.0.0.1 f-secure.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
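A defender's check for the hosts-file tampering described above, added here as an example and not part of the original entry: it parses a hosts file (comments, tabs and several names per line included) and reports which of the vendor domains from the list above have been pointed at loopback. The sample hosts content is constructed, and treating 0.0.0.0 and ::1 as sinkhole addresses is an assumption that goes beyond the 127.0.0.1 entries the worm writes.

```python
from typing import Dict, List, Tuple

# Vendor hostnames this Beagle variant redirects, taken from the entry above.
BLOCKED_DOMAINS = {
    "www.ca.com", "pandasoftware.com", "www.nai.com", "kaspersky.com",
    "www.f-secure.com", "download.mcafee.com", "www.my-etrust.com", "ca.com",
    "www.kaspersky.com", "www.sophos.com", "mcafee.com", "sophos.com",
    "www.mcafee.com", "symantec.com", "www.pandasoftware.com", "www.sarc.com",
    "trendmicro.com", "f-secure.com", "liveupdate.symantec.com",
    "us.mcafee.com", "www.symantec.com", "www.trendmicro.com",
}

# Assumption: any of these addresses counts as a sinkhole, not just 127.0.0.1.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()               # one IP, then one or more names
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def find_sinkholed_vendors(text: str) -> Dict[str, str]:
    """Map each vendor hostname that resolves to a sinkhole to the IP used."""
    hits = {}
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK and name in BLOCKED_DOMAINS:
            hits[name] = ip
    return hits


# Constructed sample: a clean Windows hosts header plus worm-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.ca.com
127.0.0.1 kaspersky.com
127.0.0.1\tliveupdate.symantec.com  # tab separated
# 127.0.0.1 www.sophos.com   commented out, must not be flagged
0.0.0.0 www.trendmicro.com   www.symantec.com
10.0.0.5 intranet.example   # legitimate entry, not a vendor domain
"""

if __name__ == "__main__":
    for host, ip in sorted(find_sinkholed_vendors(SAMPLE_HOSTS).items()):
        print(f"{host} -> {ip}")
```

On a live system read `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample; any hit is worth correlating with the `winhost.exe` file and Run value listed in this entry.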

Attempts to connect to the following addresses:

www.fbi.gov
www.sophos.com

Downloads the worm from the following URL:

http://j0r.biz/proto.com

Searches the user's files for valid email addresses and sends itself to them.

The sender address is built from the following parts:

The domain is one of the following, chosen at random:

@msn
@microsoft
@messagelab
@iana
@foo
@avp

The sender name is one of the following, chosen at random:

root@
rating@
postmaster@
pgp
panda
ntivi
norton
noreply
noone@
nobody@
news
local
listserv
linux
kasp
info@
microsoft
help@
google
gold-certs@
free-av
feste
f-secur
contract@
certific
cafee
bugs@
bsd
anyone@
admin
abuse

It does not send mail to the following domains:

@trendmicro.com
@sarc.com
@msn.com
@f-secure.com
@securityfocus.com
@security.com
@kaspersky.com
@symantec.com
@sophos.com
@yahoo.com
@mcafee.com
@microsoft.com
@ca.com
@aol.com

The message body is one of the following, chosen at random:

Here is the file.
Message is in attach
See the attached file for details.
Pay attention at the attach.
Check attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
Please, read the document.
Your document is attached.
Please, have a look at the attached file.
See attach.
More info is in attach
Try this.
Your file is attached.
Read the attach.
Encrypted document

The subject line is one of:

Re: Hi Site changes Forum notify
Re: Protected message Protected message Fax Message Update Changes.. Notification
Re: Message Notify
Re: Incoming Msg
Re: Incoming Message Incoming message
Re: Document
Re: Text message
Re: Thanks :)
Re: Thank you!
Re: Yahoo!
Re: Re: Hello
Re: Msg reply

The attachment is the worm itself, named with one of the following, chosen at random:

XXX hardcore images.exe
Windows Sourcecode update.doc .exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Serials.txt .exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
New patch.exe
New document.doc .exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe

The worm contains the following text:

If you want zotob author for a crime i can tell you his email, information about his country and etc so you can arrest him easily.


Copyright © 2004-2023 Cnenc.net All Rights Reserved
Updated: 2025/2/26 15:53:43